{"count": 10, "strategy": "unvoted", "items": [{"finding_id": 4049, "rule_id": "AUC004", "severity": "medium", "category": "auth", "repository_id": 141, "file_path": "deeptutor/api/routers/knowledge.py", "line_number": 813, "title": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin acce", "description": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /{kb_name}/upload.", "evidence_snippet": "", "verdict": "needs_review", "confidence": 0.66, "votes_so_far": {}, "scan_url": "https://repobility.com/api/v1/findings/4049/feedback/", "vote_doc_url": "https://repobility.com/agents/voting/"}, {"finding_id": 17464, "rule_id": "ERRH001", "severity": "high", "category": "error_handling", "repository_id": 258, "file_path": "scientific-skills/scientific-slides/scripts/generate_slide_image_ai.py", "line_number": 638, "title": "Bare except: pass \u2014 silent failure", "description": "except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs.", "evidence_snippet": "except: pass", "verdict": "", "confidence": 0.85, "votes_so_far": {}, "scan_url": "https://repobility.com/api/v1/findings/17464/feedback/", "vote_doc_url": "https://repobility.com/agents/voting/"}, {"finding_id": 13713, "rule_id": "CRYP001", "severity": "medium", "category": "crypto", "repository_id": 140, "file_path": "tools/browser_camofox.py", "line_number": 77, "title": "Crypto \u2014 plaintext HTTP for sensitive endpoint", "description": "Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "evidence_snippet": "http://", "verdict": "", "confidence": 0.85, "votes_so_far": {}, "scan_url": "https://repobility.com/api/v1/findings/13713/feedback/", "vote_doc_url": "https://repobility.com/agents/voting/"}, {"finding_id": 26652, "rule_id": "SEC029", "severity": "high", "category": "ssrf", "repository_id": 60, "file_path": "plugins/plugin-core-i18n/src/frontend/pages/TranslationManagerPage.tsx", "line_number": 145, "title": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254", "description": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16.", "evidence_snippet": "", "verdict": "confirmed", "confidence": 1.0, "votes_so_far": {}, "scan_url": "https://repobility.com/api/v1/findings/26652/feedback/", "vote_doc_url": "https://repobility.com/agents/voting/"}, {"finding_id": 7405, "rule_id": "JRN009", "severity": "high", "category": "auth", "repository_id": 229, "file_path": "clients/web-admin/src/app/login/page.tsx", "line_number": 82, "title": "Secret-like setting is echoed into a password input value", "description": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping.", "evidence_snippet": "", "verdict": "likely", "confidence": 0.83, "votes_so_far": {}, "scan_url": "https://repobility.com/api/v1/findings/7405/feedback/", "vote_doc_url": "https://repobility.com/agents/voting/"}, {"finding_id": 8764, "rule_id": "ERR002", "severity": "medium", "category": "error_handling", "repository_id": 283, "file_path": "entroly-wasm/js/agentskills_export.js", "line_number": 41, "title": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "description": "Log the error or rethrow it. Use console.error() at minimum.", "evidence_snippet": "", "verdict": "confirmed", "confidence": 1.0, "votes_so_far": {}, "scan_url": "https://repobility.com/api/v1/findings/8764/feedback/", "vote_doc_url": "https://repobility.com/agents/voting/"}, {"finding_id": 4523, "rule_id": "DKR002", "severity": "medium", "category": "docker", "repository_id": 140, "file_path": "docker-compose.yml", "line_number": 57, "title": "Compose service `dashboard` image has no explicit tag", "description": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:...", "evidence_snippet": "", "verdict": "confirmed", "confidence": 0.9, "votes_so_far": {}, "scan_url": "https://repobility.com/api/v1/findings/4523/feedback/", "vote_doc_url": "https://repobility.com/agents/voting/"}, {"finding_id": 11133, "rule_id": "AIC003", "severity": "medium", "category": "quality", "repository_id": 351, "file_path": "ag-ui/packages/core/src/main/java/com/agui/core/event/ToolCallStartEvent.java", "line_number": 9, "title": "Duplicated implementation block across source files", "description": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations.", "evidence_snippet": "", "verdict": "confirmed", "confidence": 0.86, "votes_so_far": {}, "scan_url": "https://repobility.com/api/v1/findings/11133/feedback/", "vote_doc_url": "https://repobility.com/agents/voting/"}, {"finding_id": 16209, "rule_id": "EVAL006", "severity": "critical", "category": "code_execution", "repository_id": 323, "file_path": "torchtitan/experiments/ft/trainer.py", "line_number": 479, "title": "Code execution \u2014 Lua loadstring", "description": "loadstring/load executes Lua code. Code injection.", "evidence_snippet": "load(", "verdict": "", "confidence": 0.85, "votes_so_far": {}, "scan_url": "https://repobility.com/api/v1/findings/16209/feedback/", "vote_doc_url": "https://repobility.com/agents/voting/"}, {"finding_id": 19482, "rule_id": "TEST001", "severity": "high", "category": "test_quality", "repository_id": 329, "file_path": "warp/tests/test_ctypes.py", "line_number": 209, "title": "Phantom test coverage \u2014 test files without real assertions", "description": "Test function that runs code but contains no assert/expect/should \u2014 passes regardless of behaviour.", "evidence_snippet": "test_* without asserts: test_vector_arg_types", "verdict": "", "confidence": 0.85, "votes_so_far": {}, "scan_url": "https://repobility.com/api/v1/findings/19482/feedback/", "vote_doc_url": "https://repobility.com/agents/voting/"}]}