Project Details
rmb-web
solutionbowl/rmb-web · Bitbucket · Default branch main
Security Findings
Low security scores and security-related AI review notes.
| Commit | Security Score | Finding | Date |
|---|---|---|---|
| d0b0aa44 | 50 | The commit adds extensive logic related to order scheduling and handling various conditions with pumps, batching plants, and trips. However, the commit message is not descriptive, and the changes lack comments explaining complex logic. Some potential issues with error handling and checks (e.g., usage of non-null safe operations, assumptions about object attributes, and sparse validation) could increase bug risk. Security considerations such as SQL injections or input sanitation are not evident. The large diff with many logging statements appears to be work-in-progress or debugging code, increasing fake work risk and reducing confidence in quality and business value. | 08 Jul 2026 |
| 896c5d89 | 60 | The commit introduces additional filtering and sorting logic in BatchingPlantHelper, and enhancements to PumpHelper with transaction management, slot overlap detection, and complex scheduling logic. However, code readability could be improved with comments and better naming conventions. The commit message is insufficient and non-descriptive, reducing code review efficiency. There is a moderate risk of bugs due to complex time calculations and assumptions about data availability. The lack of security-specific changes limits security score but no evident vulnerabilities were introduced. | 10 Mar 2026 |
| 29aaae52 | 50 | The commit adds multiple helper functions for batching plants and transit mixers, enhancing scheduling capabilities. However, it lacks comments and proper function docblocks, which impairs maintainability and comprehension. Several added methods handle time and resource availability but assume data validity without input validation or error handling, raising potential bug risks. The commit message is uninformative ('merge') and does not describe the purpose or impact of changes, reducing its value for historical context. There is also potential security concerns if input data is not sanitized externally. The commit adds relevant business logic, but improvements in documentation, validation, and commit messaging would increase code quality and maintainability. | 25 Mar 2026 |
| 45b0e08f | 60 | The commit adds scheduling improvements including dual-plant mode support, inserting flexible orders into available gaps, and logs for scheduling steps. It introduces new logic for determining free slots and scheduling orders more efficiently. However, the commit message 'merge' is uninformative. There is a risk of subtle bugs due to time calculations and no direct test evidence. Security risks appear low but handling of input parameters and error paths could be clearer. Overall, the changes add solid business value by improving scheduling optimization. | 01 Apr 2026 |
| 0cdfb859 | 80 | The changes add extensive scheduling logic and state management with snapshots and resetting functions, improving system capabilities to manage scheduling intervals and resource assignments. However, the commit message is not descriptive and the presence of many commented-out code lines and debug log statements reduces code clarity and maintainability. Some bug risk exists due to complexity and unclear state handling. No major security risks are evident. | 07 Apr 2026 |
| 7031e69b | 90 | The commit introduces new scheduling logic for trip-by-trip batching plant and truck assignment with considerations for plant availability and loading times. The code is fairly structured and readable but lacks extensive comments explaining the rationale behind some conditionals and selections. Also, many complex conditional chains and nested filters increase bug risk without unit tests shown. The security aspects are adequate since no user input handling or sensitive data exposure is present. The business value is high as it improves scheduling accuracy and resource utilization. Fake work risk is low as the changes involve substantive logic in multiple helpers. | 20 Apr 2026 |
| c993cd22 | 40 | The commit adds a ScheduleExport class and associated sheet classes for exporting schedule data into Excel sheets. The code covers functionality to load various scheduled orders, trips, and pump schedules based on parameters and formats them with styling for Excel export. The code quality is good with descriptive naming, use of Laravel Eloquent with eager loading, and clear data presentation. However, the commit lacks a meaningful commit message, and no error handling or security considerations like input validation or protection against potential SQL injection are evident. Business logic seems well addressed by this export functionality, though the lack of comments on complex query logic or class responsibilities may affect maintainability. Overall, it adds valuable reporting features but could improve on documentation, commit hygiene, and robustness. | 23 Jun 2026 |
| 4de1c60c | 70 | The commit includes a variety of enhancements primarily on pump scheduling logic and logging. It introduces multiple new log statements which can help debugging and system observability, but the quality is impacted by commented-out code and lack of descriptive commit message. The changes touch scheduling calculations which could have some bug risks if edge cases are not handled carefully. Security impact is moderate given no direct security issues are evident in the changes. | 11 Mar 2026 |
| e0a1a250 | 40 | This commit adds extensive logging for the ScheduleService class which improves traceability and debugging capabilities. However, the addition of numerous log statements, especially info-level logs with potentially sensitive order data, can lead to log bloat and potential information leakage. There is also a lack of log level consistency and some commented-out code remains in the production branch, which reduces overall code quality. | 12 Mar 2026 |
| b36d7489 | 40 | The commit adds numerous logging statements across ScheduleService.php to enhance visibility into the pump scheduling process, including site-to-site pump operations. While these logs improve traceability and debugging capabilities, the quality could be improved by standardizing log message formats and removing commented-out or redundant code. Business value is moderately high as logging can help identify operational issues, but the commit introduces some bug risk due to non-conditional log deletions and lack of error handling around file operations. Security risk is moderate because sensitive information might be logged without masking. Overall the work appears genuine but could be refined for better maintainability and security. | 12 Mar 2026 |
| a66d7a55 | 60 | The commit adds a large number of lines defining a ScheduleData class and ScheduleService class with many properties and methods, including timeout settings for HTTP requests. However, the commit message is uninformative ('merge'), and there are multiple commented-out Log statements which reduce clarity. There is no visible validation on HTTP calls or error handling beyond broad exception catching. The large diff and lack of granularity may hide bugs or insecure practices. | 13 Mar 2026 |
| 38c50638 | 75 | The commit includes multiple meaningful changes mainly focused on schedule optimization and resource conflict handling in the ScheduleService. However, quality is lowered by commented out code remnants and minor typos in logs. Bug risk exists where new logic around timing and resource availability is complex without explicit error handling or tests. Security impacts appear limited but log statements could risk information leaks if logs are insufficiently protected. Business value is moderate as the changes seem targeted at improving scheduling efficiency and resource management. | 16 Mar 2026 |
| 495e55da | 50 | The commit adds a new function reassignPouring to update pouring schedules with proper calculations and saves changes. However, there are commented out code blocks, debugging code (dd) left in the catch block, and some potential bugs in index checking which reduce code quality and increase bug risk. The commit message is not descriptive. Business value is moderate as it improves schedule management logic but lacks clarity and testing indications. | 16 Mar 2026 |
| 6828d5a1 | 30 | This initial commit adds a .gitignore file with common ignore patterns for node modules, compiled files, logs, and media files. While it establishes a foundational setup for ignoring unnecessary or sensitive files, the .gitignore could be more tailored to the specific project. The commit message is generic and uninformative. | 23 Jun 2026 |
| 0f5092ed | 30 | The commit adds a comprehensive .gitignore file with common patterns for Node.js, Java, Python, logs, IDE files, and media. This improves repository cleanliness by ignoring generated and non-source files. However, the commit message is ambiguous and does not describe the change clearly, which reduces maintainability and clarity. Some entries are slightly redundant (e.g., dist/ listed twice). The .gitignore file helps reduce accidental commits of build artifacts and sensitive files, indirectly improving security and bug risk, but it does not directly address functional code. | 23 Jun 2026 |
| babed622 | 50 | The commit adds foundational exception classes, a command scheduling kernel, and one export class scaffold. The type hierarchy for API exceptions appears structured well for reuse and clear error handling. However, the code is largely boilerplate or skeleton without implementation details or meaningful logic that deliver direct business value or mitigate bugs immediately. Security consideration is average given custom exception handling, but no input validation or sanitization is visible. The commit message lacks specifics making it harder to assess intent or relevance, and there are minor style issues such as missing final newlines. | 23 Jan 2026 |
| 22510bb1 | 10 | This commit adds a comprehensive README.md file for a Laravel project. It includes badges, framework description, learning resources, sponsor acknowledgements, contribution guidelines, code of conduct, security vulnerability reporting, and license information. The changes improve project documentation but do not affect code quality, security, or bug risk directly. | 23 Jan 2026 |
| 4e2036ce | 10 | The commit only adds JSON files patterns to .gitignore, potentially to avoid committing sensitive Firebase admin SDK credentials. The change is minimal with low direct business value and quality impact. The security score is low because ignoring files in gitignore alone does not guarantee safety if files were already committed or leaked. The lack of a descriptive commit message reduces confidence and clarity. | 23 Jan 2026 |
| e72e7b60 | 10 | The commit introduces a large number of environment variables including sensitive keys exposed in .env, which is a significant security risk. Code adds a PumpHelper class with complex logic for pump availability, but lacks comments and structure clarity. Some debug lines are commented but still present. There is no test coverage or validation evident. Minor changes in controllers and service files are minimal and unclear without further context. The overall change has moderate business value but lowered due to security risks and potential bugs. | 26 Jan 2026 |
| 1629b9af | 60 | The code adds a new pump scheduling helper function and modifies the OrderController with many new queries and handling. The structure is fairly clear but contains some variable name inconsistencies and commented-out code that reduce quality. There is sufficient error handling in the new helper with logging. The business logic seems useful for scheduling pumps and orders but lacks inline documentation making it harder to assess full business impact. Some repetitive and nested conditions increase bug risk, and no sanitization or authorization checks are apparent, posing moderate security risk. | 27 Jan 2026 |
| f8f7cf2a | 5 | The commit only adds two lines to the .env file for database credentials with minimal context or verification. There is very low quality assurance or business impact, with increased security risk from potentially exposed credentials. The work also appears low effort and low confidence for genuine value. | 27 Jan 2026 |
| 5ad406a2 | 50 | The merge commit introduces a significant new function getAvailablePumps with reasonable error handling and detailed logic to select suitable pumps based on various criteria. However, the code contains several typos in variable names and commented-out log calls which lowers maintainability and clarity. The rest of the diff shows code additions without context, making it hard to judge the overall impact. There is moderate risk of bugs due to unclear variable names and subtle logic but basic error catching is present. Security is moderate given logging sensitive info and no input sanitization shown. Business value is positive due to potential improvements in pump resource allocation. Fake work risk is low due to large functional changes. | 27 Jan 2026 |
| efef12ca | 70 | The commit adds an install_time field across various components including database schema, helper functions, and views to enhance pump scheduling logic. The work appears to integrate install_time properly with default fallbacks and logging for debugging. However, the commit message 'merge' is non-descriptive, reducing traceability and quality. The code lacks comments explaining the rationale behind some defaults. There is no indication of validation or error handling around the new install_time values which could increase bug risk. | 27 Jan 2026 |
| 57864738 | 10 | The commit only adds database credentials to the environment file. This offers minimal code or feature changes, so quality and bug risk improvements are limited. However, adding sensitive info like DB_PASSWORD in a commit is low security and raises fake work risk since it might be just updating config without feature improvements. | 27 Jan 2026 |
| 164dbc2d | 50 | This commit introduces changes to environment variables, .gitignore, and logic related to pump scheduling and time calculations. The changes aim to adjust calculations involving installation and travel times, possibly improving accuracy. However, uncommented logging lines and an empty DB_PASSWORD reduce clarity and security. Some code comments and questionable default values (e.g., installation_time default to 10) could be clarified or safeguarded better. | 27 Jan 2026 |
| 6c3f2563 | 30 | The commit introduces buffer time calculations and adjustments in ScheduleService related to pump scheduling. It logs some processing information and attempts to handle multiple trips for pumps, updating various time metrics. The changes improve handling of scheduling nuances but lack comments and type safety which can lead to maintenance challenges. There is some redundant code and no validation for input data which can increase bug risk. Security implications are low but present due to logging and unvalidated data use. | 27 Jan 2026 |
| 2e266fb9 | 50 | The commit introduces pump installation and waiting graph features, including new fields for scheduling and UI updates. The migration properly adds and removes these fields. However, there are some potential issues with operator precedence that may cause bugs; specifically, the use of '??' with multiplication expressions without parentheses in OrderHelper.php. Additionally, a debug 'dd($ex);' call remains in OrderController.php which is undesirable in production code. Overall the feature adds clear business value by enhancing scheduling visualization but code quality and bug risk could be improved with minor fixes. | 28 Jan 2026 |
| fc3cad62 | 60 | The commit introduces a large new method for selecting available pumps based on various criteria such as capacity, assignment, and availability time windows. It features detailed logging and error handling, which is positive. However, the commit message is non-descriptive, and the code has some minor style inconsistency and potential risk areas related to time comparison logic and naming (typos in variable names like 'assinedPump'). There is limited documentation and some commented-out debugging code. The business impact is moderate as it relates to pump assignment, but the full value depends on usage context. | 30 Jan 2026 |
| 6d407076 | 60 | The commit introduces detailed scheduling logic for pump utilization with extensive use of time calculations and conditions. However, the commit lacks comments explaining the new complex logic clearly, and some variables and magic numbers are used without context. There is also some commented-out debug and unused code, which reduces code clarity and potentially increases maintenance overhead. | 03 Feb 2026 |
| d2bc232f | 70 | The commit merges intervals and adjusts schedule-related calculations, introducing changes in schedule timing logic and view code. However, the commit message is vague and does not clarify the intent or impact, reducing maintainability and reviewability. Presence of commented out code lines suggests incomplete refactoring or debugging artifacts. Lack of input validation and detailed comments may raise bug risks. No clear security issues identified, but code quality and clarity could be improved. | 06 Feb 2026 |
| 96ca6a26 | 70 | This commit contains minor code additions mostly related to adjusting time values by subtracting seconds or minutes in ScheduleService.php and adding progress bar display logic in a Blade template. The commit message 'merge' is non-informative. There is some repeated logic that could be refactored. The time manipulation uses 'copy()->subSeconds()' and 'copy()->subMinutes()' but no context or comments explain the intent, which may introduce subtle bugs. The Blade view's inline PHP and mixing of complex expressions affects readability and maintainability. Tooltips with dynamic content are created, but potential XSS issues are unclear. Overall, the changes are incremental but lack documentation or clear justification. | 06 Feb 2026 |
| 0738c7b3 | 0 | The commit adds or modifies environment variables to include database credentials. There is very limited information and no code changes to evaluate quality or logic. The inclusion of sensitive information like passwords in the commit is a security risk. The commit message is not descriptive, reducing business value and clarity. | 06 Feb 2026 |
| d54553c9 | 70 | The commit introduces small timing adjustments in ScheduleService and adds tooltip progress bars in a view, likely for UI improvements. The changes seem functional and meaningful but lack detailed explanations and testing evidence. The commit message is a vague merge note, and complex inline blade logic could be simplified. | 06 Feb 2026 |
| a09f746b | 70 | The commit introduces multiple changes around scheduling, especially related to intervals, waiting times, and pixel calculations for graphical representation. The change spans various helper files and controller logic. The commit message is vague and does not describe the changes or the rationale. Some code quality and maintainability issues affect the clarity and ease of future debugging. The code lacks comments and proper variable naming in some spots. There is also commented-out debug code left in the diff. The risk of bugs is increased due to tight coupling with domain logic without clear documentation and partial magic constants (e.g., 1.5 multiplier). Security is not heavily impacted but could improve with better input validation. Business value is moderate as these changes appear to enhance schedule visualization, but lack of a detailed commit message reduces confidence and traceability. | 10 Feb 2026 |
| 997d9c6a | 5 | This commit only updates environment variables to set the database name and password. It lacks code changes or any meaningful enhancements. Storing secrets directly in .env file without encryption raises security concerns. The merge commit message is generic and not descriptive. | 10 Feb 2026 |
| efddb9fe | 45 | The commit introduces a method to filter and assign pumps based on various constraints. It adds capacity checks, time calculations, and filtering based on assigned pumps and locations. The code merge may improve scheduling but has some code style inconsistencies and unclear variable naming (e.g., assinedPump typo). There are minimal comments explaining the reasoning behind time and capacity logic. The environment file modification lacks password security and documentation. Logging is added but could be structured better. Overall, the work addresses business needs but needs improvements in clarity, security (empty DB_PASSWORD), and minor bug risk due to unvalidated inputs and assumptions. | 11 Feb 2026 |
| 671dad24 | 50 | The commit adds functionality to display the last update reason in an internal error view and tracks assigned pumps per order in schedule data. However, the commit message is uninformative ('merge'), and the code lacks comments and validation for potential null values which could introduce bugs or maintenance challenges. The message handling can leak internal details which may be a security concern. | 12 Feb 2026 |
| b17f1beb | 80 | The commit shows a very minimal code change with unclear purpose and a vague commit message. The minor manipulation of a variable might have some impact, but without proper context or explanation, its value is limited. The risk of introducing bugs is moderate due to reassigning variables without visible validation. Security impact is likely low but cannot be confirmed due to lack of detail. The commit message 'merge' is not informative and reduces traceability and understandability. | 12 Feb 2026 |
| aa9cd906 | 20 | This commit adds a large service class with many public properties and some initial scheduling logic. The code shows a complex data model for schedule handling but lacks implementation details for key scheduling functions and error handling. The commit message is uninformative. Sensitive data such as DB_PASSWORD is committed in .env which is a security risk. | 12 Feb 2026 |