
Initial project setup with core functionality for exporting Unity memory snapshots to DuckDB or SQLite and generating HTML reports. #1

Merged
UnityZappy merged 1 commit into main from initial-integration on Mar 12, 2026
Conversation

@UnityZappy (Collaborator)

Initial project setup with core functionality for exporting Unity memory snapshots to DuckDB or SQLite and generating HTML reports. Added CLI interface, project structure, and build scripts. Included .gitignore and CI configuration for automated testing.

@UnityZappy UnityZappy requested a review from a team as a code owner March 12, 2026 16:14
@UnityZappy UnityZappy merged commit 344c75a into main Mar 12, 2026
1 check passed
{
using var command = connection.CreateCommand();
command.Transaction = tx;
command.CommandText = sql;


Cycode: SAST violation: 'Unsanitized external input in SQL query'.

Severity: Critical

Description

Using unsanitized data, such as user input, request data, or other externally influenced data passed to a function, in a SQL query exposes your application to SQL injection attacks. This vulnerability arises when externally controlled data is directly included in SQL statements without proper sanitization, allowing attackers to manipulate queries and access or modify data.

Cycode Remediation Guideline

✅ Do


  • Do validate all external input to ensure it meets the expected format before including it in SQL queries.
string order = sortingOrder == "DESC" ? "DESC" : "ASC";
  • Do use safe lists to validate external input, if dynamic input is required.
private static string ValidatedTableName(string tableName) {
  if (ALLOWED_TABLE_NAMES.Contains(tableName)) {
    return tableName;
  } else {
    // handle invalid table name: fail closed instead of falling through
    throw new ArgumentException("Invalid table name", nameof(tableName));
  }
}
  • Do use parameterized database queries to separate SQL logic from external input, significantly reducing the risk of SQL injection.
using (SqlConnection conn = new SqlConnection(connection_string))
{
  string query = "SELECT * FROM Users WHERE Username = @username";
  SqlCommand cmd = new SqlCommand(query, conn);
  cmd.Parameters.AddWithValue("@username", unsafeInput);
  // ...
}

❌ Don't


  • Do not include raw external input in SQL queries. This practice can lead to SQL injection vulnerabilities.
using (SqlConnection conn = new SqlConnection(connection_string))
{
  string query = "SELECT * FROM Users WHERE Username = '" + unsafeInput + "'";
  SqlCommand cmd = new SqlCommand(query, conn);
  // ...
}

Tell us how you wish to proceed using one of the following commands:

Tag Short Description
#cycode_sast_false_positive <reason> Mark as false positive — applies to this violation only
#cycode_ai_remediation Request remediation guidance using Cycode AI
#cycode_sast_ignore_here <reason> Ignore this violation — applies to this violation only

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.
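
The guideline above is generic; the sites flagged in this PR are more specific. `ExecuteQuery(string sql)` and `QueryCount(SqliteConnection connection, string sql)` take a complete statement as input, and the `sql.Append(')')` site assembles a statement in a `StringBuilder` before assigning `command.CommandText`. A parameter can never stand in for a whole statement or for an identifier, so the fix splits into two mechanisms: bind values with parameters, and restrict any runtime-built identifier (table or column name) and keyword (column type) to an allowlist before quoting it. The trust boundary also matters: if the string reaching `ExecuteQuery` is typed by the tool's own user against a local snapshot database, there is no external input to sanitize and the finding is a candidate for `#cycode_sast_false_positive`; if it can be assembled from file contents, the pattern below applies. The following is an added example written for this review, not code from the PR or from Cycode. It assumes the Microsoft.Data.Sqlite package and an in-memory database; the `objects` table, its columns, the sample rows and the hostile filter string are all constructed for the demonstration.

```csharp
// Added example for this review; not code from the PR or from Cycode.
// Assumes the Microsoft.Data.Sqlite package. Table, columns, rows and the
// hostile input are constructed here for the demonstration.
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.RegularExpressions;
using Microsoft.Data.Sqlite;

static class SqlInjectionDemo
{
    // Identifiers cannot be bound as parameters, so they must pass a strict
    // allowlist pattern and are then double-quoted (SQLite identifier quoting).
    static readonly Regex Identifier = new Regex(@"^[A-Za-z_][A-Za-z0-9_]{0,63}$");

    // Safe list for column types, the guideline's second "Do".
    static readonly HashSet<string> AllowedTypes = new HashSet<string> { "TEXT", "INTEGER", "REAL" };

    static string QuoteIdentifier(string name)
    {
        if (!Identifier.IsMatch(name))
            throw new ArgumentException("Rejected SQL identifier: " + name);
        return "\"" + name + "\"";
    }

    // Same shape as the flagged StringBuilder code: DDL assembled from a list of
    // names, but every fragment is validated before it is appended.
    static string BuildCreateTable(string table, IReadOnlyList<(string Name, string Type)> columns)
    {
        var sql = new StringBuilder("CREATE TABLE ").Append(QuoteIdentifier(table)).Append(" (");
        for (int i = 0; i < columns.Count; i++)
        {
            if (!AllowedTypes.Contains(columns[i].Type))
                throw new ArgumentException("Rejected column type: " + columns[i].Type);
            if (i > 0) sql.Append(", ");
            sql.Append(QuoteIdentifier(columns[i].Name)).Append(' ').Append(columns[i].Type);
        }
        sql.Append(')');
        return sql.ToString();
    }

    // Vulnerable: the filter value is spliced into the statement text, so a
    // quote character in the input rewrites the predicate.
    static long CountVulnerable(SqliteConnection conn, string typeName)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM objects WHERE type_name = '" + typeName + "'";
        return (long)cmd.ExecuteScalar()!;
    }

    // Hardened: the value travels as a bound parameter; the statement text is a
    // constant and the input can only ever be compared as a string.
    static long CountSafe(SqliteConnection conn, string typeName)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM objects WHERE type_name = $type";
        cmd.Parameters.AddWithValue("$type", typeName);
        return (long)cmd.ExecuteScalar()!;
    }

    static void Main()
    {
        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();

        using (var setup = conn.CreateCommand())
        {
            setup.CommandText = BuildCreateTable("objects",
                new[] { ("type_name", "TEXT"), ("size", "INTEGER") });
            setup.ExecuteNonQuery();
            // Constructed rows standing in for exported snapshot objects.
            setup.CommandText = "INSERT INTO objects VALUES ('Texture2D', 4096), ('Mesh', 2048), ('Mesh', 512)";
            setup.ExecuteNonQuery();
        }

        const string hostile = "' OR '1'='1"; // constructed attacker-controlled filter

        // The concatenated query matches every row; the parameterized query
        // matches only rows whose type_name is literally the hostile string.
        Console.WriteLine("vulnerable: " + CountVulnerable(conn, hostile));
        Console.WriteLine("parameterized: " + CountSafe(conn, hostile));
        Console.WriteLine("parameterized, honest input: " + CountSafe(conn, "Mesh"));

        // An identifier carrying a statement terminator never reaches the database.
        try
        {
            BuildCreateTable("objects\"; DROP TABLE objects; --", new[] { ("x", "TEXT") });
        }
        catch (ArgumentException e)
        {
            Console.WriteLine(e.Message);
        }
    }
}
```

`QuoteIdentifier` rejects rather than escapes: doubling embedded quotes would also be correct SQLite quoting, but a snapshot exporter has no legitimate reason to emit a table or column name outside `[A-Za-z0-9_]`, and failing closed keeps the exported schema predictable. The same allowlist should guard `ORDER BY` and `LIMIT` fragments if the HTML report ever builds those from user-selected options.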

{
using var command = connection.CreateCommand();
command.Transaction = tx;
command.CommandText = sql;


Cycode: SAST violation: 'Unsanitized external input in SQL query'.

Severity: Critical

public (string[] Columns, List<object?[]> Rows) ExecuteQuery(string sql)
{
using var cmd = _connection.CreateCommand();
cmd.CommandText = sql;


Cycode: SAST violation: 'Unsanitized external input in SQL query'.

Severity: Critical

private static long QueryCount(SqliteConnection connection, string sql)
{
using var cmd = connection.CreateCommand();
cmd.CommandText = sql;


Cycode: SAST violation: 'Unsanitized external input in SQL query'.

Severity: Critical

sql.Append(')');
}

command.CommandText = sql.ToString();


Cycode: SAST violation: 'Unsanitized external input in SQL query'.

Severity: Critical
