{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. 
Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AGT006", "name": "React interval is created without an explicit cleanup", "shortDescription": {"text": "React interval is created without an explicit cleanup"}, "fullDescription": {"text": "Store the interval id and return a useEffect cleanup that calls clearInterval. Also clear the interval in explicit stop/end handlers when relevant."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. 
On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n  1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is functionally equivalent to `a+` for matching purposes.\n  2. Use a linear-time engine: Google's RE2 (`pip install google-re2` in Python, the `re2` package in Node) is a drop-in replacement for most use cases, but it has no backreferences or lookaround.\n  3. Set a hard timeout: `signal.alarm(1)` before regex eval (Python, main thread, POSIX only). A JavaScript regex match cannot be interrupted from the thread running it, so bound the input length before matching or run the match in a worker you can terminate.\nTest patterns against `safe-regex` or `redos-detector` before shipping.\nWhen the flagged line builds the pattern dynamically (e.g. `new RegExp(pattern.source, flags)`), the scanner has not seen the actual pattern: trace where it comes from and treat caller-supplied patterns as untrusted."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace.\nFor JS/TS hits on `.exec(`: confirm the receiver first. `RegExp.prototype.exec` runs a match and executes no code, so it is not an eval-injection sink; shell execution via `child_process.exec` is covered separately by SEC085."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser); `crypto.randomUUID()` is available in both. Check what the value is used for before changing it: Math.random() is acceptable for non-security uses such as probabilistic sampling or jitter, and only identifiers, tokens, keys and nonces need a CSPRNG."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. 
Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": 
"Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 6 more): Same pattern found in 6 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 17 more): Same pattern found in 17 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16, plus 127/8, 0/8, 100.64/10 and the IPv6 equivalents (::1, fc00::/7, fe80::/10, and IPv4-mapped ::ffff:0:0/96).\nApply the IP check to the address actually connected to, not just to the hostname string: resolve first and pin that address (or check in the HTTP client's connect hook) so DNS rebinding cannot bypass it, and either disable redirect following or re-run the check on every redirect hop."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 1 more): Same pattern found in 1 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence. Take the SHA from the tag in the action's own repository (not a fork), keep the trailing version comment so Dependabot/Renovate can update both together, and pin reusable workflows and any other third-party actions the same way."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `node:24-trixie-slim` not pinned by digest: `FROM node:24-trixie-slim` resolves the tag at bu", "shortDescription": {"text": "[MINED118] Dockerfile FROM `node:24-trixie-slim` not pinned by digest: `FROM node:24-trixie-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Producti"}, "fullDescription": {"text": "Replace with: `FROM node:24-trixie-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`; if you build for more than one architecture, pin the manifest-list (index) digest rather than a single-platform one. Keep the tag in the reference so the intended version stays readable. A digest pin also freezes base-image security updates, so re-pin via a scheduled bot (Renovate, Dependabot) that actually runs."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state. The record must be written server-side from the authenticated request, not trusted from a client-supplied flag, and IP address and user agent are personal data with their own retention limits."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "Create .dockerignore before using broad context copies, or copy only the required files and 
directories."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with a separate args array and without `shell: true`; never pass shell strings. Still validate each argument against an allowlist, because many programs treat an argument beginning with `-` as an option."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.SONAR_HOST_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`,", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.SONAR_HOST_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SONAR_HOST_URL }` lets a PR from any fork exfiltrate the secr"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs anywhere in that job: on `pull_request_target` the job runs in the base repository with its secrets and a write-capable GITHUB_TOKEN, so checking out `github.event.pull_request.head.sha` and then running the PR's build, tests or scripts hands both to the fork. If the scan needs the PR's code, run it in an unprivileged `pull_request` job and consume the results from a separate privileged `workflow_run` job. Note that GitHub does not pass repository secrets to `pull_request` runs triggered from forks (the reference resolves to an empty string), so confirm the trigger and the PR origin before rating this as exfiltration rather than a failing scan."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "JRN001", "name": "Token handoff appears to use a callback URL or fragment", "shortDescription": {"text": "Token handoff appears to use a callback URL or fragment"}, "fullDescription": {"text": "Use a server-side one-time authorization code tied to a registered callback allowlist. 
Do not append access tokens to callback URLs or fragments."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/679"}, "properties": {"repository": "diegosouzapw/OmniRoute", "repoUrl": "https://github.com/diegosouzapw/OmniRoute/", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 45583, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 45577, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express", "Next.js"], 
"expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 45576, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 45574, "scanner": "repobility-agent-runtime", "fingerprint": "2ba398809b2e6b25f75a0e73ca23f1395baa17ddccbc3ffd87dbdea48d317e64", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|2ba398809b2e6b25f75a0e73ca23f1395baa17ddccbc3ffd87dbdea48d317e64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/accountFallback.ts"}, "region": {"startLine": 359}}}]}, {"ruleId": "CFG006", "level": "warning", "message": 
{"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 45553, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 45552, "scanner": "repobility-threat-engine", "fingerprint": "965750c74e78d8601298a31630c676b65fdab08f5c69e3385b5c4589986d7f70", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern.source, flags);\n}\n\nfunction compileUserPatterns(patterns: Array<string | RegExp>", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|965750c74e78d8601298a31630c676b65fdab08f5c69e3385b5c4589986d7f70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/compression/preservation.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] 
eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 45548, "scanner": "repobility-threat-engine", "fingerprint": "a0b6f80af3441a8db093aaeb9d507cd937544d56ebc7e9e9466992d551aeae6f", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|126|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/signatureCache.ts"}, "region": {"startLine": 126}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 45547, "scanner": "repobility-threat-engine", "fingerprint": "48a63eca05a47143e5e1c82d10109791c4ec1e2458b493a2f31adda6a1d5070c", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|93|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/comboAgentMiddleware.ts"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 45546, "scanner": "repobility-threat-engine", "fingerprint": "5c170a3c9efd2a6c959168dfb0de76f1e479ca9f27ac1349c63e7845942cb87a", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|315|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/apiKeyRotator.ts"}, "region": {"startLine": 315}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 45533, "scanner": "repobility-threat-engine", "fingerprint": "2b2108ae73a90700ee9ab8125448fd120febb4bf875e1caf59153e2287690aea", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() < effectiv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2b2108ae73a90700ee9ab8125448fd120febb4bf875e1caf59153e2287690aea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/autoCombo/engine.ts"}, "region": {"startLine": 137}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is 
predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 45532, "scanner": "repobility-threat-engine", "fingerprint": "72eff4c0d7fe1bd33f764fac2f64d1244ea168d3947fd746845379deb7ab4c6b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random().toString(36).slice(2)}`,\n    };\n  }\n\n  async refreshCopilotToken(githubAccessToken", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|72eff4c0d7fe1bd33f764fac2f64d1244ea168d3947fd746845379deb7ab4c6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/executors/github.ts"}, "region": {"startLine": 154}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 45531, "scanner": "repobility-threat-engine", "fingerprint": "ccdbfc489592c46b8d3e2165e1ce69803fac3c0211d4d0a7ad60ec976cd20202", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ccdbfc489592c46b8d3e2165e1ce69803fac3c0211d4d0a7ad60ec976cd20202"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/handlers/embeddings.ts"}, "region": {"startLine": 213}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 45530, 
"scanner": "repobility-threat-engine", "fingerprint": "0b7731064fbfd30154b4709f5d196ca39c0c4c676dd976238582408af09f20c2", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0b7731064fbfd30154b4709f5d196ca39c0c4c676dd976238582408af09f20c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/executors/gemini-web.ts"}, "region": {"startLine": 175}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 45584, "scanner": "repobility-web-presence", "fingerprint": "99ca8a2db121f8721bd12cde0905f331f26be8da30b9602e3bc4b52d63686c59", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|99ca8a2db121f8721bd12cde0905f331f26be8da30b9602e3bc4b52d63686c59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/antigravityHeaders.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 45582, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": 
"Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 45581, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 45580, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45573, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c131b347532e4a4e9bd674a793c4d1f322648a378b28f16799a2e8d14322dde4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "open-sse/services/chatgptTlsClient.ts", "duplicate_line": 12, "correlation_key": "fp|c131b347532e4a4e9bd674a793c4d1f322648a378b28f16799a2e8d14322dde4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/perplexityTlsClient.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45572, "scanner": "repobility-ai-code-hygiene", "fingerprint": "89738305db7a80b6352414d541602d8ecf31c2785e405ea6b38faa0798cba3e4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "open-sse/services/crofUsageFetcher.ts", "duplicate_line": 20, "correlation_key": "fp|89738305db7a80b6352414d541602d8ecf31c2785e405ea6b38faa0798cba3e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/genericQuotaFetcher.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": 
{"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45571, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d0c57360dae953688daecd3089223d013f105fcfaca34bd3a21e477273bda692", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "open-sse/services/bailianQuotaFetcher.ts", "duplicate_line": 17, "correlation_key": "fp|d0c57360dae953688daecd3089223d013f105fcfaca34bd3a21e477273bda692"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/deepseekQuotaFetcher.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45570, "scanner": "repobility-ai-code-hygiene", "fingerprint": "75e9521b342baf0d356165b1d9100c46c847d2e29102587abab1281d07149571", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "open-sse/services/bailianQuotaFetcher.ts", "duplicate_line": 17, "correlation_key": "fp|75e9521b342baf0d356165b1d9100c46c847d2e29102587abab1281d07149571"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/crofUsageFetcher.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45569, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "bc8b25b02d1bfcef6baa850d90eaefe9608dcdcf666920f91cf78ca9e231c893", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "open-sse/services/compression/engines/cavemanAdapter.ts", "duplicate_line": 256, "correlation_key": "fp|bc8b25b02d1bfcef6baa850d90eaefe9608dcdcf666920f91cf78ca9e231c893"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/compression/strategySelector.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45568, "scanner": "repobility-ai-code-hygiene", "fingerprint": "19bc7dd462c908f8dd7f7e5db2a5c8674a974dba31ae14fe52e0049698610cdd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "open-sse/services/bailianQuotaFetcher.ts", "duplicate_line": 17, "correlation_key": "fp|19bc7dd462c908f8dd7f7e5db2a5c8674a974dba31ae14fe52e0049698610cdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/codexQuotaFetcher.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45567, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"8a77c03af398a41f40e600f15cf3e00c1272acf8be7f8e14fcfd70fabac0221f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "open-sse/services/chatgptTlsClient.ts", "duplicate_line": 12, "correlation_key": "fp|8a77c03af398a41f40e600f15cf3e00c1272acf8be7f8e14fcfd70fabac0221f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/claudeTlsClient.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45566, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a66d9bf1cab1ab969a6a752f31b18dec798bc6773e0b1dbbe8ff621c24c28592", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "open-sse/services/antigravityObfuscation.ts", "duplicate_line": 3, "correlation_key": "fp|a66d9bf1cab1ab969a6a752f31b18dec798bc6773e0b1dbbe8ff621c24c28592"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/claudeCodeObfuscation.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45565, "scanner": "repobility-ai-code-hygiene", "fingerprint": "76273051550579b8887be76cc274b87ec4618fb3715cf091a76a1204520f39fc", "category": "quality", "severity": "low", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "open-sse/handlers/musicGeneration.ts", "duplicate_line": 90, "correlation_key": "fp|76273051550579b8887be76cc274b87ec4618fb3715cf091a76a1204520f39fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/handlers/videoGeneration.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45564, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d43ccdb301f1fdceeb989821121f3818530c44dc24198558ada39e92826215e5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "open-sse/handlers/audioSpeech.ts", "duplicate_line": 16, "correlation_key": "fp|d43ccdb301f1fdceeb989821121f3818530c44dc24198558ada39e92826215e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/handlers/audioTranscription.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45563, "scanner": "repobility-ai-code-hygiene", "fingerprint": "604e5e6d59378e07612fca665202ebf5473c4a4f810deb6adf3deb8faf2d3821", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test 
files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "open-sse/executors/nlpcloud.ts", "duplicate_line": 109, "correlation_key": "fp|604e5e6d59378e07612fca665202ebf5473c4a4f810deb6adf3deb8faf2d3821"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/executors/petals.ts"}, "region": {"startLine": 132}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45562, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8fe3d90a7a356ebfbafd825051d7e4c71feb339d424701b78ed487b0dde5b045", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "open-sse/executors/blackbox-web.ts", "duplicate_line": 41, "correlation_key": "fp|8fe3d90a7a356ebfbafd825051d7e4c71feb339d424701b78ed487b0dde5b045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/executors/petals.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45561, "scanner": "repobility-ai-code-hygiene", "fingerprint": "40357aacdd558cb90bdc148c2644a3bc8328376e49fe977eb481f735056f31ef", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"open-sse/executors/gitlab.ts", "duplicate_line": 30, "correlation_key": "fp|40357aacdd558cb90bdc148c2644a3bc8328376e49fe977eb481f735056f31ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/executors/petals.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45560, "scanner": "repobility-ai-code-hygiene", "fingerprint": "98dddb4b9aa44d5474122cd85ec2019c7cb8ace7f058007d057607a3814be29d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "open-sse/executors/default.ts", "duplicate_line": 375, "correlation_key": "fp|98dddb4b9aa44d5474122cd85ec2019c7cb8ace7f058007d057607a3814be29d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/executors/opencode.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45559, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c1e6995e02b3542911889c314052947a37792d9355102373bd13a1c934ac34bb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "open-sse/executors/blackbox-web.ts", "duplicate_line": 41, "correlation_key": "fp|c1e6995e02b3542911889c314052947a37792d9355102373bd13a1c934ac34bb"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "open-sse/executors/nlpcloud.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45558, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1cd4db61393c94ac64115933b2600497c53917c22f0e3c5aed84d90b4a96063e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "open-sse/executors/gitlab.ts", "duplicate_line": 31, "correlation_key": "fp|1cd4db61393c94ac64115933b2600497c53917c22f0e3c5aed84d90b4a96063e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/executors/nlpcloud.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45557, "scanner": "repobility-ai-code-hygiene", "fingerprint": "83d882595ad4b458cade73198b36c7685d247f84a6a502e7e7cf14e6a7bd5c6e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "open-sse/executors/cliproxyapi.ts", "duplicate_line": 91, "correlation_key": "fp|83d882595ad4b458cade73198b36c7685d247f84a6a502e7e7cf14e6a7bd5c6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/executors/ninerouter.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", 
"message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45556, "scanner": "repobility-ai-code-hygiene", "fingerprint": "88abd548a11b413540059db12fb0b232a685ac26dea12ba4baec56574c9ee631", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "open-sse/executors/blackbox-web.ts", "duplicate_line": 41, "correlation_key": "fp|88abd548a11b413540059db12fb0b232a685ac26dea12ba4baec56574c9ee631"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/executors/gitlab.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45555, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5213a8cd6c05f5ff331f8bda9636b4e290ab87479ba7e5532851339f3a17fe03", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "open-sse/executors/base.ts", "duplicate_line": 309, "correlation_key": "fp|5213a8cd6c05f5ff331f8bda9636b4e290ab87479ba7e5532851339f3a17fe03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/executors/default.ts"}, "region": {"startLine": 240}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45554, "scanner": "repobility-ai-code-hygiene", 
"fingerprint": "ba1ab73cec42bbf003dbc6afcb6b99ba7709b0e1d4d676e29fe932159749cea1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "open-sse/config/audioRegistry.ts", "duplicate_line": 350, "correlation_key": "fp|ba1ab73cec42bbf003dbc6afcb6b99ba7709b0e1d4d676e29fe932159749cea1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/config/registryUtils.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 45545, "scanner": "repobility-threat-engine", "fingerprint": "f18933be2d43a6f2b86aba60a194501d92b01604e86efa860079d4abf0349f9e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f18933be2d43a6f2b86aba60a194501d92b01604e86efa860079d4abf0349f9e"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 45541, "scanner": "repobility-threat-engine", "fingerprint": "7eac65c6d729ce731cf7f1b0d32d88551e2714b6a555982628995e228d42ee93", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7eac65c6d729ce731cf7f1b0d32d88551e2714b6a555982628995e228d42ee93", "aggregated_count": 3}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 45540, "scanner": "repobility-threat-engine", "fingerprint": "7c8b210fc64ded8b3d9569d486a7fcef86676efdb0894eee859d2e4dad1352a8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7c8b210fc64ded8b3d9569d486a7fcef86676efdb0894eee859d2e4dad1352a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/cloudCodeThinking.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 45539, "scanner": "repobility-threat-engine", "fingerprint": "8c8005af3e9942bfe6a87b7282751a541ce8aad360cbcd193f9c5496beac6dc2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8c8005af3e9942bfe6a87b7282751a541ce8aad360cbcd193f9c5496beac6dc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/claudeCodeCCH.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 45538, "scanner": "repobility-threat-engine", "fingerprint": "8e4f85da57b410a30e9ecfbbb4acf4d3c5c37a49197dc311f271359692411c79", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8e4f85da57b410a30e9ecfbbb4acf4d3c5c37a49197dc311f271359692411c79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/mcp-server/httpTransport.ts"}, "region": {"startLine": 174}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 45537, "scanner": "repobility-threat-engine", "fingerprint": "9795a602ff394f0f3327ccb65ba846109303ac4fabde17b13e1d9974e5555472", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9795a602ff394f0f3327ccb65ba846109303ac4fabde17b13e1d9974e5555472"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "open-sse/executors/veoaifree-web.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 45536, "scanner": "repobility-threat-engine", "fingerprint": "df4d0be9502dac2e5e2a40106fa27c5edbb572f49e74453ed5321024df368d29", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|df4d0be9502dac2e5e2a40106fa27c5edbb572f49e74453ed5321024df368d29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/executors/ninerouter.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 45535, "scanner": "repobility-threat-engine", "fingerprint": "6e3e4adf728bc0b33d3bb0b9a7776ba7a6c23a9834e2378eedebe2e679312ba1", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|14|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/antigravityIdentity.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 45534, "scanner": "repobility-threat-engine", "fingerprint": "18505e862e1cdd8c16e6000f187c557dbdd9f96db84c95e0b969b966d5c04170", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|154|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/executors/github.ts"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 45529, "scanner": 
"repobility-threat-engine", "fingerprint": "1cf8984907e1905e8554e897d9c0ce9bdcf33ddbcd595230378d3762b2293473", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1cf8984907e1905e8554e897d9c0ce9bdcf33ddbcd595230378d3762b2293473"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/mcp-server/tools/gamificationTools.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 45528, "scanner": "repobility-threat-engine", "fingerprint": "65272770fa55f5172fe9438e9732e878e070198da85b179d4b89d991c0326b7e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|65272770fa55f5172fe9438e9732e878e070198da85b179d4b89d991c0326b7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/executors/claude-web-with-auto-refresh.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": 
"[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 45527, "scanner": "repobility-threat-engine", "fingerprint": "62391dd8a7e57801d65f2929a9d2c843ed0e6c3905f34413cd622085ce06dd58", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|62391dd8a7e57801d65f2929a9d2c843ed0e6c3905f34413cd622085ce06dd58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/executors/claude-web-auto-refresh.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 45526, "scanner": "repobility-threat-engine", "fingerprint": "72212593c6dca51ba91f73051cd4c4f876807798f883c1742382668a805cc051", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|72212593c6dca51ba91f73051cd4c4f876807798f883c1742382668a805cc051", "aggregated_count": 6}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 45525, "scanner": "repobility-threat-engine", "fingerprint": "4a7cc2c103a121ac4e436d4394dc8002bcafb610f03524c9c035543f08963d1b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4a7cc2c103a121ac4e436d4394dc8002bcafb610f03524c9c035543f08963d1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/executors/github.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 45524, "scanner": "repobility-threat-engine", "fingerprint": "ea4201d0d0ef4df6b1e449424971a56c41aff1213106273a16c997fe9b1dd18c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ea4201d0d0ef4df6b1e449424971a56c41aff1213106273a16c997fe9b1dd18c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/executors/gemini-web.ts"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 45523, "scanner": "repobility-threat-engine", "fingerprint": "6b0c6d386d8e0187ad029ebdd3d4ad6cfcb56a95589a88e53bce1f9762071c1d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6b0c6d386d8e0187ad029ebdd3d4ad6cfcb56a95589a88e53bce1f9762071c1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/executors/azure-openai.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 45522, "scanner": "repobility-threat-engine", "fingerprint": "c17c3c334a0c891d86f3db6af749774e09bf68bbf397b5eac82d842bd1fc7f0c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c17c3c334a0c891d86f3db6af749774e09bf68bbf397b5eac82d842bd1fc7f0c", "aggregated_count": 9}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 45521, "scanner": "repobility-threat-engine", "fingerprint": "f4ad8756794af582f7fd6222737a98adb0d714bf2f9dc02434f15c58fd860514", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f4ad8756794af582f7fd6222737a98adb0d714bf2f9dc02434f15c58fd860514"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/executors/deepseek-web-with-auto-refresh.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 45520, "scanner": "repobility-threat-engine", "fingerprint": "353175f556aa9a67c73e5560a28fd3c034e697989b274c4bee5154a3e9df34ce", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|353175f556aa9a67c73e5560a28fd3c034e697989b274c4bee5154a3e9df34ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/config/credentialLoader.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 45519, "scanner": "repobility-threat-engine", "fingerprint": "6da74b0dd9f0ce2a4036ced5b5b847af0515e5d94b99f04df9dc18df5aa282b3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6da74b0dd9f0ce2a4036ced5b5b847af0515e5d94b99f04df9dc18df5aa282b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/config/constants.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "properties": {"repobilityId": 45518, "scanner": "repobility-threat-engine", "fingerprint": "9a4dded8559d76bfe00bc64cc7f3b84ea0bd9b1742965a6b760ddbb7eebe1048", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 17 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9a4dded8559d76bfe00bc64cc7f3b84ea0bd9b1742965a6b760ddbb7eebe1048"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 45514, "scanner": "repobility-threat-engine", "fingerprint": "54788ada82aa489e875938ab58165ca4b1594eca53726465dbeab561ecdd5864", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|54788ada82aa489e875938ab58165ca4b1594eca53726465dbeab561ecdd5864"}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 45510, "scanner": "repobility-threat-engine", "fingerprint": "c066fdac20648ab02e6c78e05ac6d7be6049c4550b793a58bcd25dd5d0594df0", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c066fdac20648ab02e6c78e05ac6d7be6049c4550b793a58bcd25dd5d0594df0"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45610, "scanner": "repobility-supply-chain", "fingerprint": "f68ec219f61c4f00fdd059a84c2a5d6a1197e7591e32e848298f33ce77723460", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f68ec219f61c4f00fdd059a84c2a5d6a1197e7591e32e848298f33ce77723460"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45609, "scanner": "repobility-supply-chain", "fingerprint": "7edfaf94e845aa9cfbea85eb68228e94f98f24276781142b00db3c08b66f9f01", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7edfaf94e845aa9cfbea85eb68228e94f98f24276781142b00db3c08b66f9f01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45608, "scanner": "repobility-supply-chain", "fingerprint": "da20bfccae8e3c3e410f16f3c2641b6007726e2a26097a78c5e7c439fdd643b2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|da20bfccae8e3c3e410f16f3c2641b6007726e2a26097a78c5e7c439fdd643b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45607, "scanner": "repobility-supply-chain", "fingerprint": "e54297cf8d2016c3e36ea4736cb4e9a33f75447deb8804f3d0e541efbe856e2a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e54297cf8d2016c3e36ea4736cb4e9a33f75447deb8804f3d0e541efbe856e2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45606, "scanner": "repobility-supply-chain", "fingerprint": "043656aa024c1c64efcfe976add501aea29981135bde9382ce2b016353d72d75", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|043656aa024c1c64efcfe976add501aea29981135bde9382ce2b016353d72d75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45605, "scanner": "repobility-supply-chain", "fingerprint": "1284683314954eca356da47eb89d0e873a8edea62bf8c51cb6019659ec8b2655", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1284683314954eca356da47eb89d0e873a8edea62bf8c51cb6019659ec8b2655"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45604, "scanner": "repobility-supply-chain", "fingerprint": "0d3deab8928db24243ebf065629c7279e5d62d994a3de96a0aca1a7f6d784fb3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0d3deab8928db24243ebf065629c7279e5d62d994a3de96a0aca1a7f6d784fb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peter-evans/dockerhub-description` pinned to mutable ref `@v5`: `uses: peter-evans/dockerhub-description@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45603, "scanner": "repobility-supply-chain", "fingerprint": "471f3fda382273120e5ec2db697e70f7a86c60c46eb4e8a1f6bc214546860deb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|471f3fda382273120e5ec2db697e70f7a86c60c46eb4e8a1f6bc214546860deb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-publish.yml"}, "region": {"startLine": 289}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45602, "scanner": "repobility-supply-chain", "fingerprint": "5a1e416298675338fab1ac5333bd061c5d81315a2f8ff3e6c6e83b7664039ad6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5a1e416298675338fab1ac5333bd061c5d81315a2f8ff3e6c6e83b7664039ad6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-publish.yml"}, "region": {"startLine": 232}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45601, "scanner": "repobility-supply-chain", "fingerprint": "13076b3f482fe032f1707bb988e665cfda5166cce2ba282956cf3daafbfed718", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|13076b3f482fe032f1707bb988e665cfda5166cce2ba282956cf3daafbfed718"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-publish.yml"}, "region": {"startLine": 210}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45600, "scanner": "repobility-supply-chain", "fingerprint": "73fc8e3bed2ca26c8ecb858acb374fb4c5b704b84b2b6e1959f7f17f214d92f4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|73fc8e3bed2ca26c8ecb858acb374fb4c5b704b84b2b6e1959f7f17f214d92f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-publish.yml"}, "region": {"startLine": 189}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45599, "scanner": "repobility-supply-chain", "fingerprint": "052557466db7fc4eeebc3919eb4c32d5e65a318b662bad585ebd817ccf83e9b7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|052557466db7fc4eeebc3919eb4c32d5e65a318b662bad585ebd817ccf83e9b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-publish.yml"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45598, "scanner": "repobility-supply-chain", "fingerprint": "f8033bd7fd404e85b249295e3dc855105ed62828116ceee82b9147d1237f06c9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f8033bd7fd404e85b249295e3dc855105ed62828116ceee82b9147d1237f06c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-publish.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v3`: `uses: softprops/action-gh-release@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45597, "scanner": "repobility-supply-chain", "fingerprint": "9dc57a3b3eb55ee92958de212f174fcc1e348ea078f1fab755ca0a9022e6fa50", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9dc57a3b3eb55ee92958de212f174fcc1e348ea078f1fab755ca0a9022e6fa50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/electron-release.yml"}, "region": {"startLine": 217}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45596, "scanner": "repobility-supply-chain", "fingerprint": "49fc430f48d010e48b186e3630204747b526aa93cdaab2a839008c7ce402a060", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|49fc430f48d010e48b186e3630204747b526aa93cdaab2a839008c7ce402a060"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/electron-release.yml"}, "region": {"startLine": 195}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45595, "scanner": "repobility-supply-chain", "fingerprint": "d37a2b1f7a4b95d81ebcfa2f5ac6143ecaf599b1886784d67032cb6f6c18d6e0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d37a2b1f7a4b95d81ebcfa2f5ac6143ecaf599b1886784d67032cb6f6c18d6e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/electron-release.yml"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45594, "scanner": "repobility-supply-chain", "fingerprint": "1b92799787bdda307ad594a2d7c956ed05a4ec264c06ad496ef03b90f99c2598", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1b92799787bdda307ad594a2d7c956ed05a4ec264c06ad496ef03b90f99c2598"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/electron-release.yml"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45593, "scanner": "repobility-supply-chain", "fingerprint": "117a549bb945cca5f986d4974f702963804be6771c43c147a60d470b07d68906", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|117a549bb945cca5f986d4974f702963804be6771c43c147a60d470b07d68906"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/electron-release.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45592, "scanner": "repobility-supply-chain", "fingerprint": "79efcb25edb1505083fc8f2d85d6a57ef500f03c953f37e29ecdac95ced939ce", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|79efcb25edb1505083fc8f2d85d6a57ef500f03c953f37e29ecdac95ced939ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/electron-release.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45591, "scanner": "repobility-supply-chain", "fingerprint": "8a46e74e47ddedc5505c7e4f5fc4b4982e44614589e83487f0c818d1541a780d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8a46e74e47ddedc5505c7e4f5fc4b4982e44614589e83487f0c818d1541a780d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/electron-release.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45590, "scanner": "repobility-supply-chain", "fingerprint": "68b7c884e9b6540171404c4fd55beaf091ae06f2684e9420140e37157de87780", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|68b7c884e9b6540171404c4fd55beaf091ae06f2684e9420140e37157de87780"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/electron-release.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45589, "scanner": "repobility-supply-chain", "fingerprint": "c8a0bc5c5ca8549ddeeb2d40f5219cfe2ebe54a8847cab5ef2317285d658d2b6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c8a0bc5c5ca8549ddeeb2d40f5219cfe2ebe54a8847cab5ef2317285d658d2b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 180}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45588, "scanner": "repobility-supply-chain", "fingerprint": "3e17a9993fa8e2d5b0f36ba354b3e954cbe038a66f98d7b4aa912e6ec4d99ba1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3e17a9993fa8e2d5b0f36ba354b3e954cbe038a66f98d7b4aa912e6ec4d99ba1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 177}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45587, "scanner": "repobility-supply-chain", "fingerprint": "4a38516493816b64bf5671507015f3171051367915032e63eab4ebcdbcea3533", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4a38516493816b64bf5671507015f3171051367915032e63eab4ebcdbcea3533"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 45586, "scanner": "repobility-supply-chain", "fingerprint": "93658446de64b042956e6a72fc80961c159f19d8d739c5f5f9e14c78f6ab3456", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|93658446de64b042956e6a72fc80961c159f19d8d739c5f5f9e14c78f6ab3456"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-trixie-slim` not pinned by digest: `FROM node:24-trixie-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 45585, "scanner": "repobility-supply-chain", "fingerprint": "79c7d83ed778b5e031c376ceda970381b2d1c32e898fa415a6acb15348e231fb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|79c7d83ed778b5e031c376ceda970381b2d1c32e898fa415a6acb15348e231fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 45579, "scanner": "repobility-journey-contract", "fingerprint": "7e41f4d039b669a5d5b19d2735b3a3d390bacb7bc958daecc33b085bc1afe8f0", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|319|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/compression/engines/rtk/commandDetector.ts"}, "region": {"startLine": 319}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 45575, "scanner": "repobility-docker", "fingerprint": 
"05e15082e2a40f82214dcea7e870786ae6e3cb9455f4cccc55b872455a632cd8", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|05e15082e2a40f82214dcea7e870786ae6e3cb9455f4cccc55b872455a632cd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 45551, "scanner": "repobility-threat-engine", "fingerprint": "ac030016eeaf33e0d9fb3c6645d1ca73adf0ceef3da170470e16e1e75f5d4f5f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ac030016eeaf33e0d9fb3c6645d1ca73adf0ceef3da170470e16e1e75f5d4f5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/signatureCache.ts"}, "region": {"startLine": 126}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 45550, "scanner": "repobility-threat-engine", "fingerprint": "00078cca2501226c363375dc07fd79c70e2cd36005caeac1227c89139ba86e93", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(msg", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|00078cca2501226c363375dc07fd79c70e2cd36005caeac1227c89139ba86e93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/comboAgentMiddleware.ts"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 45549, "scanner": "repobility-threat-engine", "fingerprint": "f9c4a77b4126b062721d6e01083bbe49b575065f334840d495469a3e0bb6ae08", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(selectedKeyId", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f9c4a77b4126b062721d6e01083bbe49b575065f334840d495469a3e0bb6ae08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/apiKeyRotator.ts"}, "region": {"startLine": 315}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 45544, "scanner": "repobility-threat-engine", "fingerprint": "0dfb46d6129aa1126f3d5ae2b8d05cdbbb7d29c668b018a83832648f8f6d2ccf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0dfb46d6129aa1126f3d5ae2b8d05cdbbb7d29c668b018a83832648f8f6d2ccf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/comboAgentMiddleware.ts"}, "region": {"startLine": 127}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 45543, "scanner": "repobility-threat-engine", "fingerprint": "f999b34c1665a694648db3dbc1458482fdd49eefa07339313fe7f7a6b5e97b12", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(escapeRegex", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f999b34c1665a694648db3dbc1458482fdd49eefa07339313fe7f7a6b5e97b12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/claudeCodeObfuscation.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 45542, "scanner": "repobility-threat-engine", "fingerprint": "ef51f915abfca5bb0fae3f369d14e93c6cd04f04425bfe7a94a7dcc095141d6a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(escapeRegex", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ef51f915abfca5bb0fae3f369d14e93c6cd04f04425bfe7a94a7dcc095141d6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/antigravityObfuscation.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 45517, "scanner": "repobility-threat-engine", "fingerprint": "6517cd7de18c3032690b655622849b54b3360457027ef6f4081b891b7fb41a06", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_streamableSessions.delete(sessionId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6517cd7de18c3032690b655622849b54b3360457027ef6f4081b891b7fb41a06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/mcp-server/httpTransport.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 45516, "scanner": "repobility-threat-engine", "fingerprint": "0dfad7207cf98ae9391d7beea37d39226fa9336aadcc3c1e11ec26e18b3e23c5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "tokenCache.delete(this.currentUserToken);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0dfad7207cf98ae9391d7beea37d39226fa9336aadcc3c1e11ec26e18b3e23c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/executors/deepseek-web-with-auto-refresh.ts"}, "region": {"startLine": 104}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 45515, "scanner": "repobility-threat-engine", "fingerprint": "aa3b792986bfe05623b47b737256fbefd2478b36ce627180be94ad7f9edd2ff9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "remaining.delete(key);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aa3b792986bfe05623b47b737256fbefd2478b36ce627180be94ad7f9edd2ff9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/config/cliFingerprints.ts"}, "region": {"startLine": 268}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 45513, "scanner": "repobility-threat-engine", "fingerprint": "bf8a8614a8d70cce787ac7a090dd08664a4931825b476ce135f43f6b5b99acc6", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(v", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bf8a8614a8d70cce787ac7a090dd08664a4931825b476ce135f43f6b5b99acc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/config/datarobot.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 45512, "scanner": "repobility-threat-engine", "fingerprint": "feb31f7b5bdb2ddc776a86a0da504c16de2b10e5677db95cf66fee41952b05e5", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(v", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|feb31f7b5bdb2ddc776a86a0da504c16de2b10e5677db95cf66fee41952b05e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/config/bedrock.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 45511, "scanner": "repobility-threat-engine", "fingerprint": "86a151faa04dea49a08c2debb2b7cc8bf9f5e72f499b74053379127033687371", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(v", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|86a151faa04dea49a08c2debb2b7cc8bf9f5e72f499b74053379127033687371"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/config/azureAi.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 45509, "scanner": "repobility-threat-engine", "fingerprint": "cdb85f65eab19095f2a987e1f9f6709aa161deb004bbd433268e337dfc881fd7", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n        (entry) =>\n          `${entry.target.modelStr}=${entry.score?.score.toFixed(3)} pass=${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cdb85f65eab19095f2a987e1f9f6709aa161deb004bbd433268e337dfc881fd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/evalRouting.ts"}, "region": {"startLine": 264}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 45508, "scanner": "repobility-threat-engine", "fingerprint": "ad29c8ef6f78300ff56994ff2619251dba3df7f8071973126bbb7c4976cc4960", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((_, i) => `extra_${i}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ad29c8ef6f78300ff56994ff2619251dba3df7f8071973126bbb7c4976cc4960"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/services/apiKeyRotator.ts"}, "region": {"startLine": 222}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 45507, "scanner": "repobility-threat-engine", "fingerprint": "b5d03b5e07d2c5697dbd0f0ce9d78caa6590f0e2da78ae7e66a7d625101d9b6c", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((baseUrl) => `${baseUrl}${path}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b5d03b5e07d2c5697dbd0f0ce9d78caa6590f0e2da78ae7e66a7d625101d9b6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/config/antigravityUpstream.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SONAR_HOST_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.SONAR_HOST_URL }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 45612, "scanner": "repobility-supply-chain", "fingerprint": "368fd38d756b242570a1d075faefe19df51ef54a3595e01e6a601a81147aea95", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|368fd38d756b242570a1d075faefe19df51ef54a3595e01e6a601a81147aea95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 386}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SONAR_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.SONAR_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 45611, "scanner": "repobility-supply-chain", "fingerprint": "67df92d3c9ff0175e3d6b39b211c995e49f80e32b1f26b7900648e589c563f46", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|67df92d3c9ff0175e3d6b39b211c995e49f80e32b1f26b7900648e589c563f46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 385}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 45578, "scanner": "repobility-journey-contract", "fingerprint": "d403e7432c22ec50940d4485009fc6bd43b19d9a786bbe56fcf7004bbdd9a1cf", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|275|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "open-sse/executors/chatgpt-web.ts"}, "region": {"startLine": 275}}}]}]}]}