Inconsistent SonarCloud Rule Detection Across Repositories

Hi Felix!

The export default function App() logic was indeed different between the 2 repos.
Now both repos look like the following:

function App()
[...]
export default App

After making this change, I also just copied and pasted the non-compliant code again into both repos; that way, new code is found in the PR build.

I am seeing the same behaviour where one repo finds the nesting issue AND the security issue, but one only finds the nesting issue.

If you can guide me on how to do so, I can share the whole files privately and explain in more detail the structure of the repos as well.

Thanks!

Hey Tabish!

> If you can guide me on how to do so, I can share the whole files privately and explain in more detail the structure of the repos as well.

You will receive a private message that opens a private thread. In this one you can share the files privately.

> I am seeing the same behaviour where one repo finds the nesting issue AND the security issue, but one only finds the nesting issue.

So the issue still exists. Next, we could check if the method is actually called in both cases. The analysis will only explore a function if it is called somewhere. Such a function can be called directly or indirectly from within a module. If in one case it is called but not in the other, that would be an explanation. If it is directly called in one case and indirectly (from within a module) in the other, that might also be an explanation. Let me know if this might be the difference.

Looking forward to more information!

Cheers
Felix

With the additional information that was shared privately, the issue could be identified. A temporary solution has been found and a permanent solution will be implemented along with a (non-public) ticket that has been created.
To provide a little bit of context without revealing any details:
The analysis was not able to make a connection between an exported function and its usage due to a slightly different import used in the non-working repo. We were able to adapt the code such that the connection is made, and once the ticket is implemented this adaptation will not be necessary anymore.

Thanks @tab for providing all the details and your responsiveness!
You gave us the chance to improve our analysis.
