app.js
  rule:javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal:
    Possible writing outside of the destination, make sure that the target path is nested in the intended destination
    Details: https://sg.run/OPqk
    145: const resolvedPath = path.resolve( dir, fname );
  --------------------------------------------------------------------------------
  rule:javascript.lang.security.detect-non-literal-require.detect-non-literal-require:
    Detected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load and run arbitrary code, or access arbitrary files.
    Details: https://sg.run/zvNn
    151: const route = require( `${dir}/${fname}` );

executors/javascript/executor.js
  rule:javascript.browser.security.eval-detected.eval-detected:
    Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
    Details: https://sg.run/7ope
    102: eval( functionTemplate ); // eslint-disable-line no-eval
  --------------------------------------------------------------------------------
  rule:javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression:
    Detected eval(variable), which could allow a malicious actor to run arbitrary code.
    Details: https://sg.run/6nwK
    102: eval( functionTemplate ); // eslint-disable-line no-eval

executors/python3/executor.py
  rule:python.lang.security.audit.exec-detected.exec-detected:
    Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
    Details: https://sg.run/ndRX
    86: exec(
    87:     _FUNCTION_TEMPLATE.format(
    88:         function_name=function_name,
    89:         argument_list=",".join(argument_names),
    90:         implementation=implementation,
    91:         return_value=return_value,
    92:     ),
    93:     {
    94:         "_RESULT_CACHE": _RESULT_CACHE,
    95:         "ZPair": utils.ZPair,
    -------- [hid 9 additional lines, adjust with --max-lines-per-finding] ---------

lib/swagger-ui.js
  rule:javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal:
    Possible writing outside of the destination, make sure that the target path is nested in the intended destination
    Details: https://sg.run/OPqk
    16: const reqPath = req.query.path || '/index.html';
    17: const filePath = path.join( docRoot, reqPath );

routes/ex.js
  rule:javascript.express.security.audit.xss.direct-response-write.direct-response-write:
    Detected directly writing to a Response object. This bypasses any HTML escaping and may expose your app to a cross-site scripting (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML.
    Details: https://sg.run/vzGl
    29: res.send( arr.join() );
  --------------------------------------------------------------------------------
    48: res.send( text );

src/subprocess.js
  rule:javascript.lang.security.detect-child-process.detect-child-process:
    Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability.
    Details: https://sg.run/l2lo
    12: const process = spawn( binary, args, options );

ran 474 rules on 106 files: 9 findings