{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `iii` image uses the latest tag", "shortDescription": {"text": "Compose service `iii` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, 
"properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR017", "name": "Dockerfile installs dependencies after copying the full source tree", "shortDescription": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "fullDescription": {"text": "Copy dependency manifests first, install dependencies in a cached layer, then copy the rest of the source tree."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. 
For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. 
Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. 
If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `collect_skills` has cognitive complexity 19 (SonarSource scale). Cognitiv", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `collect_skills` has cognitive complexity 19 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursio"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 19."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", 
"confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. 
Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED001] Bare Except Pass (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. 
Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.", "shortDescription": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... 
| sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED041", "name": "[MINED041] Rust Unimplemented Macro (and 14 more): Same pattern found in 14 additional files. Review if needed.", "shortDescription": {"text": "[MINED041] Rust Unimplemented Macro (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block (and 14 more): Same pattern found in 14 additional files. Review if needed.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 11 more): Same pattern found in 11 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 51 more): Same pattern found in 51 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 51 more): Same pattern found in 51 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 101 more): Same pattern found in 101 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 101 more): Same pattern found in 101 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public re", "shortDescription": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-942, CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 13 more): Same pattern found in 13 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 10 more): Same pattern found in 10 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16, plus loopback (127/8) and the IPv6 equivalents (::1, fc00::/7, fe80::/10).\nApply the check to the address the hostname actually resolves to, and repeat it on every redirect, so that an allowed name cannot end up pointing at an internal address."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `engine/firmware/libkrunfw-linux-aarch64.so` committed in source repo: `engine/firmware/libkrunfw", "shortDescription": {"text": "[MINED134] Binary file `engine/firmware/libkrunfw-linux-aarch64.so` committed in source repo: `engine/firmware/libkrunfw-linux-aarch64.so` is a .so binary (22,873,704 bytes) committed to a repo that otherwise has 845 source files. Trojan bi"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. 
If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED128", "name": "[MINED128] go.mod replaces `github.com/iii-hq/iii/sdk/packages/go/iii` \u2014 points to a LOCAL path: `replace github.com/iii", "shortDescription": {"text": "[MINED128] go.mod replaces `github.com/iii-hq/iii/sdk/packages/go/iii` \u2014 points to a LOCAL path: `replace github.com/iii-hq/iii/sdk/packages/go/iii => ../iii` overrides the canonical dependency with a different source (points to a LOCAL pat"}, "fullDescription": {"text": "If the replace is intentional (e.g. waiting on an upstream fix), vendor the dependency into the repo and add a comment explaining the reason. Remove the replace once upstream merges."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `rabbitmq:3-management-alpine` unpinned: `container/services image: rabbitm", "shortDescription": {"text": "[MINED126] Workflow container/services image `rabbitmq:3-management-alpine` unpinned: `container/services image: rabbitmq:3-management-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container referenc"}, "fullDescription": {"text": "Replace with `rabbitmq:3-management-alpine@sha256:<digest>`. 
Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run", "shortDescription": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) "}, "fullDescription": {"text": "Replace with: `uses: pnpm/action-setup@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `iiidev/iii:latest` not pinned by digest: `FROM iiidev/iii:latest` resolves the tag at build ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `iiidev/iii:latest` not pinned by digest: `FROM iiidev/iii:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production i"}, "fullDescription": {"text": "Replace with: `FROM iiidev/iii:latest@sha256:<digest>`. Get the digest from `docker manifest inspect`. 
Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "[MINED131] pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v4.6.0`: `.pre-commit", "shortDescription": {"text": "[MINED131] pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v4.6.0`: `.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v4.6.0`. If `{rev}` is a branch or ve"}, "fullDescription": {"text": "Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self._send` used but never assigned in __init__: Method `_on_connected` of class `III` reads `self._send`, b", "shortDescription": {"text": "[MINED108] `self._send` used but never assigned in __init__: Method `_on_connected` of class `III` reads `self._send`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the m"}, "fullDescription": {"text": "Initialize `self._send = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_state_delete_non_existent_item: Test function `test_state_delete_non_existent_ite", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_state_delete_non_existent_item: Test function `test_state_delete_non_existent_item` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage witho"}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED110", "name": "[MINED110] Blocking call `time.sleep` inside async function `test_delivers_events_to_multiple_external_functions`: `time", "shortDescription": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_delivers_events_to_multiple_external_functions`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every "}, "fullDescription": {"text": "Use the async equivalent: `aiohttp` instead of `requests`, `asyncio.sleep` instead of `time.sleep`, `aiofiles` instead of `open`."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "Create .dockerignore before using broad context copies, or copy only the required files and directories."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-705 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED010", "name": "[MINED010] Ruby System Call: system / backtick run shell. 
Command injection if any arg dynamic.", "shortDescription": {"text": "[MINED010] Ruby System Call: system / backtick run shell. Command injection if any arg dynamic."}, "fullDescription": {"text": "Pass the command and each argument as separate parameters (`system(cmd, arg)` or `Open3.capture2(cmd, arg)`) so no shell parses them; never interpolate dynamic values into a single command string or backticks. See CWE-78 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_reques", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.ANTHROPIC_API_KEY }}` lets a PR from any fork exfiltrate th"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed. `pull_request_target` runs with the base repository's secrets, so checking out and executing the PR head in such a workflow exposes them; by default GitHub does not pass repository secrets to `pull_request` runs from forks, so confirm the exposure before changing the trigger."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `argparse` used but not imported: The file uses `argparse.something(...)` but never imports `", "shortDescription": {"text": "[MINED107] Missing import: `argparse` used but not imported: The file uses `argparse.something(...)` but never imports `argparse`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import argparse` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. 
Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Do not build templates from user input: load templates from trusted sources and pass user data only as render context; if user-authored templates are required, render them with `jinja2.sandbox.SandboxedEnvironment`. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1301"}, "properties": {"repository": "iii-hq/iii", "repoUrl": "https://github.com/iii-hq/iii", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132844, "scanner": "repobility-ast-engine", "fingerprint": "f714daa9031870b9bbc4fd71d332b83742b95ff4a0a4a24ee597058e7ae80d6d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f714daa9031870b9bbc4fd71d332b83742b95ff4a0a4a24ee597058e7ae80d6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/format_utils.py"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132843, "scanner": "repobility-ast-engine", "fingerprint": "3196c8af4851b5323bd04c2698b84beb38fccef7baaa1e255a976abeeee383af", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3196c8af4851b5323bd04c2698b84beb38fccef7baaa1e255a976abeeee383af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/format_utils.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132842, "scanner": "repobility-ast-engine", "fingerprint": "bf16b98603a19c127ac604af1642b711cf0f6a38e718005838630ce501186fd4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bf16b98603a19c127ac604af1642b711cf0f6a38e718005838630ce501186fd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/iii.py"}, "region": {"startLine": 1048}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132841, "scanner": "repobility-ast-engine", "fingerprint": "e96500e0916bad90e97eb1e712218910eaf67dd6dd14bd3ceee1ee38a464fbe9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e96500e0916bad90e97eb1e712218910eaf67dd6dd14bd3ceee1ee38a464fbe9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/iii.py"}, "region": {"startLine": 1214}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132820, "scanner": "repobility-ast-engine", "fingerprint": "a26dbdf756f9448f6f13c9150b38aab8f30b4bf0222110671ff74038c6de84cd", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a26dbdf756f9448f6f13c9150b38aab8f30b4bf0222110671ff74038c6de84cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_http_external_functions_integration.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132819, "scanner": "repobility-ast-engine", "fingerprint": "49fe0197072f5e950734cfb690efa615a723ed2bd510db542787c9f33ed47657", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|49fe0197072f5e950734cfb690efa615a723ed2bd510db542787c9f33ed47657"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_http_external_functions_integration.py"}, "region": {"startLine": 187}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132790, "scanner": "repobility-ast-engine", "fingerprint": "6fe91bed7d223b43229f80db9aea512a441b7bb2ed50ead3274d631de1686189", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6fe91bed7d223b43229f80db9aea512a441b7bb2ed50ead3274d631de1686189"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_errors.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132789, "scanner": "repobility-ast-engine", "fingerprint": "5e299004805f3957a3808c9bd7ca07fad3c29f7c73a87c5fb12308c69ca8330d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5e299004805f3957a3808c9bd7ca07fad3c29f7c73a87c5fb12308c69ca8330d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_healthcheck.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132787, "scanner": "repobility-ast-engine", "fingerprint": "d0faef02ad1830604af0765cb882313abc8ea9a670ba2ae3e9f7ff0e6c2deac5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d0faef02ad1830604af0765cb882313abc8ea9a670ba2ae3e9f7ff0e6c2deac5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/observability/src/iii_observability/logger.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 132753, "scanner": "repobility-docker", "fingerprint": "6a4f7db7a729923ef6ecd17f697591bdeef5fd5ae6ab0337db63ee78166f7691", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "rabbitmq", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|6a4f7db7a729923ef6ecd17f697591bdeef5fd5ae6ab0337db63ee78166f7691", "expected_targets": ["/var/lib/rabbitmq"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/node/iii-example/docker-compose.yaml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `iii` image uses the latest tag"}, "properties": {"repobilityId": 132740, "scanner": "repobility-docker", "fingerprint": "895655d9437c1f1f0115176c848a10c17056dd5ca0888f7297d992c171c5406f", "category": 
"docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "iiidev/iii:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|895655d9437c1f1f0115176c848a10c17056dd5ca0888f7297d992c171c5406f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 132739, "scanner": "repobility-docker", "fingerprint": "1c09264fa3db07ac9b8136c4d794ac5187ec7f9967e74eab3a5c23cf2d9f054b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "iiidev/iii:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1c09264fa3db07ac9b8136c4d794ac5187ec7f9967e74eab3a5c23cf2d9f054b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/tests/fixtures/templates/docker/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 132738, "scanner": "repobility-docker", "fingerprint": "1d3665c62a85842f270c4ee749564396ccd846ae42aa3b90f2a438d5793d3ed0", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "iiidev/iii:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1d3665c62a85842f270c4ee749564396ccd846ae42aa3b90f2a438d5793d3ed0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/tests/fixtures/templates/docker/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 132737, "scanner": "repobility-docker", "fingerprint": "b706a08aeb6f4ed7e697b154ad791f05b4fe7dafcb92a6cf2b901d23515b27bc", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 9 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 9, "correlation_key": "fp|b706a08aeb6f4ed7e697b154ad791f05b4fe7dafcb92a6cf2b901d23515b27bc", "dependency_install_line": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/Dockerfile.debug"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 132735, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", 
"evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 132734, "scanner": "repobility-agent-runtime", "fingerprint": "7b598276f667e8cc7f0ac12fda8ec8bdb2c76bf97f71a957b83e7bb4d832b061", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|7b598276f667e8cc7f0ac12fda8ec8bdb2c76bf97f71a957b83e7bb4d832b061"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/navbar-counters.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 132733, "scanner": "repobility-agent-runtime", "fingerprint": "390ed5a9f9c660bbb802d5ed070db406b8f5893fecc43a51494800b4625e03d1", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|390ed5a9f9c660bbb802d5ed070db406b8f5893fecc43a51494800b4625e03d1"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/0-11-0/advanced/deployment.mdx"}, "region": {"startLine": 13}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 132732, "scanner": "repobility-agent-runtime", "fingerprint": "832063df2dc879eab699844dd6f5703cd0c7e5ffd6e73deed1c0ec812f9393a7", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|832063df2dc879eab699844dd6f5703cd0c7e5ffd6e73deed1c0ec812f9393a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/0-10-0/quickstart.mdx"}, "region": {"startLine": 13}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 132731, "scanner": "repobility-agent-runtime", "fingerprint": "2c75aa2947cd09db7438521b59044b3d9a61c23f6e6b2ea04684f2ae66378985", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|2c75aa2947cd09db7438521b59044b3d9a61c23f6e6b2ea04684f2ae66378985"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/0-10-0/advanced/deployment.mdx"}, "region": {"startLine": 13}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": 
{"repobilityId": 132730, "scanner": "repobility-agent-runtime", "fingerprint": "eee201c5984de3257939b3b0918ba5c024a8a754c0088bc2902538b2345ca352", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|eee201c5984de3257939b3b0918ba5c024a8a754c0088bc2902538b2345ca352"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "console/packages/console-frontend/src/hooks/useTheme.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 132729, "scanner": "repobility-agent-runtime", "fingerprint": "fbb174d41b42ab59693cc5ca79eec7dcf537c44d85cb4f502ed83391969534f1", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|fbb174d41b42ab59693cc5ca79eec7dcf537c44d85cb4f502ed83391969534f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 85}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 132698, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a29278a3658737c091e04f136e7a9244510cefe4909cd62cddec883c8ca9d621", "category": "quality", "severity": "medium", "confidence": 0.78, 
"triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "temp", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|a29278a3658737c091e04f136e7a9244510cefe4909cd62cddec883c8ca9d621"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/src/workers/secure_temp.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 132696, "scanner": "repobility-threat-engine", "fingerprint": "55b0cd117b4f10665c8169493f60b84e679d95b6c40cdab2cb84d4ecf0cddb49", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|55b0cd117b4f10665c8169493f60b84e679d95b6c40cdab2cb84d4ecf0cddb49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "website/posthog-consent.js"}, "region": {"startLine": 74}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 132694, "scanner": "repobility-threat-engine", "fingerprint": "95e1a22b1eb1ade21c321f4eba947ca3c63be6bc871f3dd09ddc13052008908e", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|95e1a22b1eb1ade21c321f4eba947ca3c63be6bc871f3dd09ddc13052008908e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/worker_metrics.py"}, "region": {"startLine": 146}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 132693, "scanner": "repobility-threat-engine", "fingerprint": "512665e9304f8aaff9f9dc281b0f55f8587449ae388916aaacd4097da53ddfa0", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|512665e9304f8aaff9f9dc281b0f55f8587449ae388916aaacd4097da53ddfa0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/types.py"}, "region": {"startLine": 241}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 132692, "scanner": "repobility-threat-engine", "fingerprint": "681ec4bda7eec082c6ab8afe9bd097b48736790da0376628b490e8890b650795", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|681ec4bda7eec082c6ab8afe9bd097b48736790da0376628b490e8890b650795"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/otel_worker_gauges.py"}, "region": {"startLine": 149}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 132671, "scanner": "repobility-threat-engine", "fingerprint": "979b84e9d35529897006f46c0e42536bc7fd507a819e6bcf6acdeaf2a65d3c8a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url: \"https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|979b84e9d35529897006f46c0e42536bc7fd507a819e6bcf6acdeaf2a65d3c8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/src/cli/github.rs"}, "region": {"startLine": 205}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 132669, "scanner": "repobility-threat-engine", "fingerprint": "43cd19cc64751b8bdd8c514365415038338283732dbae5352b058dc6c98eec4d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:\n        hints = get_type_hints(func)\n    except Exception:\n        return None", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|43cd19cc64751b8bdd8c514365415038338283732dbae5352b058dc6c98eec4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/format_utils.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 132668, "scanner": "repobility-threat-engine", "fingerprint": "23f060730984328d387c5c564ab814f5c1190d94f80d83a696f59b9ac9909388", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (_) {\n      return null\n    }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|23f060730984328d387c5c564ab814f5c1190d94f80d83a696f59b9ac9909388"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/navbar-counters.js"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 132664, "scanner": "repobility-threat-engine", "fingerprint": "0e95d4719cb5b25ae9549755cc5c19700636a61f0504da94b2b5b954191f50e0", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|engine/src/cli/exec.rs|62|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/src/cli/exec.rs"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 132663, "scanner": "repobility-threat-engine", "fingerprint": "3ad1c6981294f9dd5451f9c65b3a65d93f98028da2316afda222e9fe5afefcff", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|engine/src/cli/error.rs|25|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/src/cli/error.rs"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 132662, "scanner": "repobility-threat-engine", "fingerprint": "d76fd9dc464b393282bd7571f9af4dba8a4363cd0e9d1c4c35535a1675c2ccf9", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|42|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/0-11-0/scripts/renderers/components.mts"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 132625, "scanner": "repobility-threat-engine", "fingerprint": "e02ce90baeb34220e70abce937526a4e546492b730b005045ce78e7f5465b48c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ive = false\n  const subscriptionId = `console-${Date.now()}-${Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e02ce90baeb34220e70abce937526a4e546492b730b005045ce78e7f5465b48c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "console/packages/console-frontend/src/api/websocket.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function 
`collect_skills` has cognitive complexity 19 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=2, for=1, if=7, nested_bonus=9."}, "properties": {"repobilityId": 132606, "scanner": "repobility-threat-engine", "fingerprint": "c24489a9af4bfe823c44df6685be54acb30bfb9fde36daf5ef1385db9f47277c", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 19 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "collect_skills", "breakdown": {"if": 7, "for": 1, "continue": 2, "nested_bonus": 9}, "complexity": 19, "correlation_key": "fp|c24489a9af4bfe823c44df6685be54acb30bfb9fde36daf5ef1385db9f47277c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/build_skills_payload.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `normalize_worker_interface` has cognitive complexity 23 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=5, for=2, if=7, nested_bonus=5, or=4."}, "properties": {"repobilityId": 132604, "scanner": "repobility-threat-engine", "fingerprint": "8e17eb5bbf5220e09ebe03dc2ad1c259225973d280b7e7d66553dd33a24752a5", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 23 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "normalize_worker_interface", "breakdown": {"if": 7, "or": 4, "for": 2, "continue": 5, "nested_bonus": 5}, "complexity": 23, "correlation_key": "fp|8e17eb5bbf5220e09ebe03dc2ad1c259225973d280b7e7d66553dd33a24752a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/build_engine_publish_payload.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132759, "scanner": "repobility-docker", "fingerprint": "60cae9c6b82c45c50302a594eef0d379abd3f6dbddeb82849b7bdfd3c6b2598c", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "otel-collector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|60cae9c6b82c45c50302a594eef0d379abd3f6dbddeb82849b7bdfd3c6b2598c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii-example/docker-compose.yaml"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132758, "scanner": "repobility-docker", "fingerprint": 
"6a4267a6c608b5bbec962bc18b48b2f99e7e50b6f1f25e97fdc8bccb64b608f8", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "otel-collector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6a4267a6c608b5bbec962bc18b48b2f99e7e50b6f1f25e97fdc8bccb64b608f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii-example/docker-compose.yaml"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132757, "scanner": "repobility-docker", "fingerprint": "f6554c199fe3300107ca92dbe8b1e8c8ee1e38127ae987eba6402a158f1a0972", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "openobserve", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f6554c199fe3300107ca92dbe8b1e8c8ee1e38127ae987eba6402a158f1a0972"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii-example/docker-compose.yaml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132755, "scanner": "repobility-docker", "fingerprint": "a998767554a367a0b1c6c148ccee830c869148cba0de75ce8beaba859368614a", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", 
"verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "openobserve", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a998767554a367a0b1c6c148ccee830c869148cba0de75ce8beaba859368614a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii-example/docker-compose.yaml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 132754, "scanner": "repobility-docker", "fingerprint": "fda9727d5f9a68952f7cd8c6fd747d244f59b1932d213e488de420ad44b6b669", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "rabbitmq", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|fda9727d5f9a68952f7cd8c6fd747d244f59b1932d213e488de420ad44b6b669"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/node/iii-example/docker-compose.yaml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132751, "scanner": "repobility-docker", "fingerprint": "7e16cb55813e800f919d85b2e66f4eb4ee74171f607fb0f5b3b0dbe178c95ea4", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "otel-collector", 
"references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7e16cb55813e800f919d85b2e66f4eb4ee74171f607fb0f5b3b0dbe178c95ea4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/node/iii-example/docker-compose.yaml"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132750, "scanner": "repobility-docker", "fingerprint": "1eaaff44dee59cfce73c051f3de94187cec2fff906ff09292f7f940b8fc2de4c", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "otel-collector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1eaaff44dee59cfce73c051f3de94187cec2fff906ff09292f7f940b8fc2de4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/node/iii-example/docker-compose.yaml"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132749, "scanner": "repobility-docker", "fingerprint": "5e72f0e605858d4c3c886c23f90a8b3e04d5a059bf2ea548c922f37e4aa68562", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "openobserve", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|5e72f0e605858d4c3c886c23f90a8b3e04d5a059bf2ea548c922f37e4aa68562"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/node/iii-example/docker-compose.yaml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132747, "scanner": "repobility-docker", "fingerprint": "19e74e6a709907af5dd66911e56fa3ffd1f45987f7971a48e72c46b164fb19de", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "openobserve", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|19e74e6a709907af5dd66911e56fa3ffd1f45987f7971a48e72c46b164fb19de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/node/iii-example/docker-compose.yaml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132746, "scanner": "repobility-docker", "fingerprint": "2b7e315872ee132b72f8f6a9c128f22e69252bfa99dbcf8d34047f23735b6011", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "iii", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2b7e315872ee132b72f8f6a9c128f22e69252bfa99dbcf8d34047f23735b6011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"engine/tests/fixtures/templates/docker/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132745, "scanner": "repobility-docker", "fingerprint": "f7f87382133482fb1df6c6e263a03841c15249c4dd5bbbe4d052735cc50f8770", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "iii", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f7f87382133482fb1df6c6e263a03841c15249c4dd5bbbe4d052735cc50f8770"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/tests/fixtures/templates/docker/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132742, "scanner": "repobility-docker", "fingerprint": "97f1b0e4191b63bfeb291637d1ab33d04645eb3e829071d116e715bc4530ef48", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "iii", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|97f1b0e4191b63bfeb291637d1ab33d04645eb3e829071d116e715bc4530ef48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime 
user"}, "properties": {"repobilityId": 132741, "scanner": "repobility-docker", "fingerprint": "e38ae5feffede142a11d6bb4bfa861619c8943d9d39a92b95f60de0a5dbc43b6", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "iii", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e38ae5feffede142a11d6bb4bfa861619c8943d9d39a92b95f60de0a5dbc43b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132728, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5034842270981fbdeae654ccdbe1389aa3ca94281d026b72f2b3fefa736d7a2b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/sandbox_daemon/fs/chmod.rs", "duplicate_line": 104, "correlation_key": "fp|5034842270981fbdeae654ccdbe1389aa3ca94281d026b72f2b3fefa736d7a2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/sandbox_daemon/fs/sed.rs"}, "region": {"startLine": 147}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132727, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"39937939d72d956c1615089b82230567875c373d7434c7effb6d0482121623f3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/sandbox_daemon/fs/grep.rs", "duplicate_line": 126, "correlation_key": "fp|39937939d72d956c1615089b82230567875c373d7434c7effb6d0482121623f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/sandbox_daemon/fs/sed.rs"}, "region": {"startLine": 146}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132726, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e122cd94dffb4f29282e2eb6ad99ac7ff54eaf48c15ff151ce9a258ad7b57d99", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/sandbox_daemon/exec.rs", "duplicate_line": 180, "correlation_key": "fp|e122cd94dffb4f29282e2eb6ad99ac7ff54eaf48c15ff151ce9a258ad7b57d99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/sandbox_daemon/fs/rm.rs"}, "region": {"startLine": 119}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132725, "scanner": "repobility-ai-code-hygiene", "fingerprint": "65744781fac0f3613e05843c008f2b96bc77cec7ff36407da45803295f02fdc1", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/sandbox_daemon/fs/chmod.rs", "duplicate_line": 35, "correlation_key": "fp|65744781fac0f3613e05843c008f2b96bc77cec7ff36407da45803295f02fdc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/sandbox_daemon/fs/rm.rs"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132724, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e9a53c0def1ba8c8fe1e290008f564143c281c736ce9511dfd2f20b893303f00", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/sandbox_daemon/exec.rs", "duplicate_line": 180, "correlation_key": "fp|e9a53c0def1ba8c8fe1e290008f564143c281c736ce9511dfd2f20b893303f00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/sandbox_daemon/fs/mv.rs"}, "region": {"startLine": 122}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132723, "scanner": "repobility-ai-code-hygiene", "fingerprint": "26a4c1eeb0054bd23ce2c245b7e9df0dbc1d184b5a71e757f42a783b61c4b19c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/sandbox_daemon/fs/chmod.rs", "duplicate_line": 35, "correlation_key": "fp|26a4c1eeb0054bd23ce2c245b7e9df0dbc1d184b5a71e757f42a783b61c4b19c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/sandbox_daemon/fs/mv.rs"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132722, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fc936dbf1dfa6294df52bec49f03922fa7569649a870d5b050a498628051710f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/sandbox_daemon/exec.rs", "duplicate_line": 180, "correlation_key": "fp|fc936dbf1dfa6294df52bec49f03922fa7569649a870d5b050a498628051710f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/sandbox_daemon/fs/mkdir.rs"}, "region": {"startLine": 125}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132721, "scanner": "repobility-ai-code-hygiene", "fingerprint": "726efda12d64312030486bde517758fff4af6c75435df5c8edbff105d19d65a3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/sandbox_daemon/fs/chmod.rs", "duplicate_line": 35, "correlation_key": "fp|726efda12d64312030486bde517758fff4af6c75435df5c8edbff105d19d65a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/sandbox_daemon/fs/mkdir.rs"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132720, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3cb52b72e3751c11862d1f9709d6c9064425af4b7abcaed2627f576e28b69c7b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/sandbox_daemon/exec.rs", "duplicate_line": 180, "correlation_key": "fp|3cb52b72e3751c11862d1f9709d6c9064425af4b7abcaed2627f576e28b69c7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/sandbox_daemon/fs/ls.rs"}, "region": {"startLine": 115}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132719, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0dfc699fbcc20a5bd9c724280605b0bb4ad0863faee61e97bf1095b460e6410f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/sandbox_daemon/fs/grep.rs", "duplicate_line": 126, "correlation_key": "fp|0dfc699fbcc20a5bd9c724280605b0bb4ad0863faee61e97bf1095b460e6410f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/sandbox_daemon/fs/ls.rs"}, "region": {"startLine": 93}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132718, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3313a5ac07759b4b87df6bc683bd8c330919a1733f00e5410fd9f02c8c133b2f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/sandbox_daemon/fs/chmod.rs", "duplicate_line": 35, "correlation_key": "fp|3313a5ac07759b4b87df6bc683bd8c330919a1733f00e5410fd9f02c8c133b2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/sandbox_daemon/fs/ls.rs"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132717, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1a5ab1f1feb791bb623700c6e848a6ad130c32b1267a07e6473ecdedbe3a9fe3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"crates/iii-worker/src/sandbox_daemon/exec.rs", "duplicate_line": 180, "correlation_key": "fp|1a5ab1f1feb791bb623700c6e848a6ad130c32b1267a07e6473ecdedbe3a9fe3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/sandbox_daemon/fs/grep.rs"}, "region": {"startLine": 148}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132716, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d308cdb2138dcfdb66646d1eca987d117b57f2ff69a404eb451aa46782d0f420", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/sandbox_daemon/fs/chmod.rs", "duplicate_line": 35, "correlation_key": "fp|d308cdb2138dcfdb66646d1eca987d117b57f2ff69a404eb451aa46782d0f420"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/sandbox_daemon/fs/grep.rs"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132715, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5f5da4ba988ae03c6ced6cc08d47ff6eeab63f3a1c3834e2c8355e3cd48359f3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/sandbox_daemon/exec.rs", "duplicate_line": 180, "correlation_key": 
"fp|5f5da4ba988ae03c6ced6cc08d47ff6eeab63f3a1c3834e2c8355e3cd48359f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/sandbox_daemon/fs/chmod.rs"}, "region": {"startLine": 125}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132714, "scanner": "repobility-ai-code-hygiene", "fingerprint": "99cb202c6e715cc3dd7674f209145170ca429f9b534d7ef9ca9262b7fb1f3cb3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/core/remove.rs", "duplicate_line": 98, "correlation_key": "fp|99cb202c6e715cc3dd7674f209145170ca429f9b534d7ef9ca9262b7fb1f3cb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/core/update.rs"}, "region": {"startLine": 94}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132713, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a08fc1e9f7f2877c727f1e3976e2bbca618bcb90969886561aa33ccad71a0cb3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/core/host.rs", "duplicate_line": 82, "correlation_key": "fp|a08fc1e9f7f2877c727f1e3976e2bbca618bcb90969886561aa33ccad71a0cb3"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "crates/iii-worker/src/core/update.rs"}, "region": {"startLine": 66}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132712, "scanner": "repobility-ai-code-hygiene", "fingerprint": "64112d4cf8c20f2f3c1d65c5e2b2b4f620d3a86e4a8900ae82c4958bb285a9f6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/core/clear.rs", "duplicate_line": 39, "correlation_key": "fp|64112d4cf8c20f2f3c1d65c5e2b2b4f620d3a86e4a8900ae82c4958bb285a9f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/core/update.rs"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132711, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ccfeb4fc8387f8406cf66b338d2c8927960f36512c02e519cf9e76405536db71", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/core/remove.rs", "duplicate_line": 98, "correlation_key": "fp|ccfeb4fc8387f8406cf66b338d2c8927960f36512c02e519cf9e76405536db71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/core/stop.rs"}, "region": {"startLine": 99}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 132710, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ab38624c437104e82cd95ca0d8004bc77a1f61d16e0fe5905045a257ac22ff37", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/core/clear.rs", "duplicate_line": 40, "correlation_key": "fp|ab38624c437104e82cd95ca0d8004bc77a1f61d16e0fe5905045a257ac22ff37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/core/stop.rs"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132709, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bba6f934acfbb558461ce50810f3c5ff9cf4f2460b940f7a9a0c9fda3a49b3e2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/core/start.rs", "duplicate_line": 41, "correlation_key": "fp|bba6f934acfbb558461ce50810f3c5ff9cf4f2460b940f7a9a0c9fda3a49b3e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/core/stop.rs"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132708, "scanner": "repobility-ai-code-hygiene", 
"fingerprint": "10f34461d418b15289f36c5400a6192a493110ebc3ce81ce366e66be4348575b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/core/remove.rs", "duplicate_line": 98, "correlation_key": "fp|10f34461d418b15289f36c5400a6192a493110ebc3ce81ce366e66be4348575b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/core/start.rs"}, "region": {"startLine": 100}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132707, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f0bc7720dd55d88b9e20f7098fe3619bb8a603dea288ccad9c55471116dd7444", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/core/clear.rs", "duplicate_line": 40, "correlation_key": "fp|f0bc7720dd55d88b9e20f7098fe3619bb8a603dea288ccad9c55471116dd7444"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/core/start.rs"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132706, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0a11d91497c8246b860796759555e7b1a2421d3f20a79fde2c48471d8ee307cd", "category": "quality", "severity": "low", "confidence": 
0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/core/clear.rs", "duplicate_line": 41, "correlation_key": "fp|0a11d91497c8246b860796759555e7b1a2421d3f20a79fde2c48471d8ee307cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/core/remove.rs"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132705, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9877ea64fd994afb9937fa59d85f1c008feab3318b9c75468bc38e3242dc49cc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/core/host.rs", "duplicate_line": 113, "correlation_key": "fp|9877ea64fd994afb9937fa59d85f1c008feab3318b9c75468bc38e3242dc49cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/core/list.rs"}, "region": {"startLine": 61}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132704, "scanner": "repobility-ai-code-hygiene", "fingerprint": "258b55f0f826efe95257320300125fceab292cf2ff2fd5a410e16475a4bfa697", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different 
non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/core/clear.rs", "duplicate_line": 42, "correlation_key": "fp|258b55f0f826efe95257320300125fceab292cf2ff2fd5a410e16475a4bfa697"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/core/list.rs"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132703, "scanner": "repobility-ai-code-hygiene", "fingerprint": "585e05e23dab004e74241695238e1a434a939c29d78aee424e6fdc5d70d6c7a4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/iii-worker/src/cli/shell_relay.rs", "duplicate_line": 458, "correlation_key": "fp|585e05e23dab004e74241695238e1a434a939c29d78aee424e6fdc5d70d6c7a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/cli/vm_boot.rs"}, "region": {"startLine": 276}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132702, "scanner": "repobility-ai-code-hygiene", "fingerprint": "60869fcd8de66110cf34f75571b5661a44a931a13363903d666e4aec36e4e1b1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "crates/iii-filesystem/src/backends/passthroughfs/builder.rs", "duplicate_line": 58, "correlation_key": "fp|60869fcd8de66110cf34f75571b5661a44a931a13363903d666e4aec36e4e1b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-filesystem/src/backends/passthroughfs/mod.rs"}, "region": {"startLine": 72}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132701, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2366f26a9207963ab89b11bc46c6bbe496140c86ff254dedb3b88c38e6ad8623", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "console/packages/console-frontend/src/routes/config.tsx", "duplicate_line": 306, "correlation_key": "fp|2366f26a9207963ab89b11bc46c6bbe496140c86ff254dedb3b88c38e6ad8623"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "console/packages/console-frontend/src/routes/traces.tsx"}, "region": {"startLine": 208}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132700, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d0ad296430726733cc510ba3aef69e96fe72fda1e0cbc7d93df309b1c9ed07ff", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"console/packages/console-frontend/src/routes/config.tsx", "duplicate_line": 310, "correlation_key": "fp|d0ad296430726733cc510ba3aef69e96fe72fda1e0cbc7d93df309b1c9ed07ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "console/packages/console-frontend/src/routes/functions.tsx"}, "region": {"startLine": 249}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 132699, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ec4e47e921d672a8f140eefeab376043424a2c2f167aa185497f8c6fb8a77c25", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "console/packages/console-frontend/src/components/traces/SpanBaggageTab.tsx", "duplicate_line": 57, "correlation_key": "fp|ec4e47e921d672a8f140eefeab376043424a2c2f167aa185497f8c6fb8a77c25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "console/packages/console-frontend/src/components/traces/SpanTagsTab.tsx"}, "region": {"startLine": 180}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 132697, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cdc7d70441e5121d356d7e3b6c531c09dcf7d431ae80a11da526762cc3df0cf2", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "temp", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": 
"fp|cdc7d70441e5121d356d7e3b6c531c09dcf7d431ae80a11da526762cc3df0cf2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/src/workers/secure_temp.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 132673, "scanner": "repobility-threat-engine", "fingerprint": "dd8df5137ca40c2549cc26f2c2c8e95f3aa1a2a35523137841bfd96fe3551958", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'https://' + redirectHost + '/blog/'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dd8df5137ca40c2549cc26f2c2c8e95f3aa1a2a35523137841bfd96fe3551958"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/terraform/website/cloudfront_functions/redirects.js"}, "region": {"startLine": 90}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `build_payload` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: and=1, except=1, if=4, or=5, ternary=2."}, "properties": {"repobilityId": 132605, "scanner": "repobility-threat-engine", "fingerprint": "913042ea1f4a17a265455bca73d43f29fce990d8b33ffb09a114d0d7d641112f", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 13 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "build_payload", "breakdown": {"if": 4, "or": 5, "and": 1, "except": 1, "ternary": 2}, "complexity": 13, "correlation_key": "fp|913042ea1f4a17a265455bca73d43f29fce990d8b33ffb09a114d0d7d641112f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/build_engine_publish_payload.py"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 132695, "scanner": "repobility-threat-engine", "fingerprint": "c023ab5832ea4abb0be70f1b9c2d566a8d49fc8a3e6b27f29a640895fe7035af", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c023ab5832ea4abb0be70f1b9c2d566a8d49fc8a3e6b27f29a640895fe7035af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "website/posthog-consent.js"}, "region": 
{"startLine": 8}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 132691, "scanner": "repobility-threat-engine", "fingerprint": "bb073d169e432edd80ad520c2365fa126e348646d562af5169f91fd938623995", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|bb073d169e432edd80ad520c2365fa126e348646d562af5169f91fd938623995", "aggregated_count": 3}}}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 132690, "scanner": "repobility-threat-engine", "fingerprint": "bbd8ea2728fe9bfaafac6046526b4a2148e4c2947644460c89600fd17393d2b7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|bbd8ea2728fe9bfaafac6046526b4a2148e4c2947644460c89600fd17393d2b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/types.py"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 132689, "scanner": "repobility-threat-engine", "fingerprint": "21d7becf0b079bf171e7422df937029932a8b54c5f0a1e4f432e4cb861d128c4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|21d7becf0b079bf171e7422df937029932a8b54c5f0a1e4f432e4cb861d128c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/iii_constants.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 132688, "scanner": "repobility-threat-engine", "fingerprint": "828122ca7d24d0fe4f4c3dc2d9ac83ef0cdb92a0d42e40262365ab951d38a4d1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": 
"2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|828122ca7d24d0fe4f4c3dc2d9ac83ef0cdb92a0d42e40262365ab951d38a4d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/channels.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED001", "level": "none", "message": {"text": "[MINED001] Bare Except Pass (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 132687, "scanner": "repobility-threat-engine", "fingerprint": "95cc9797c40c926759aaa04a4225f0a4ae4f9faafb543c58446c2f46cd9cfe9e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|95cc9797c40c926759aaa04a4225f0a4ae4f9faafb543c58446c2f46cd9cfe9e", "aggregated_count": 2}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 132683, "scanner": "repobility-threat-engine", "fingerprint": "50406309e3101c911d59a3045c7bd41e083f0c20641ab6d2cbf99c80311d7d9e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|50406309e3101c911d59a3045c7bd41e083f0c20641ab6d2cbf99c80311d7d9e", "aggregated_count": 7}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 132682, "scanner": "repobility-threat-engine", "fingerprint": "e1b9ad2d2cc2f24ba41dce91c0e3c7a331724beafe6884f833dd6d96c1e12bbd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e1b9ad2d2cc2f24ba41dce91c0e3c7a331724beafe6884f833dd6d96c1e12bbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/otel_worker_gauges.py"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 132681, "scanner": "repobility-threat-engine", "fingerprint": "9cf476c11b2eaa073e6928592a2ad318e3194d692fa05cdcc849b417b3a0f31c", 
"category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9cf476c11b2eaa073e6928592a2ad318e3194d692fa05cdcc849b417b3a0f31c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/channels.py"}, "region": {"startLine": 225}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 132680, "scanner": "repobility-threat-engine", "fingerprint": "2b5ccb7be07c8abdb609a254ef4b6b058f6d2704045095dbad430c8c6c363f47", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2b5ccb7be07c8abdb609a254ef4b6b058f6d2704045095dbad430c8c6c363f47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii-example/src/trigger_types.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: 
UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable. UUIDv3 is an MD5 hash of a namespace and a name, so anyone who knows both inputs can recompute it."}, "properties": {"repobilityId": 132679, "scanner": "repobility-threat-engine", "fingerprint": "a19b0725aa4cdcc9355d4fea6af5174d8bf1ddce9c66d6387cea78ab5144cb3f", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|84|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/node/iii-example/src/middleware-example.ts"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 132678, "scanner": "repobility-threat-engine", "fingerprint": "b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 132677, "scanner": "repobility-threat-engine", "fingerprint": "74a1eeff8b9c502087a619cd5aa071b56945b0f7cf34cbb57c4b1fb247d15f6d", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.error(`[OTel] Max retries (${this.config.maxRetries})", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|10|console.error otel max retries this.config.maxretries"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/node/observability/src/telemetry-system/connection.ts"}, "region": {"startLine": 108}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 132676, "scanner": "repobility-threat-engine", "fingerprint": "c1f3df35ff34ad2747c8b94bcedeee24c91ba505fde65d387cceb0526836d8df", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log(`[webhook] Registered trigger ${config.id} -> ${config.function_id}`)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|4|console.log webhook registered trigger config.id - config.function_id"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/node/iii-example/src/trigger-types.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 132675, "scanner": "repobility-threat-engine", "fingerprint": "a93176ad2aa111241aa4ae93619fff40abee9c7cd15a2d7b668eb8404a6ce3e7", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "logger.warn('Auth middleware rejected request: missing or invalid token')", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|1|logger.warn auth middleware rejected request: missing or invalid token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/node/iii-example/src/middleware-example.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 132674, "scanner": "repobility-threat-engine", "fingerprint": "eda166bb493a2b03fd04b501a986d2586e2e29e2c0404a7b66be6e99d4d8ea3b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|eda166bb493a2b03fd04b501a986d2586e2e29e2c0404a7b66be6e99d4d8ea3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/go/iii-example/main.go"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 132659, "scanner": "repobility-threat-engine", "fingerprint": "77c15976f0768a666e6053652fdae4975605bc47b9aed04f29b3262667fd5d8b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|77c15976f0768a666e6053652fdae4975605bc47b9aed04f29b3262667fd5d8b", "aggregated_count": 5}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: `: any` used as a type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 132658, "scanner": "repobility-threat-engine", "fingerprint": "6ea1d065c3c9bcb44b1c2b82196242b0b6e98bb32debfea63032525d4de3a0d8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6ea1d065c3c9bcb44b1c2b82196242b0b6e98bb32debfea63032525d4de3a0d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/node/iii-browser/src/state.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: `: any` used as a type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 132657, "scanner": "repobility-threat-engine", "fingerprint": "705fe68f176f05267a2518cd45fd5bdbf3a162ba84b14d0aafdcb69b7203c70f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|705fe68f176f05267a2518cd45fd5bdbf3a162ba84b14d0aafdcb69b7203c70f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/0-11-0/scripts/parsers/parse-typedoc.mts"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: `: any` used as a type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 132656, "scanner": "repobility-threat-engine", "fingerprint": "4b0cbe2b23eac48919de59102122edec53d30e108ab69c0b0ea58c569cc2e5e2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4b0cbe2b23eac48919de59102122edec53d30e108ab69c0b0ea58c569cc2e5e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/0-11-0/scripts/parsers/parse-griffe.mts"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 132655, "scanner": "repobility-threat-engine", "fingerprint": "8d22d234ff6e522558f501e2b961809b56638e20faacee3f5f64166e5b05aa03", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8d22d234ff6e522558f501e2b961809b56638e20faacee3f5f64166e5b05aa03", "aggregated_count": 2}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 132654, "scanner": "repobility-threat-engine", "fingerprint": "af0d4c092883eb9e79c82c9c08dd372ba3b76a1c8f035c8a19e4ae76f6726852", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|af0d4c092883eb9e79c82c9c08dd372ba3b76a1c8f035c8a19e4ae76f6726852"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/0-11-0/scripts/parsers/parse-typedoc.mts"}, "region": {"startLine": 217}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 132653, "scanner": "repobility-threat-engine", "fingerprint": "62f9d4d10d697aedc961ce2360098f02ef0abadf843fad14a24e25b026286e40", "category": "quality", "severity": "info", "confidence": 1.0, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|62f9d4d10d697aedc961ce2360098f02ef0abadf843fad14a24e25b026286e40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/0-11-0/scripts/parsers/parse-griffe.mts"}, "region": {"startLine": 277}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 132652, "scanner": "repobility-threat-engine", "fingerprint": "f3f30fff80df7a2553d8162d529d2e6eb463fa05ad5e3d96754cf4be6d785a0d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f3f30fff80df7a2553d8162d529d2e6eb463fa05ad5e3d96754cf4be6d785a0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/0-11-0/scripts/generate-api-docs.mts"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED012", "level": "none", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... 
| sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 132651, "scanner": "repobility-threat-engine", "fingerprint": "2ff5a3eaed642484dacff08ee235ab12b28ddde1d69f9447004fd140d72f27d9", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2ff5a3eaed642484dacff08ee235ab12b28ddde1d69f9447004fd140d72f27d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/scaffolder-core/src/templates/version.rs"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED041", "level": "none", "message": {"text": "[MINED041] Rust Unimplemented Macro (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 132649, "scanner": "repobility-threat-engine", "fingerprint": "4fb4c57484bd71620deb694a4a1fd13f5fbc94b7b5f8d6c8a569a4cd47dca28b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4fb4c57484bd71620deb694a4a1fd13f5fbc94b7b5f8d6c8a569a4cd47dca28b", "aggregated_count": 14}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 132645, "scanner": "repobility-threat-engine", "fingerprint": "7fd12ada36c86d817e19d32eb5e0cec3762be6360d65b1ecaacf5780cd28f230", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7fd12ada36c86d817e19d32eb5e0cec3762be6360d65b1ecaacf5780cd28f230", "aggregated_count": 14}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 132644, "scanner": "repobility-threat-engine", "fingerprint": "c82235aa1a5035bae87ddb90bbcfae74002ea89a87f59d716f094eb48afbcd24", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c82235aa1a5035bae87ddb90bbcfae74002ea89a87f59d716f094eb48afbcd24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-filesystem/src/backends/passthroughfs/dir_ops.rs"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 132643, "scanner": "repobility-threat-engine", "fingerprint": "f15a9efef982097c72f9c3d78b6d2f40963c3307220693229b868addb5d5ad8b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f15a9efef982097c72f9c3d78b6d2f40963c3307220693229b868addb5d5ad8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-filesystem/src/backends/passthroughfs/create_ops.rs"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 132642, "scanner": "repobility-threat-engine", "fingerprint": "da817d1fe1e0a426cab36ddc0fe288d1375f1087ca0b485f0a94ac37324247f4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|da817d1fe1e0a426cab36ddc0fe288d1375f1087ca0b485f0a94ac37324247f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-filesystem/src/backends/passthroughfs/builder.rs"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 132641, "scanner": "repobility-threat-engine", "fingerprint": "710db83a0fa2fbf02d58226a9b8e6028514cc32e6ef252254cf97177f4e0795b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|710db83a0fa2fbf02d58226a9b8e6028514cc32e6ef252254cf97177f4e0795b", "aggregated_count": 11}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 132640, "scanner": "repobility-threat-engine", "fingerprint": "5a0839c099bf591a6c712b9ea665d06e2114989d75b8f8ce4487eb8db3f3508b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5a0839c099bf591a6c712b9ea665d06e2114989d75b8f8ce4487eb8db3f3508b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-supervisor/src/control.rs"}, "region": {"startLine": 219}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 132639, "scanner": "repobility-threat-engine", "fingerprint": "fe73c9a7e263e86d71a77f9a29bb2281421f6948cadcc4a181c566fc2e853b21", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fe73c9a7e263e86d71a77f9a29bb2281421f6948cadcc4a181c566fc2e853b21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-init/src/rlimit.rs"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 132638, "scanner": "repobility-threat-engine", "fingerprint": "6e51d7ad6fd5ff423429797cd46e0ab05ea93cee8d5f0a3a7ce4261a6f23c599", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6e51d7ad6fd5ff423429797cd46e0ab05ea93cee8d5f0a3a7ce4261a6f23c599"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "console/packages/console-rust/build.rs"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 51 more): Same pattern found in 51 additional files. Review if needed."}, "properties": {"repobilityId": 132637, "scanner": "repobility-threat-engine", "fingerprint": "2698be2fc343d0a5b9300b2a6446769143f36b187d02eaa483b768e0ef333dbb", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 51 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2698be2fc343d0a5b9300b2a6446769143f36b187d02eaa483b768e0ef333dbb", "aggregated_count": 51}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 132636, "scanner": "repobility-threat-engine", "fingerprint": "5592521237094d6d38a82f47c00d2a2f5de7aa6ad42ad4a976788a99b6d4d279", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5592521237094d6d38a82f47c00d2a2f5de7aa6ad42ad4a976788a99b6d4d279"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "console/packages/console-rust/src/server.rs"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 132635, "scanner": "repobility-threat-engine", "fingerprint": "9214bc5c1285161d665c1d0bceb5c1efb240b48f43e18a3c46e1e103f0f13585", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9214bc5c1285161d665c1d0bceb5c1efb240b48f43e18a3c46e1e103f0f13585"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "console/packages/console-rust/src/main.rs"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 132634, "scanner": "repobility-threat-engine", "fingerprint": "49dec8f99c2ac0498d944264fd3464edc4f053442fca8d556b1534238770dfc3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|49dec8f99c2ac0498d944264fd3464edc4f053442fca8d556b1534238770dfc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "console/packages/console-rust/build.rs"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 101 more): Same pattern found in 101 additional files. Review if needed."}, "properties": {"repobilityId": 132633, "scanner": "repobility-threat-engine", "fingerprint": "c483d1f2d67b1005406933562d07b22aea03594c2e2e3bf7d71cc2e8251733c0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 101 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c483d1f2d67b1005406933562d07b22aea03594c2e2e3bf7d71cc2e8251733c0", "aggregated_count": 101}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 132629, "scanner": "repobility-threat-engine", "fingerprint": "8bf19c453e7818e14ce45500f50971fc3b80ac3f53d28df113608305832f8668", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8bf19c453e7818e14ce45500f50971fc3b80ac3f53d28df113608305832f8668"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "console/packages/console-frontend/src/routeTree.gen.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. 
Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 132624, "scanner": "repobility-threat-engine", "fingerprint": "28de840d6620347eb8e22aadf979b7737efc13deb2cda46e9f7abba6dd19f723", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|28de840d6620347eb8e22aadf979b7737efc13deb2cda46e9f7abba6dd19f723"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/terraform/website/cloudfront.tf"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. 
Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 132623, "scanner": "repobility-threat-engine", "fingerprint": "350cca20880069e4ab11d8f31dff44c5ec5d5ec2bfb3f49973732ced6d719c8d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|350cca20880069e4ab11d8f31dff44c5ec5d5ec2bfb3f49973732ced6d719c8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "console/packages/console-frontend/src/api/utils.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts that the value is not null, which bypasses the compiler's null checks and leads to a runtime TypeError if the assertion is wrong."}, "properties": {"repobilityId": 132622, "scanner": "repobility-threat-engine", "fingerprint": "7b2b4429dd719966f3ca3cc2b566ca346e2f73f0b067b8874217c5ea21f2aa2d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7b2b4429dd719966f3ca3cc2b566ca346e2f73f0b067b8874217c5ea21f2aa2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/node/iii-browser/src/channels.ts"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts that the value is not null, which bypasses the compiler's null checks and leads to a runtime TypeError if the assertion is wrong."}, "properties": {"repobilityId": 132621, "scanner": "repobility-threat-engine", "fingerprint": "78ee36c2259bd11b69207a6501a79e034d777f70e8ed5e2b978180fad93b32d8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|78ee36c2259bd11b69207a6501a79e034d777f70e8ed5e2b978180fad93b32d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/0-11-0/scripts/parsers/parse-typedoc.mts"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts that the value is not null, which bypasses the compiler's null checks and leads to a runtime TypeError if the assertion is wrong."}, "properties": {"repobilityId": 132620, "scanner": "repobility-threat-engine", "fingerprint": "66f917fa8aea0b27d170bd987ce6c835b2172409c46acd31fe60a5795ff29c55", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|66f917fa8aea0b27d170bd987ce6c835b2172409c46acd31fe60a5795ff29c55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "console/packages/console-frontend/src/api/utils.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 132619, "scanner": "repobility-threat-engine", "fingerprint": "0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "aggregated_count": 3}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 132618, "scanner": "repobility-threat-engine", "fingerprint": "33598ee799cbd541cf453192daa1c9a97867a087e9f6e27720c42c85f629666c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|33598ee799cbd541cf453192daa1c9a97867a087e9f6e27720c42c85f629666c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "console/packages/console-rust/src/server.rs"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 132617, "scanner": "repobility-threat-engine", "fingerprint": "66d23700a9b793265961ad2c6cfa61e17c2657e4519da5314afc88667a301691", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|66d23700a9b793265961ad2c6cfa61e17c2657e4519da5314afc88667a301691"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "console/packages/console-rust/src/proxy/http.rs"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 132616, "scanner": "repobility-threat-engine", "fingerprint": "7ea5ac5b2e06b0379a4ac2c56e03c35554792a3c65d5f168fe3badb5ec7fef00", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7ea5ac5b2e06b0379a4ac2c56e03c35554792a3c65d5f168fe3badb5ec7fef00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blog/src/pages/rss.xml.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 13 more): Same pattern found in 13 additional files. 
Review if needed."}, "properties": {"repobilityId": 132615, "scanner": "repobility-threat-engine", "fingerprint": "32a0c4b8eb59896358b09f6f62cfc62156eff6eb76004bde5c08520a91514dfe", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|32a0c4b8eb59896358b09f6f62cfc62156eff6eb76004bde5c08520a91514dfe", "aggregated_count": 13}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 132614, "scanner": "repobility-threat-engine", "fingerprint": "f24d204c54f06aea247f17b381d28bceef47e51e6520e27891fbf51eb4c88284", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f24d204c54f06aea247f17b381d28bceef47e51e6520e27891fbf51eb4c88284"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "console/packages/console-frontend/src/api/state/streams.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 132613, "scanner": "repobility-threat-engine", "fingerprint": "677e61b4165f7970d705f087543cc3b7be2180912861a845d8d8bcd614eab2d6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|677e61b4165f7970d705f087543cc3b7be2180912861a845d8d8bcd614eab2d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "console/packages/console-frontend/src/api/observability/traces.ts"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 132612, "scanner": "repobility-threat-engine", "fingerprint": "93898bba0f220ec1425daab4c26a508414df59050a05c362b4a810c14e69e21e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|93898bba0f220ec1425daab4c26a508414df59050a05c362b4a810c14e69e21e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/license-agreement-check.mjs"}, "region": {"startLine": 259}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 132611, "scanner": "repobility-threat-engine", "fingerprint": "0f70dcb830f007110a79342e3f81eda77503ccc94f6c49e7c60c391ea17cb0cb", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0f70dcb830f007110a79342e3f81eda77503ccc94f6c49e7c60c391ea17cb0cb"}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 132607, "scanner": "repobility-threat-engine", "fingerprint": "29306b5028b90ab8087937c717cb745fd7e07ab4ccb4b2237f19cccb49788ca3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "normalize_worker_interface", "breakdown": {"if": 7, "or": 4, "for": 2, "continue": 5, "nested_bonus": 5}, "aggregated": true, "complexity": 23, "correlation_key": "fp|29306b5028b90ab8087937c717cb745fd7e07ab4ccb4b2237f19cccb49788ca3", "aggregated_count": 9}}}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `engine/firmware/libkrunfw-linux-aarch64.so` committed in source repo: `engine/firmware/libkrunfw-linux-aarch64.so` is a .so binary (22,873,704 bytes) committed to a repo that otherwise has 845 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 132887, "scanner": "repobility-supply-chain", "fingerprint": "6dd83d333187edc9e519a71df4c678c0f9b781b3a23d090c7215500ea18c497c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6dd83d333187edc9e519a71df4c678c0f9b781b3a23d090c7215500ea18c497c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/firmware/libkrunfw-linux-aarch64.so"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `engine/firmware/libkrunfw-linux-x86_64.so` committed in source repo: `engine/firmware/libkrunfw-linux-x86_64.so` is a .so binary (19,203,768 bytes) committed to a repo that otherwise has 845 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 132886, "scanner": "repobility-supply-chain", "fingerprint": "c8026555cce90742a6b811aeac19963081f748b71305fef43fdb20d87d147927", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c8026555cce90742a6b811aeac19963081f748b71305fef43fdb20d87d147927"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/firmware/libkrunfw-linux-x86_64.so"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `engine/firmware/libkrunfw-darwin-aarch64.dylib` committed in source repo: `engine/firmware/libkrunfw-darwin-aarch64.dylib` is a .dylib binary (22,886,048 bytes) committed to a repo that otherwise has 845 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 132885, "scanner": "repobility-supply-chain", "fingerprint": "c4735bd0b4ef98268ddff79b42025a5fb7e05975fa8b634220418ad282e1cb98", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c4735bd0b4ef98268ddff79b42025a5fb7e05975fa8b634220418ad282e1cb98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/firmware/libkrunfw-darwin-aarch64.dylib"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `github.com/iii-hq/iii/sdk/packages/go/iii` \u2014 points to a LOCAL path: `replace github.com/iii-hq/iii/sdk/packages/go/iii => ../iii` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 132884, "scanner": "repobility-supply-chain", "fingerprint": "581a7695a410709af86f5e262b2f1234b69d7a4080edee82df09f316bf4629a0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|581a7695a410709af86f5e262b2f1234b69d7a4080edee82df09f316bf4629a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/go/iii-example/go.mod"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `rabbitmq:3-management-alpine` unpinned: `container/services image: rabbitmq:3-management-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 132880, "scanner": "repobility-supply-chain", "fingerprint": "0f4aa59040ddac1266a3aa09ebde26e27f83710f33c3d61d001d3906775d68f0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f4aa59040ddac1266a3aa09ebde26e27f83710f33c3d61d001d3906775d68f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 237}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `alpine:3.20` unpinned: `container/services image: alpine:3.20` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 132879, "scanner": "repobility-supply-chain", "fingerprint": "fdbf1ac5bd088e2f73b88e2c4ddceb427500f8588f22def4f91a77b100a8f949", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fdbf1ac5bd088e2f73b88e2c4ddceb427500f8588f22def4f91a77b100a8f949"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/install-sh.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 132878, "scanner": "repobility-supply-chain", "fingerprint": "642fc3b0148f68d2287e967854b272ea76847ae9729a90939b5b5c5e7656cf7f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|642fc3b0148f68d2287e967854b272ea76847ae9729a90939b5b5c5e7656cf7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-iii.yml"}, "region": {"startLine": 345}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 132877, "scanner": "repobility-supply-chain", "fingerprint": "79bbbc7590def7a5b0b5bde565db33cee0253ba246742877df09975cc01d8e09", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|79bbbc7590def7a5b0b5bde565db33cee0253ba246742877df09975cc01d8e09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-iii.yml"}, "region": {"startLine": 344}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v2`: `uses: softprops/action-gh-release@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 132876, "scanner": "repobility-supply-chain", "fingerprint": "905731192b5ec26ca07886166df5d64ca044035b23318133834255e8c7935405", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|905731192b5ec26ca07886166df5d64ca044035b23318133834255e8c7935405"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-iii.yml"}, "region": {"startLine": 274}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 132875, "scanner": "repobility-supply-chain", "fingerprint": "4620350bd48daa3b4782dfdead5b6978a19f5378f357bd25ae2467619ecd551d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4620350bd48daa3b4782dfdead5b6978a19f5378f357bd25ae2467619ecd551d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-iii.yml"}, "region": {"startLine": 242}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v2`: `uses: actions/create-github-app-token@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 132874, "scanner": "repobility-supply-chain", "fingerprint": "b1a534aa8784d830507a85eb8853f84b3a948842ff626a16e42df50af0bacc4d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b1a534aa8784d830507a85eb8853f84b3a948842ff626a16e42df50af0bacc4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-iii.yml"}, "region": {"startLine": 238}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v2`: `uses: softprops/action-gh-release@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 132873, "scanner": "repobility-supply-chain", "fingerprint": "8fc854dabe7267c6323f37331724103427b715fb84acf81af5a735f640817904", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8fc854dabe7267c6323f37331724103427b715fb84acf81af5a735f640817904"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-iii.yml"}, "region": {"startLine": 205}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 132872, "scanner": "repobility-supply-chain", "fingerprint": "eec4fa5c273b9627f11b804bc409b0af8171299c15365a7630a3c0fafdea5f2c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eec4fa5c273b9627f11b804bc409b0af8171299c15365a7630a3c0fafdea5f2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-iii.yml"}, "region": {"startLine": 180}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 132871, "scanner": "repobility-supply-chain", "fingerprint": "a983e8e309671345e3cb6871820474de74ef8092265ebe52c14e9b5e78ee9e9a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a983e8e309671345e3cb6871820474de74ef8092265ebe52c14e9b5e78ee9e9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-iii.yml"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 132870, "scanner": "repobility-supply-chain", "fingerprint": "f565ce5148aaa78706804a1271bd83a78d57a2b79cc8e4b767932a08679f8102", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f565ce5148aaa78706804a1271bd83a78d57a2b79cc8e4b767932a08679f8102"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-iii.yml"}, "region": {"startLine": 167}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"repobilityId": 132869, "scanner": "repobility-supply-chain", "fingerprint": "9ce14fea9a4a250a47dd48ffa1097a30ddcb055f7c3e878e6dd8eb7c20fd18a7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9ce14fea9a4a250a47dd48ffa1097a30ddcb055f7c3e878e6dd8eb7c20fd18a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-iii.yml"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v2`: `uses: actions/create-github-app-token@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132868, "scanner": "repobility-supply-chain", "fingerprint": "62dbf8bcf0e75b88e49f135014078e06a5194165dfd8367362206b9b297a10d2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|62dbf8bcf0e75b88e49f135014078e06a5194165dfd8367362206b9b297a10d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-iii.yml"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v2`: `uses: softprops/action-gh-release@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132867, "scanner": "repobility-supply-chain", "fingerprint": "eee57e647bc944bac4012a1f4a7afc1c2c41a80e1e17cc53a248d32a758cf3cf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eee57e647bc944bac4012a1f4a7afc1c2c41a80e1e17cc53a248d32a758cf3cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-iii.yml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132866, "scanner": "repobility-supply-chain", "fingerprint": "d0aa9b49ed871f6a9a27da240e23b984c5139f34e34a012cdcc79d8311672fa1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d0aa9b49ed871f6a9a27da240e23b984c5139f34e34a012cdcc79d8311672fa1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-iii.yml"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v2`: `uses: actions/create-github-app-token@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132865, "scanner": "repobility-supply-chain", "fingerprint": "fe469c4f3a4392b09e26fecef856adf44ca4984fbaa2c77711fc6aa7eeb050dc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fe469c4f3a4392b09e26fecef856adf44ca4984fbaa2c77711fc6aa7eeb050dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-iii.yml"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `slackapi/slack-github-action` pinned to mutable ref `@v2.0.0`: `uses: slackapi/slack-github-action@v2.0.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132864, "scanner": "repobility-supply-chain", "fingerprint": "ae09e57af0703b713d19221b315bc4fc761b4c0bbc52fbdc7817f073cff2c261", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae09e57af0703b713d19221b315bc4fc761b4c0bbc52fbdc7817f073cff2c261"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-iii.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132863, "scanner": "repobility-supply-chain", "fingerprint": "95278951ac8cf2ab58895f6d7ec8ce1ad5d146909647046167b1bfebf518ee70", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|95278951ac8cf2ab58895f6d7ec8ce1ad5d146909647046167b1bfebf518ee70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/checklist-checker.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132862, "scanner": "repobility-supply-chain", "fingerprint": "bae91c7e11972f85b4736820afebd260bf4adbfa889939884390b408aa0f503a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bae91c7e11972f85b4736820afebd260bf4adbfa889939884390b408aa0f503a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/checklist-checker.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `slackapi/slack-github-action` pinned to mutable ref `@v2.0.0`: `uses: slackapi/slack-github-action@v2.0.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132861, "scanner": "repobility-supply-chain", "fingerprint": "1284c812da649324ccba8099b455afd75aaeb2b3a46f18af42cf75da7380ea3a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1284c812da649324ccba8099b455afd75aaeb2b3a46f18af42cf75da7380ea3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-engine.yml"}, "region": {"startLine": 237}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `slackapi/slack-github-action` pinned to mutable ref `@v2.0.0`: `uses: slackapi/slack-github-action@v2.0.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132860, "scanner": "repobility-supply-chain", "fingerprint": "ac31fda324382d1b649f1cc4fcd7bcd9fa03864d7c99cec300cee45f8f508f26", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ac31fda324382d1b649f1cc4fcd7bcd9fa03864d7c99cec300cee45f8f508f26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-engine.yml"}, "region": {"startLine": 202}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `aquasecurity/trivy-action` pinned to mutable ref `@0.35.0`: `uses: aquasecurity/trivy-action@0.35.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132859, "scanner": "repobility-supply-chain", "fingerprint": "e2d09e12ad201714eb4ba048b726a24a82ff8fec01eca5d6e207f230796347b2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2d09e12ad201714eb4ba048b726a24a82ff8fec01eca5d6e207f230796347b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-engine.yml"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/upload-sarif` pinned to mutable ref `@v3`: `uses: github/codeql-action/upload-sarif@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132858, "scanner": "repobility-supply-chain", "fingerprint": "200ea4d6cf3076ca4cde4951360d686733e20f74344f628491d0c7cf4ed21cfa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|200ea4d6cf3076ca4cde4951360d686733e20f74344f628491d0c7cf4ed21cfa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-engine.yml"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `aquasecurity/trivy-action` pinned to mutable ref `@0.35.0`: `uses: aquasecurity/trivy-action@0.35.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132857, "scanner": "repobility-supply-chain", "fingerprint": "48c554eb88d3cb24b44ce9254a2e56ee27b2ab172adce7633e42c9b0b27b5304", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|48c554eb88d3cb24b44ce9254a2e56ee27b2ab172adce7633e42c9b0b27b5304"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-engine.yml"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132856, "scanner": "repobility-supply-chain", "fingerprint": "01b5f02de249df2ef3d7d8a687da86e6d556504b622151b3f335261da8bac0b4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|01b5f02de249df2ef3d7d8a687da86e6d556504b622151b3f335261da8bac0b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-engine.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132855, "scanner": "repobility-supply-chain", "fingerprint": "960e32b6181f1bae43f7f24840db9186e9ff948fb1a0a080eaa68a14c14b46bf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|960e32b6181f1bae43f7f24840db9186e9ff948fb1a0a080eaa68a14c14b46bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloudfront-functions-test.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132854, "scanner": "repobility-supply-chain", "fingerprint": "e4b558b0b44319d9b8af1d2265efdef4ee2368b9f31e82be915d89bc730d782e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e4b558b0b44319d9b8af1d2265efdef4ee2368b9f31e82be915d89bc730d782e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloudfront-functions-test.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `iiidev/iii:latest` not pinned by digest: `FROM iiidev/iii:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132853, "scanner": "repobility-supply-chain", "fingerprint": "41ff5c648bb2deda481347e0a5fa8f66508bf86d1d63c20d3fdedc1fe6bd0589", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|41ff5c648bb2deda481347e0a5fa8f66508bf86d1d63c20d3fdedc1fe6bd0589"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/tests/fixtures/templates/docker/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-slim` not pinned by digest: `FROM node:24-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132852, "scanner": "repobility-supply-chain", "fingerprint": "22b9ac61b3d37b061b0754cb3e7592ccf347a111483c6e91c7d2576f1fffdcd2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|22b9ac61b3d37b061b0754cb3e7592ccf347a111483c6e91c7d2576f1fffdcd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/images/node/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.12-slim` not pinned by digest: `FROM python:3.12-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132851, "scanner": "repobility-supply-chain", "fingerprint": "e28917bba7fab44388a8b13be0184e117e2394804d7fc908d8bc06bd4cbb7661", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e28917bba7fab44388a8b13be0184e117e2394804d7fc908d8bc06bd4cbb7661"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/images/python/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v4.6.0`: `.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v4.6.0`. 
If `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine. Pin `rev` to a full commit SHA instead (for example with `pre-commit autoupdate --freeze`, which writes the commit hash in place of the tag name)."}, "properties": {"repobilityId": 132850, "scanner": "repobility-supply-chain", "fingerprint": "119fc358b31a8c7856c29476dd05e996ca3e302407a0444c256dac05f698cefc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|119fc358b31a8c7856c29476dd05e996ca3e302407a0444c256dac05f698cefc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/.pre-commit-config.yaml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/doublify/pre-commit-rust` pinned to mutable rev `v1.0`: `.pre-commit-config.yaml` references `https://github.com/doublify/pre-commit-rust` at `rev: v1.0`. 
If `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine. Pin `rev` to a full commit SHA instead (for example with `pre-commit autoupdate --freeze`, which writes the commit hash in place of the tag name)."}, "properties": {"repobilityId": 132849, "scanner": "repobility-supply-chain", "fingerprint": "8bc9438f265f9bc9b02dd1c75547950b05d1f6dd50a3735f5664d1e6ff070e30", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8bc9438f265f9bc9b02dd1c75547950b05d1f6dd50a3735f5664d1e6ff070e30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/.pre-commit-config.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `gcr.io/distroless/cc-debian12:nonroot` not pinned by digest: `FROM gcr.io/distroless/cc-debian12:nonroot` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132848, "scanner": "repobility-supply-chain", "fingerprint": "6214a985b02c403ffa054d4361539a344879cb7b16679f0c6292d2d8301259b5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6214a985b02c403ffa054d4361539a344879cb7b16679f0c6292d2d8301259b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132847, "scanner": "repobility-supply-chain", "fingerprint": "1c50322eb89690089a1643e346cb1768e2999002eb5f1a9591f8a4affebfb732", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1c50322eb89690089a1643e346cb1768e2999002eb5f1a9591f8a4affebfb732"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/Dockerfile.debug"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `rust:slim-bookworm` not pinned by digest: `FROM rust:slim-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132846, "scanner": "repobility-supply-chain", "fingerprint": "be61170366ed44188750a75f0738eab71b0ad97cde1eccc42f0fb80e28c9eceb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be61170366ed44188750a75f0738eab71b0ad97cde1eccc42f0fb80e28c9eceb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/Dockerfile.debug"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v4.5.0`: `.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v4.5.0`. 
If `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine. Pin `rev` to a full commit SHA instead (for example with `pre-commit autoupdate --freeze`, which writes the commit hash in place of the tag name)."}, "properties": {"repobilityId": 132845, "scanner": "repobility-supply-chain", "fingerprint": "d64ee726403c53a9cbef08a12e56fad3c1c3c3fb097420b09f3417f9a0f87136", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d64ee726403c53a9cbef08a12e56fad3c1c3c3fb097420b09f3417f9a0f87136"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/.pre-commit-config.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._send` used but never assigned in __init__: Method `_on_connected` of class `III` reads `self._send`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132840, "scanner": "repobility-ast-engine", "fingerprint": "6fb7cbed85007e6d23b16dd44c54611cd56e611ae17e33480df4abcebf2fe706", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6fb7cbed85007e6d23b16dd44c54611cd56e611ae17e33480df4abcebf2fe706"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/iii.py"}, "region": {"startLine": 343}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._receive_loop` used but never assigned in __init__: Method `_on_connected` of class `III` reads `self._receive_loop`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132839, "scanner": "repobility-ast-engine", "fingerprint": "4d349fbf92b9715f3869424a6d66319a12de012c4a77e3ad80d9bcf848d9b35b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4d349fbf92b9715f3869424a6d66319a12de012c4a77e3ad80d9bcf848d9b35b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/iii.py"}, "region": {"startLine": 358}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._register_worker_metadata` used but never assigned in __init__: Method `_on_connected` of class `III` reads `self._register_worker_metadata`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132838, "scanner": "repobility-ast-engine", "fingerprint": "a5fc0e74c10af47a62c978241f40dd6a4eb68e4f4204eab947e99ca2eb11a60e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a5fc0e74c10af47a62c978241f40dd6a4eb68e4f4204eab947e99ca2eb11a60e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/iii.py"}, "region": {"startLine": 356}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._set_connection_state` used but never assigned in __init__: Method `_on_connected` of class `III` reads `self._set_connection_state`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132837, "scanner": "repobility-ast-engine", "fingerprint": "45194e378152177cfc4ec108e67a707b4ca903045a286b3b05da08004f65178d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|45194e378152177cfc4ec108e67a707b4ca903045a286b3b05da08004f65178d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/iii.py"}, "region": {"startLine": 340}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._do_connect` used but never assigned in __init__: Method `_reconnect_loop` of class `III` reads `self._do_connect`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132836, "scanner": "repobility-ast-engine", "fingerprint": "b8bd423e160555576108c5a68524321f40a851712cd9a842659352439292e42f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b8bd423e160555576108c5a68524321f40a851712cd9a842659352439292e42f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/iii.py"}, "region": {"startLine": 336}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._set_connection_state` used but never assigned in __init__: Method `_reconnect_loop` of class `III` reads `self._set_connection_state`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132835, "scanner": "repobility-ast-engine", "fingerprint": "031617324143b3be79e442ca49c50992c3bdc0517ca01d72c39981f5de1f3335", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|031617324143b3be79e442ca49c50992c3bdc0517ca01d72c39981f5de1f3335"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/iii.py"}, "region": {"startLine": 316}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._set_connection_state` used but never assigned in __init__: Method `_reconnect_loop` of class `III` reads `self._set_connection_state`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132834, "scanner": "repobility-ast-engine", "fingerprint": "2629fd0e2046197d3ab85f91fce31f0103308af95d77a0bf977cf3551be39be2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2629fd0e2046197d3ab85f91fce31f0103308af95d77a0bf977cf3551be39be2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/iii.py"}, "region": {"startLine": 329}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._reconnect_loop` used but never assigned in __init__: Method `_schedule_reconnect` of class `III` reads `self._reconnect_loop`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance. Triage note: this run also reports `_reconnect_loop` as a method of class `III`; a method defined in the class body resolves through normal attribute lookup without an assignment in __init__, so confirm against the source before treating this finding as a runtime AttributeError."}, "properties": {"repobilityId": 132833, "scanner": "repobility-ast-engine", "fingerprint": "8e256aefb9d10cbadf7a6879fdd1151ece3f09dca6ddd3721e46628e0e22f088", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8e256aefb9d10cbadf7a6879fdd1151ece3f09dca6ddd3721e46628e0e22f088"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/iii.py"}, "region": {"startLine": 307}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._schedule_reconnect` used but never assigned in __init__: Method `_do_connect` of class `III` reads `self._schedule_reconnect`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance. Triage note: this run also reports `_schedule_reconnect` as a method of class `III`; a method defined in the class body resolves through normal attribute lookup without an assignment in __init__, so confirm against the source before treating this finding as a runtime AttributeError."}, "properties": {"repobilityId": 132832, "scanner": "repobility-ast-engine", "fingerprint": "bbcde63494136ee0a3ba0c2fc730f763c5338f0ccd92aaae240508973c946769", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bbcde63494136ee0a3ba0c2fc730f763c5338f0ccd92aaae240508973c946769"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/iii.py"}, "region": {"startLine": 303}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._on_connected` used but never assigned in __init__: Method `_do_connect` of class `III` reads `self._on_connected`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132831, "scanner": "repobility-ast-engine", "fingerprint": "07ae5b490d5c1843ecd37d9a8d4e7534301ab11d588913ac72c6430870bcbf84", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|07ae5b490d5c1843ecd37d9a8d4e7534301ab11d588913ac72c6430870bcbf84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/iii.py"}, "region": {"startLine": 299}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._set_connection_state` used but never assigned in __init__: Method `shutdown_async` of class `III` reads `self._set_connection_state`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132830, "scanner": "repobility-ast-engine", "fingerprint": "21928bdbc47c1dc0b18d82132ea4933be71cf9df5c2e57b2f52859707b944809", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|21928bdbc47c1dc0b18d82132ea4933be71cf9df5c2e57b2f52859707b944809"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/iii.py"}, "region": {"startLine": 281}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._do_connect` used but never assigned in __init__: Method `connect_async` of class `III` reads `self._do_connect`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance. Triage note: this run also reports `_do_connect` as a method of class `III`; a method defined in the class body resolves through normal attribute lookup without an assignment in __init__, so confirm against the source before treating this finding as a runtime AttributeError."}, "properties": {"repobilityId": 132829, "scanner": "repobility-ast-engine", "fingerprint": "2d8cff74f3678359b7ccd64c3b97e3327d4b6309ab10eecd6eb263395e09076e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2d8cff74f3678359b7ccd64c3b97e3327d4b6309ab10eecd6eb263395e09076e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/iii.py"}, "region": {"startLine": 239}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._set_connection_state` used but never assigned in __init__: Method `connect_async` of class `III` reads `self._set_connection_state`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132828, "scanner": "repobility-ast-engine", "fingerprint": "335b689b65c27301780ae83c5b80e1016db30b1b35d36b881998c7b7b0a22bfd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|335b689b65c27301780ae83c5b80e1016db30b1b35d36b881998c7b7b0a22bfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/iii.py"}, "region": {"startLine": 238}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.shutdown_async` used but never assigned in __init__: Method `shutdown` of class `III` reads `self.shutdown_async`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance. Triage note: this run also reports `shutdown_async` as a method of class `III`; a method defined in the class body resolves through normal attribute lookup without an assignment in __init__, so confirm against the source before treating this finding as a runtime AttributeError."}, "properties": {"repobilityId": 132827, "scanner": "repobility-ast-engine", "fingerprint": "3f7a192ad8a2ad9fee49fc086f310979a8bf8b8896ee76ebba1645bc2675f98d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3f7a192ad8a2ad9fee49fc086f310979a8bf8b8896ee76ebba1645bc2675f98d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/iii.py"}, "region": {"startLine": 214}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._run_on_loop` used but never assigned in __init__: Method `shutdown` of class `III` reads `self._run_on_loop`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132826, "scanner": "repobility-ast-engine", "fingerprint": "127a99d5320a26b3bb8175ccf6b4b2cdf4c3ac11f63286db5afbc76d93f6a8be", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|127a99d5320a26b3bb8175ccf6b4b2cdf4c3ac11f63286db5afbc76d93f6a8be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/iii.py"}, "region": {"startLine": 214}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_state_delete_non_existent_item: Test function `test_state_delete_non_existent_item` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132825, "scanner": "repobility-ast-engine", "fingerprint": "5502cbe793ee3a190ee6e2be7a351b6d9b706fb3fb25ee4cda91fdf57fd0fca8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5502cbe793ee3a190ee6e2be7a351b6d9b706fb3fb25ee4cda91fdf57fd0fca8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_state.py"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_shutdown_closes_connection: Test function `test_shutdown_closes_connection` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132824, "scanner": "repobility-ast-engine", "fingerprint": "58e086dc5720c869650411cd3065353b574b364498e727aa64c28884a1ba75d7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|58e086dc5720c869650411cd3065353b574b364498e727aa64c28884a1ba75d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_telemetry.py"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_shutdown_without_init_is_safe: Test function `test_shutdown_without_init_is_safe` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132823, "scanner": "repobility-ast-engine", "fingerprint": "8fb520a5e1a7adacd20824d86c18ae9c45325512b54b77f1000936f2f1ddf8d9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8fb520a5e1a7adacd20824d86c18ae9c45325512b54b77f1000936f2f1ddf8d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_telemetry.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_stream_delete_non_existent_item: Test function `test_stream_delete_non_existent_item` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132822, "scanner": "repobility-ast-engine", "fingerprint": "324d39ace93d92dc934c0e452912883ac07338fea5eec913080f17bd5c0afd8a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|324d39ace93d92dc934c0e452912883ac07338fea5eec913080f17bd5c0afd8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_streams.py"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_set_current_span_error_is_safe_outside_span: Test function `test_set_current_span_error_is_safe_outside_span` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132821, "scanner": "repobility-ast-engine", "fingerprint": "ce9d4ca444a267faec070c6fb84210faeb37228df2dce0061bf151c45c7a002c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ce9d4ca444a267faec070c6fb84210faeb37228df2dce0061bf151c45c7a002c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_span_ops.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_delivers_events_to_multiple_external_functions`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132818, "scanner": "repobility-ast-engine", "fingerprint": "004784af91cfb9c057b55f8ac4286f35ddfcee783119e9ac4572ca2792b5fb27", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|004784af91cfb9c057b55f8ac4286f35ddfcee783119e9ac4572ca2792b5fb27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_http_external_functions_integration.py"}, "region": {"startLine": 467}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_delivers_events_to_multiple_external_functions`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132817, "scanner": "repobility-ast-engine", "fingerprint": "3fa499c008029a51e9db623bdb4ca48acf3bb97dfd43354b2ad9261419e8f786", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3fa499c008029a51e9db623bdb4ca48acf3bb97dfd43354b2ad9261419e8f786"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_http_external_functions_integration.py"}, "region": {"startLine": 459}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_delivers_events_with_custom_headers`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132816, "scanner": "repobility-ast-engine", "fingerprint": "04e7920faf6e35a0fca9a7f941deb531f015c302fffe892ff4ff989ca80ac547", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|04e7920faf6e35a0fca9a7f941deb531f015c302fffe892ff4ff989ca80ac547"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_http_external_functions_integration.py"}, "region": {"startLine": 404}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_delivers_events_with_custom_headers`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132815, "scanner": "repobility-ast-engine", "fingerprint": "861025bd53cd035a87baad0b23e80e474204b5c3dde2b59bddbe6e7698e812c2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|861025bd53cd035a87baad0b23e80e474204b5c3dde2b59bddbe6e7698e812c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_http_external_functions_integration.py"}, "region": {"startLine": 399}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_registers_and_unregisters_external_function`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132814, "scanner": "repobility-ast-engine", "fingerprint": "aaad107868d93561a166bfe1efcb51b552518470ab80f39a1884fdce5b4e7afa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aaad107868d93561a166bfe1efcb51b552518470ab80f39a1884fdce5b4e7afa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_http_external_functions_integration.py"}, "region": {"startLine": 367}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_registers_and_unregisters_external_function`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132813, "scanner": "repobility-ast-engine", "fingerprint": "c46dc6a68a5dd101e615e6c0b7b5726e4ef4f75382d5d6e1caccb8ed9f28319e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c46dc6a68a5dd101e615e6c0b7b5726e4ef4f75382d5d6e1caccb8ed9f28319e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_http_external_functions_integration.py"}, "region": {"startLine": 351}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_registers_and_unregisters_external_function`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132812, "scanner": "repobility-ast-engine", "fingerprint": "999dd4a15f8e2ba47bf45a0bb648394634c1406ded165c30c69e805985ab623a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|999dd4a15f8e2ba47bf45a0bb648394634c1406ded165c30c69e805985ab623a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_http_external_functions_integration.py"}, "region": {"startLine": 357}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_registers_and_unregisters_external_function`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132811, "scanner": "repobility-ast-engine", "fingerprint": "67ede5658db2169116c1bbf4c13dfe8fa17be01b9cc694a0a4fc0a2ed36ae2b8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|67ede5658db2169116c1bbf4c13dfe8fa17be01b9cc694a0a4fc0a2ed36ae2b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_http_external_functions_integration.py"}, "region": {"startLine": 341}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_delivers_queue_events_to_external_http_function`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132810, "scanner": "repobility-ast-engine", "fingerprint": "010899515299aae697d6f5c9fab7e984e9c411c52c82f1f1044c0d4acb09e447", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|010899515299aae697d6f5c9fab7e984e9c411c52c82f1f1044c0d4acb09e447"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_http_external_functions_integration.py"}, "region": {"startLine": 307}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_delivers_queue_events_to_external_http_function`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132809, "scanner": "repobility-ast-engine", "fingerprint": "db15174d024bda07525c329218cfaacab9cfc482ac241a7bfddbc860e6f746f8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|db15174d024bda07525c329218cfaacab9cfc482ac241a7bfddbc860e6f746f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_http_external_functions_integration.py"}, "region": {"startLine": 302}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.wait_for_webhook` used but never assigned in __init__: Method `wait_for_webhook_or_none` of class `WebhookProbe` reads `self.wait_for_webhook`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132808, "scanner": "repobility-ast-engine", "fingerprint": "0731225f259240da6efbb7adc7fe6fecfa262947744556691713fa83b8352498", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0731225f259240da6efbb7adc7fe6fecfa262947744556691713fa83b8352498"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_http_external_functions_integration.py"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._handle_request` used but never assigned in __init__: Method `start` of class `WebhookProbe` reads `self._handle_request`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132807, "scanner": "repobility-ast-engine", "fingerprint": "75e8fa04f2a7ed343801a7a3b3f6da0654eed7a7758f56ac656623ee7a726e4a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|75e8fa04f2a7ed343801a7a3b3f6da0654eed7a7758f56ac656623ee7a726e4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_http_external_functions_integration.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_register_function_input_model_raises: Test function `test_register_function_input_model_raises` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132806, "scanner": "repobility-ast-engine", "fingerprint": "2443b8df6f62d9c50daa22e4ea49d85adffc5ac973bd4044540407d0fdb749ac", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2443b8df6f62d9c50daa22e4ea49d85adffc5ac973bd4044540407d0fdb749ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_register_function_args.py"}, "region": {"startLine": 383}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_register_function_dict_raises: Test function `test_register_function_dict_raises` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132805, "scanner": "repobility-ast-engine", "fingerprint": "03f94a67af26475c01ce359559afeb83fee58b76edb0e05be2b0c3cac9b188e2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|03f94a67af26475c01ce359559afeb83fee58b76edb0e05be2b0c3cac9b188e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_register_function_args.py"}, "region": {"startLine": 369}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_multipart_form_data`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132804, "scanner": "repobility-ast-engine", "fingerprint": "e57413fbfbd5fb8d9c61e4dae94a8a51333d841915d5cd492bd2779eccdc6dc7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e57413fbfbd5fb8d9c61e4dae94a8a51333d841915d5cd492bd2779eccdc6dc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_api_triggers.py"}, "region": {"startLine": 568}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function 
`test_urlencoded_form_data`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132803, "scanner": "repobility-ast-engine", "fingerprint": "c429bda9724d85194fac3dd9ce82f12ac649ee34a7a7e1e464418d1d78c59a5a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c429bda9724d85194fac3dd9ce82f12ac649ee34a7a7e1e464418d1d78c59a5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_api_triggers.py"}, "region": {"startLine": 498}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_sse_streaming`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132802, "scanner": "repobility-ast-engine", "fingerprint": "6566bd311c645910921cf1fb8d4fb1eebe1bae1fdc2f451d5db90562e9bdd5a6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6566bd311c645910921cf1fb8d4fb1eebe1bae1fdc2f451d5db90562e9bdd5a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_api_triggers.py"}, "region": {"startLine": 423}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_upload_pdf_streaming`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132801, "scanner": "repobility-ast-engine", "fingerprint": "4ffb7401d1cf660ce12cda3003aa2d47ba802f1c34c02aeeee403227fa1c2515", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4ffb7401d1cf660ce12cda3003aa2d47ba802f1c34c02aeeee403227fa1c2515"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_api_triggers.py"}, "region": {"startLine": 360}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_download_pdf_streaming`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132800, "scanner": "repobility-ast-engine", "fingerprint": "d7be9438df3ab4ba32d9210aef2229145aa73c9f2143c1c5a17978a634906cd1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d7be9438df3ab4ba32d9210aef2229145aa73c9f2143c1c5a17978a634906cd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_api_triggers.py"}, "region": {"startLine": 309}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_content_type_on_api_response_return`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132799, "scanner": "repobility-ast-engine", "fingerprint": "59eac33067d441a51907a9e12df68aa930c1386acd6adf259ade422ec59d9204", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|59eac33067d441a51907a9e12df68aa930c1386acd6adf259ade422ec59d9204"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_api_triggers.py"}, "region": {"startLine": 270}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_custom_status_code`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132798, "scanner": "repobility-ast-engine", "fingerprint": "067525c0ff1ca3c522a0fadc2fdf45f7e25ae7b85c42c26e9808669351107ff2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|067525c0ff1ca3c522a0fadc2fdf45f7e25ae7b85c42c26e9808669351107ff2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_api_triggers.py"}, "region": {"startLine": 234}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_query_parameters`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132797, "scanner": "repobility-ast-engine", "fingerprint": "a6bc75c99811cd459c59ba087f36d2c14de03f6eccc96fac211f40464f687059", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a6bc75c99811cd459c59ba087f36d2c14de03f6eccc96fac211f40464f687059"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_api_triggers.py"}, "region": {"startLine": 202}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_path_parameters`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132796, "scanner": "repobility-ast-engine", "fingerprint": "6b6f92bb73dd08adfdd4c64276652c3c1ba0a2c5842c1696ff969a8fc3529feb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6b6f92bb73dd08adfdd4c64276652c3c1ba0a2c5842c1696ff969a8fc3529feb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_api_triggers.py"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_raw_json_request_body`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132795, "scanner": "repobility-ast-engine", "fingerprint": "ab289db944386d513acc2e94d1b434c060c4a72c345d946d9d9a5db61a7c9c98", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ab289db944386d513acc2e94d1b434c060c4a72c345d946d9d9a5db61a7c9c98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_api_triggers.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_post_endpoint_with_body`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132794, "scanner": "repobility-ast-engine", "fingerprint": "e09389b69da3a29ab232f99da4e1442cdd541dd54992540576b1589a9bf69625", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e09389b69da3a29ab232f99da4e1442cdd541dd54992540576b1589a9bf69625"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_api_triggers.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_get_endpoint`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132793, "scanner": "repobility-ast-engine", "fingerprint": "59bbd69ff8c3e5a94eb7be1267733421836f31991e13dbdec15e4a301fbecd32", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|59bbd69ff8c3e5a94eb7be1267733421836f31991e13dbdec15e4a301fbecd32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_api_triggers.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_close_async_skips_when_ws_is_none: Test function `test_close_async_skips_when_ws_is_none` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132792, "scanner": "repobility-ast-engine", "fingerprint": "f6a0d52eff210af495bf369cd3878e078cdfc05fac98e9f3421aadfaa59cd926", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f6a0d52eff210af495bf369cd3878e078cdfc05fac98e9f3421aadfaa59cd926"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_channel_close_delay.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_close_async_skips_when_not_connected: Test function `test_close_async_skips_when_not_connected` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132791, "scanner": "repobility-ast-engine", "fingerprint": "0bd31ed15c3e980d3b2c3af94612362b3ce983dc3cd428351f96ceec32532cd1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0bd31ed15c3e980d3b2c3af94612362b3ce983dc3cd428351f96ceec32532cd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/tests/test_channel_close_delay.py"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._run` used but never assigned in __init__: Method `start` of class `SharedEngineConnection` reads `self._run`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132788, "scanner": "repobility-ast-engine", "fingerprint": "d2dee072c97b7e2779e7940b98b31e1be3d44482614b59920bf24d40112b7683", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d2dee072c97b7e2779e7940b98b31e1be3d44482614b59920bf24d40112b7683"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/observability/src/iii_observability/telemetry_exporters.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._emit` used but never assigned in __init__: Method `debug` of class `Logger` reads `self._emit`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132786, "scanner": "repobility-ast-engine", "fingerprint": "64ae6f8765d919115c9c125f1d0dec72fc7155074ae8acc8b802863a93fe8f98", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|64ae6f8765d919115c9c125f1d0dec72fc7155074ae8acc8b802863a93fe8f98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/observability/src/iii_observability/logger.py"}, "region": {"startLine": 184}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._emit` used but never assigned in __init__: Method `error` of class `Logger` reads `self._emit`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132785, "scanner": "repobility-ast-engine", "fingerprint": "081f051ff013b3b16811996e0b0ccf47fde301da3a8609ee77ae792657fc7670", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|081f051ff013b3b16811996e0b0ccf47fde301da3a8609ee77ae792657fc7670"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/observability/src/iii_observability/logger.py"}, "region": {"startLine": 169}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._emit` used but never assigned in __init__: Method `warn` of class `Logger` reads `self._emit`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132784, "scanner": "repobility-ast-engine", "fingerprint": "5b7a3eea10b2da6da9d81f1499208c132e94f0c2dfa2f5492822199816226bee", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5b7a3eea10b2da6da9d81f1499208c132e94f0c2dfa2f5492822199816226bee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/observability/src/iii_observability/logger.py"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._emit` used but never assigned in __init__: Method `info` of class `Logger` reads `self._emit`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132783, "scanner": "repobility-ast-engine", "fingerprint": "351d833774de83e735bb4e001a082fc8dfa32b6fffb1f5331dd55711a6dc82e9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|351d833774de83e735bb4e001a082fc8dfa32b6fffb1f5331dd55711a6dc82e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/observability/src/iii_observability/logger.py"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._emit_otel` used but never assigned in __init__: Method `_emit` of class `Logger` reads `self._emit_otel`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132782, "scanner": "repobility-ast-engine", "fingerprint": "81cfcf21a92d7599f4645b7693c6300b295c9f006968e05939842bfd1db1f1c7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|81cfcf21a92d7599f4645b7693c6300b295c9f006968e05939842bfd1db1f1c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/observability/src/iii_observability/logger.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `urllib.request.urlopen` inside async function `_post_example`: `urllib.request.urlopen` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132781, "scanner": "repobility-ast-engine", "fingerprint": "8125eb38797c78308b34c95feb6a2b482feb6dc552a484981fcae379c2820cb6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8125eb38797c78308b34c95feb6a2b482feb6dc552a484981fcae379c2820cb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii-example/src/main.py"}, "region": {"startLine": 201}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `urllib.request.Request` inside async function `_post_example`: `urllib.request.Request` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132780, "scanner": "repobility-ast-engine", "fingerprint": "8fc572db0dafc8fec111f7a39f111088f6d4a9216b57f6587aefdcb92a95ec0b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8fc572db0dafc8fec111f7a39f111088f6d4a9216b57f6587aefdcb92a95ec0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii-example/src/main.py"}, "region": {"startLine": 195}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `urllib.request.urlopen` inside async function `_fetch_example`: `urllib.request.urlopen` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 132779, "scanner": "repobility-ast-engine", "fingerprint": "61a44e62c113f6af6432a2d5082b7d8887edcab464c21e184cda6015ee490186", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|61a44e62c113f6af6432a2d5082b7d8887edcab464c21e184cda6015ee490186"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii-example/src/main.py"}, "region": {"startLine": 187}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.base` used but never assigned in __init__: Method `__str__` of class `Version` reads `self.base`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132778, "scanner": "repobility-ast-engine", "fingerprint": "ca3c29135469db80177491219d0a724d6f8bec1cc80777a3a31c2315b3fed347", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ca3c29135469db80177491219d0a724d6f8bec1cc80777a3a31c2315b3fed347"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/calculate_release_version.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.base` used but never assigned in __init__: Method `__str__` of class `Version` reads `self.base`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132777, "scanner": "repobility-ast-engine", "fingerprint": "25f20c5fda2eadd4c169efea56dc17be7d9d42d5f58dc2c4bc6d1eaeb1c1427e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|25f20c5fda2eadd4c169efea56dc17be7d9d42d5f58dc2c4bc6d1eaeb1c1427e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/calculate_release_version.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_raises_when_dep_missing: Test function `test_raises_when_dep_missing` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132776, "scanner": "repobility-ast-engine", "fingerprint": "84171e09b589cd6f3bc6e50d0f41b395f3615055a960e5191e2aefe494f0ada2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|84171e09b589cd6f3bc6e50d0f41b395f3615055a960e5191e2aefe494f0ada2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/test_bump_manifests.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_raises_when_no_top_level_version: Test function `test_raises_when_no_top_level_version` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132775, "scanner": "repobility-ast-engine", "fingerprint": "0592660cf6a64245fab2b21796e60b98626bd270fbec192785e0720370f38cff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0592660cf6a64245fab2b21796e60b98626bd270fbec192785e0720370f38cff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/test_bump_manifests.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_raises_when_dep_missing: Test function `test_raises_when_dep_missing` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132774, "scanner": "repobility-ast-engine", "fingerprint": "8189b6404eb22b9cca4d04b49270e64b2034b87e57a35928f00c2544d0247a2f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8189b6404eb22b9cca4d04b49270e64b2034b87e57a35928f00c2544d0247a2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/test_bump_manifests.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_raises_when_no_version: Test function `test_raises_when_no_version` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132773, "scanner": "repobility-ast-engine", "fingerprint": "0b508de15c7e562bdd566c19c9bb3b5ad49a4f8c98309bbf963eb4fde72c4cb0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0b508de15c7e562bdd566c19c9bb3b5ad49a4f8c98309bbf963eb4fde72c4cb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/test_bump_manifests.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_raises_when_absent: Test function `test_raises_when_absent` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132772, "scanner": "repobility-ast-engine", "fingerprint": "98140a69b257b219f65b25c91321925036787c70b68c14375e6a701ce7a3fc42", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|98140a69b257b219f65b25c91321925036787c70b68c14375e6a701ce7a3fc42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/test_pin_docs.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_rejects_garbage: Test function `test_rejects_garbage` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132771, "scanner": "repobility-ast-engine", "fingerprint": "4317e8f6a3069eb63730294ea39a1ccfe172e9a03ea6797208c141c3bdcefb3e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4317e8f6a3069eb63730294ea39a1ccfe172e9a03ea6797208c141c3bdcefb3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/test_pin_docs.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_unparseable_current_raises: Test function `test_unparseable_current_raises` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132770, "scanner": "repobility-ast-engine", "fingerprint": "12f0f6c79921136f6b6f615587910ee1532d022cbbd580d75674084b01df2348", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|12f0f6c79921136f6b6f615587910ee1532d022cbbd580d75674084b01df2348"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/test_calculate_release_version.py"}, "region": {"startLine": 807}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_uppercase_prerelease_raises: Test function `test_uppercase_prerelease_raises` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132769, "scanner": "repobility-ast-engine", "fingerprint": "65b395dbbd86b4c3c8e94ac0b8adfb9b25942ba9b8d3d2495507f79515753d55", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|65b395dbbd86b4c3c8e94ac0b8adfb9b25942ba9b8d3d2495507f79515753d55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/test_calculate_release_version.py"}, "region": {"startLine": 801}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_empty_prerelease_string_raises: Test function `test_empty_prerelease_string_raises` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132768, "scanner": "repobility-ast-engine", "fingerprint": "0ab6170bd90307044e861d1b3f3ded7141127c6361ea9d4d883ccbbfc5431609", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0ab6170bd90307044e861d1b3f3ded7141127c6361ea9d4d883ccbbfc5431609"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/test_calculate_release_version.py"}, "region": {"startLine": 797}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_unknown_prerelease_raises: Test function `test_unknown_prerelease_raises` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132767, "scanner": "repobility-ast-engine", "fingerprint": "b9b45438877e7cf7f110bc739499e905fb5cd6cb59e4c879a8a7eee25565cd73", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b9b45438877e7cf7f110bc739499e905fb5cd6cb59e4c879a8a7eee25565cd73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/test_calculate_release_version.py"}, "region": {"startLine": 793}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_unknown_bump_type_raises: Test function `test_unknown_bump_type_raises` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132766, "scanner": "repobility-ast-engine", "fingerprint": "9bec91d235fc98f28e82ffb793378301be91673c34f4d243b1a94ee0ad8b802f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9bec91d235fc98f28e82ffb793378301be91673c34f4d243b1a94ee0ad8b802f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/test_calculate_release_version.py"}, "region": {"startLine": 789}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_missing_version_raises: Test function `test_missing_version_raises` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132765, "scanner": "repobility-ast-engine", "fingerprint": "b7d91c0d7d31a132ea6f6cf0999fdb80a68d5edda5b7f352779e4eb3caed7dfb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b7d91c0d7d31a132ea6f6cf0999fdb80a68d5edda5b7f352779e4eb3caed7dfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/test_calculate_release_version.py"}, "region": {"startLine": 779}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_unknown_prerelease: Test function `test_unknown_prerelease` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132764, "scanner": "repobility-ast-engine", "fingerprint": "8c5fa5391ab7d23f69cbc61d698c3629f9260431b47ad1a27e8614c3147e6c83", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8c5fa5391ab7d23f69cbc61d698c3629f9260431b47ad1a27e8614c3147e6c83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/test_calculate_release_version.py"}, "region": {"startLine": 312}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_unknown_bump: Test function `test_unknown_bump` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132763, "scanner": "repobility-ast-engine", "fingerprint": "49ce571af86cacce8394e986aa6a75d33b3764e1bc51a3809488df8691060ac1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|49ce571af86cacce8394e986aa6a75d33b3764e1bc51a3809488df8691060ac1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/test_calculate_release_version.py"}, "region": {"startLine": 308}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_unknown_bump: Test function `test_unknown_bump` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132762, "scanner": "repobility-ast-engine", "fingerprint": "ff76b8b9b9a0a7e8352472c0b4c4aad572c28df5fd0c967dba859820baccd4a2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ff76b8b9b9a0a7e8352472c0b4c4aad572c28df5fd0c967dba859820baccd4a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/test_calculate_release_version.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_invalid: Test function `test_invalid` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132761, "scanner": "repobility-ast-engine", "fingerprint": "c8e4bcba282c7cb6ff49f17c23803b99987986d75f9ae9ffeaf3aeeef06059b4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c8e4bcba282c7cb6ff49f17c23803b99987986d75f9ae9ffeaf3aeeef06059b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/test_calculate_release_version.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 132752, "scanner": "repobility-docker", "fingerprint": "07d8e127063f9f2037d9f71b08b8425a838b2cb31d8e6edb7d4cf95e0ae1366f", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5672:5672", "target": "5672", "host_ip": "", "published": "5672"}, {"raw": "15672:15672", "target": "15672", "host_ip": "", "published": "15672"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "rabbitmq", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|07d8e127063f9f2037d9f71b08b8425a838b2cb31d8e6edb7d4cf95e0ae1366f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/node/iii-example/docker-compose.yaml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC011", "level": 
"error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 132744, "scanner": "repobility-docker", "fingerprint": "c86f5691cd4386394d1f94d8e34ecfba31c99aa32c55f57afd8c4b687dd28b36", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5672:5672", "target": "5672", "host_ip": "", "published": "5672"}, {"raw": "15672:15672", "target": "15672", "host_ip": "", "published": "15672"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "rabbitmq", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|c86f5691cd4386394d1f94d8e34ecfba31c99aa32c55f57afd8c4b687dd28b36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/docker-compose.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 132743, "scanner": "repobility-docker", "fingerprint": "9459cfec6d3e7c9fec2fd862eec344d4b44981cd594e4fe74098177026e1f746", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "6379:6379", "target": "6379", "host_ip": "", "published": "6379"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": 
"fp|9459cfec6d3e7c9fec2fd862eec344d4b44981cd594e4fe74098177026e1f746"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 132736, "scanner": "repobility-docker", "fingerprint": "03a2ca64ae7e6b3b39085dc5888953d43c7313a0783551bd05dd9b82f1691c26", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|03a2ca64ae7e6b3b39085dc5888953d43c7313a0783551bd05dd9b82f1691c26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/Dockerfile.debug"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 132686, "scanner": "repobility-threat-engine", "fingerprint": "98c3f8eeac055c70bb9d3a696d7ae3bcb85ecce8f9298e536226b1978ba5d4c2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|98c3f8eeac055c70bb9d3a696d7ae3bcb85ecce8f9298e536226b1978ba5d4c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/types.py"}, "region": {"startLine": 241}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 132685, "scanner": "repobility-threat-engine", "fingerprint": "b86ad329e4f9b8ba6af1a536daa24e7badc6270e7548edc1a76a59aad56b0d41", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b86ad329e4f9b8ba6af1a536daa24e7badc6270e7548edc1a76a59aad56b0d41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/otel_worker_gauges.py"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 132684, "scanner": "repobility-threat-engine", "fingerprint": "860ac896f975a02a775a65274a3cee7ebece0a85f824ef08a021166ec5e55375", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": 
["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|860ac896f975a02a775a65274a3cee7ebece0a85f824ef08a021166ec5e55375"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii/src/iii/channels.py"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 132670, "scanner": "repobility-threat-engine", "fingerprint": "6ad735ce4ce976e83358d5b904bc76e10029367e77113c388b22d330d69d1e0c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6ad735ce4ce976e83358d5b904bc76e10029367e77113c388b22d330d69d1e0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/examples/python/echo_invoker.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED010", "level": "error", "message": {"text": "[MINED010] Ruby System Call: system / backtick run shell. 
Command injection is possible if any argument is dynamic."}, "properties": {"repobilityId": 132667, "scanner": "repobility-threat-engine", "fingerprint": "f087d28c7ce41f21a20f4e2d18573634777a0c7b548b0bb387553b44dff8a0f9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347921+00:00", "triaged_in_corpus": 15, "observations_count": 189513, "ai_coder_pattern_id": 162}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f087d28c7ce41f21a20f4e2d18573634777a0c7b548b0bb387553b44dff8a0f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/0-11-0/scripts/renderers/components.mts"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 132666, "scanner": "repobility-threat-engine", "fingerprint": "10ca1bc613e246c03e214e920bf044349fc186a55bb0e6b97ecb45ddf327b96d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(typeStr", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|10ca1bc613e246c03e214e920bf044349fc186a55bb0e6b97ecb45ddf327b96d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/0-11-0/scripts/renderers/components.mts"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 132665, "scanner": "repobility-threat-engine", "fingerprint": "73b119c41491c2b4a09961dd22f56fe37493f854b4725e44b27eef84036d1e33", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|73b119c41491c2b4a09961dd22f56fe37493f854b4725e44b27eef84036d1e33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/0-11-0/scripts/renderers/components.mts"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 132661, "scanner": "repobility-threat-engine", "fingerprint": "883c127c8da5ee89c379d60f8765e6b8441d7c824e2923d0cfea748a05ca9eff", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n    ({ path: p, priority }) => `  <url>\n    <loc>${SITE_ORIGIN}${p}</loc>\n    <lastmod>${lastmo", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|883c127c8da5ee89c379d60f8765e6b8441d7c824e2923d0cfea748a05ca9eff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "website/scripts/generate-sitemap.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 132660, "scanner": "repobility-threat-engine", "fingerprint": "3d6e7d1c94831fc8d05cb97619d19f567bfaa3842b7c16e6fe31659c923cd8a5", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((p: any) => `${p.name}: ${typeToString(p.type)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3d6e7d1c94831fc8d05cb97619d19f567bfaa3842b7c16e6fe31659c923cd8a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/0-11-0/scripts/parsers/parse-typedoc.mts"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... 
| sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 132650, "scanner": "repobility-threat-engine", "fingerprint": "db94c068682b0c5ca3c1f4e72d6feb7ce6dc830f6a93c74d8c636eaef3727614", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|db94c068682b0c5ca3c1f4e72d6feb7ce6dc830f6a93c74d8c636eaef3727614"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/scaffolder-core/src/runtime/tool.rs"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. 
Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 132648, "scanner": "repobility-threat-engine", "fingerprint": "c6a237fce26908f86e0a988655dd5f25efc5c6b6b2aa99a75311d23760bc30d2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c6a237fce26908f86e0a988655dd5f25efc5c6b6b2aa99a75311d23760bc30d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/core/list.rs"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. 
Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 132647, "scanner": "repobility-threat-engine", "fingerprint": "4d5bc5e7f34122187e71766270798f7ae71217290a134f53f14ce023d24503b9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4d5bc5e7f34122187e71766270798f7ae71217290a134f53f14ce023d24503b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/core/clear.rs"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. 
Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 132646, "scanner": "repobility-threat-engine", "fingerprint": "87d838b861f587dc386b96c6b725a27e26419ca6672432960ff16701cb1a3f1f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|87d838b861f587dc386b96c6b725a27e26419ca6672432960ff16701cb1a3f1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-worker/src/core/add.rs"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 132632, "scanner": "repobility-threat-engine", "fingerprint": "59602720978647e205a74eaf85d288b5fba731ac3f5c90337e460e2edbbc447a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|59602720978647e205a74eaf85d288b5fba731ac3f5c90337e460e2edbbc447a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/iii-filesystem/build.rs"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 132631, "scanner": "repobility-threat-engine", "fingerprint": "6e470da5dd93be4e137735aaa6ba4def2b0e93f07ce0c028a78b9c2c5f1798af", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6e470da5dd93be4e137735aaa6ba4def2b0e93f07ce0c028a78b9c2c5f1798af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "console/packages/console-rust/src/server.rs"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 132630, "scanner": "repobility-threat-engine", "fingerprint": "eb5626fc5b36feef2b29f1734c483d72bc5445a2e2069ff63d8193da1595615a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eb5626fc5b36feef2b29f1734c483d72bc5445a2e2069ff63d8193da1595615a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "console/packages/console-rust/build.rs"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 132628, "scanner": "repobility-threat-engine", "fingerprint": "4485a5c47d9776bde76a0d74637887a9b70bbde37583788f63adf092d288bc68", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.stream.destroy(err)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4485a5c47d9776bde76a0d74637887a9b70bbde37583788f63adf092d288bc68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/node/iii/src/channels.ts"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 132627, "scanner": "repobility-threat-engine", "fingerprint": "4a7f43e09c5161f59aa0b6a9d6fe0da212ba9e529478eb8dff4618c0b0032b76", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "hasher.update(data);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4a7f43e09c5161f59aa0b6a9d6fe0da212ba9e529478eb8dff4618c0b0032b76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/src/cli/download.rs"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 132626, "scanner": "repobility-threat-engine", "fingerprint": "263c8f642d92997063d708f64fdb13bbf9b2369a3fbecb167a3fcc7989d51313", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "next.delete(namespace)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|263c8f642d92997063d708f64fdb13bbf9b2369a3fbecb167a3fcc7989d51313"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "console/packages/console-frontend/src/components/traces/SpanTagsTab.tsx"}, "region": {"startLine": 94}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 132610, "scanner": "repobility-threat-engine", "fingerprint": "41fb4526300d4070a593729461880e3a3472e95e8195c5880c83c79b9f57b115", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|41fb4526300d4070a593729461880e3a3472e95e8195c5880c83c79b9f57b115"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/go/iii/channels.go"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 132609, "scanner": "repobility-threat-engine", "fingerprint": "b9d33f912ab4fd39b93dbed2b61eec75e2781750b0811493741ab705df95a9a1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL (d", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b9d33f912ab4fd39b93dbed2b61eec75e2781750b0811493741ab705df95a9a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/examples/python/echo_invoker.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 132608, "scanner": "repobility-threat-engine", "fingerprint": "ecadb24f991479c56251389e8d083d29904ab95fc6712236f71689d159a237c7", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ecadb24f991479c56251389e8d083d29904ab95fc6712236f71689d159a237c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/license-agreement-check.mjs"}, "region": {"startLine": 346}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.ANTHROPIC_API_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Exposure depends on repository settings: GitHub does not pass repository secrets to `pull_request` runs from forks by default, so confirm whether this job also runs for same-repository branches or with fork secrets enabled. 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132883, "scanner": "repobility-supply-chain", "fingerprint": "db49c62f50fcad5fc4b43e39a954db4ab3987ede1982923934952e65f625ee6c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|db49c62f50fcad5fc4b43e39a954db4ab3987ede1982923934952e65f625ee6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/skill-check.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ALARM_EMAIL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.ALARM_EMAIL }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Exposure depends on repository settings: GitHub does not pass repository secrets to `pull_request` runs from forks by default, so confirm whether this job also runs for same-repository branches or with fork secrets enabled. 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132882, "scanner": "repobility-supply-chain", "fingerprint": "df4cd9df0b34b6b1d050c19f7a4e1e31bdef494922e4d22a0df1a5e5bcb20310", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|df4cd9df0b34b6b1d050c19f7a4e1e31bdef494922e4d22a0df1a5e5bcb20310"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tf-plan.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AWS_READONLY_ROLE_ARN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.AWS_READONLY_ROLE_ARN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Exposure depends on repository settings: GitHub does not pass repository secrets to `pull_request` runs from forks by default, so confirm whether this job also runs for same-repository branches or with fork secrets enabled. 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132881, "scanner": "repobility-supply-chain", "fingerprint": "4ce1652409ec42ec73c559780f5d3d97496ccb5c8200b826bd1bad8b2ca605d0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4ce1652409ec42ec73c559780f5d3d97496ccb5c8200b826bd1bad8b2ca605d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tf-plan.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `argparse` used but not imported: The file uses `argparse.something(...)` but never imports `argparse`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 132760, "scanner": "repobility-ast-engine", "fingerprint": "e8ba829c7bfe646ff16a4e4da50762c46e178c0bb407531795e9c4799b252020", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e8ba829c7bfe646ff16a4e4da50762c46e178c0bb407531795e9c4799b252020"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/examples/python/echo_invoker.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 132756, "scanner": "repobility-docker", "fingerprint": "f3fdfb6c0c55a13fa69917121df75d40319895de127f72174d62078c6b0d0bda", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "openobserve", "variable": "ZO_ROOT_USER_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|f3fdfb6c0c55a13fa69917121df75d40319895de127f72174d62078c6b0d0bda", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/python/iii-example/docker-compose.yaml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret 
environment value"}, "properties": {"repobilityId": 132748, "scanner": "repobility-docker", "fingerprint": "95dcc900d0d974536764ebe327e330bc73e6105b4ad50dde30b8716c16d86592", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "openobserve", "variable": "ZO_ROOT_USER_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|95dcc900d0d974536764ebe327e330bc73e6105b4ad50dde30b8716c16d86592", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/packages/node/iii-example/docker-compose.yaml"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) compiles user-controlled text as a template (server-side template injection) \u2014 full RCE via templates."}, "properties": {"repobilityId": 132672, "scanner": "repobility-threat-engine", "fingerprint": "cf63d9c9d0e7caf15077f21be62de88ae93cf6f32f166286e08c8355676ff14e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cf63d9c9d0e7caf15077f21be62de88ae93cf6f32f166286e08c8355676ff14e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"engine/src/cli_trigger/help.rs"}, "region": {"startLine": 125}}}]}]}]}