AI Assessment
VERDICT
Not yet production-ready. The scanner detected 2 high-severity CVEs in dependencies and 10 medium-severity issues including code duplication and high cyclomatic complexity, plus missing governance files. Automated analysis suggests significant refactoring and dependency updates are needed before deployment.
TOP RISKS
→ CVE-2025-59530 in github.com/quic-go/quic-go@v0.54.0 flagged in go.mod — high severity vulnerability in QUIC implementation
→ CVE-2024-24792 in golang.org/x/image@v0.0.0-20191009234506-e7c1f5e7dbb8 flagged in go.mod — high severity vulnerability in image processing library that is significantly outdated
→ Duplicated code block (25 lines) detected across domains/image/upload-service.go:82, domains/processing/processing-service_test.go:100, domains/image/image-handler.go:137 — reduces maintainability and introduces inconsistency risk
→ applyTransformations function in domains/processing/processing-service.go flagged for high complexity (CCN 22) — exceeds recommended thresholds and suggests need for refactoring
WHAT TO FIX FIRST
Update golang.org/x/image in go.mod from the 2019 version (v0.0.0-20191009234506-e7c1f5e7dbb8) to a current stable release. This single dependency update resolves 4 medium-severity CVEs (CVE-2024-24792, CVE-2022-41727, CVE-2023-29407, CVE-2023-29408) that were all flagged against the same outdated library.
Note: Verify these findings against your actual code. Some duplication flags may be false positives if the code blocks serve different purposes.
Category Breakdown
Findings (23 in 14 groups)
github.com/quic-go/quic-go: quic-go Crash Due to Premature HANDSHAKE_DONE Frame | Fix available: 0.49.1, 0.54.1 | Package: github.com/quic-go/quic-go (gomod) | https://avd.aquasec.com/nvd/cve-2025-59530
Parsing a corrupt or malicious image with invalid color indices can ca ... | Fix available: 0.18.0 | Package: golang.org/x/image (gomod) | https://avd.aquasec.com/nvd/cve-2024-24792
Duplicate found between domains/image/upload-service.go:82 and domains/image/upload-service.go:36. Consider extracting shared logic into a reusable function or module.
github.com/quic-go/quic-go/http3: quic-go HTTP/3 QPACK Header Expansion DoS | Fix available: 0.57.0 | Package: github.com/quic-go/quic-go (gomod) | https://avd.aquasec.com/nvd/cve-2025-64702
golang.org/x/image: Uncontrolled Resource Consumption | Fix available: 0.5.0 | Package: golang.org/x/image (gomod) | https://avd.aquasec.com/nvd/cve-2022-41727
golang.org/x/image/tiff: excessive CPU consumption in decoding | Fix available: 0.10.0 | Package: golang.org/x/image (gomod) | https://avd.aquasec.com/nvd/cve-2023-29407
golang.org/x/image/tiff: TIFF decoder does not place a limit on the size of compressed tile data | Fix available: 0.10.0 | Package: golang.org/x/image (gomod) | https://avd.aquasec.com/nvd/cve-2023-29408
Function "applyTransformations img [ ] byte" has a cyclomatic complexity of 22 (96 lines, 2 parameters). This function is very complex. Consider breaking it into smaller, more focused functions.
No test directory or test files were found. Automated tests are critical for maintaining code quality and preventing regressions.
disintegration Imaging 1.6.2 allows attackers to cause a panic (becaus ... | Package: github.com/disintegration/imaging (gomod) | https://avd.aquasec.com/nvd/cve-2023-36308