{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT016", "name": "Codex session log reader may expose prompts or tool-call content", "shortDescription": {"text": "Codex session log reader may expose prompts or tool-call content"}, "fullDescription": {"text": "Codex session JSONL files can contain prompts, tool events, paths, and operational metadata, not only token counts. Token dashboards and exporters should avoid retaining or sharing raw session text."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.73, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/376"}, "properties": {"repository": "Imbad0202/academic-research-skills", "repoUrl": "https://github.com/Imbad0202/academic-research-skills.git", "branch": "main"}, "results": [{"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 12178, "scanner": "repobility-threat-engine", "fingerprint": "616367ccf172a97f133d4cda704c992cb8d1849fd1f5e2e03a5422f2e99d0c39", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|616367ccf172a97f133d4cda704c992cb8d1849fd1f5e2e03a5422f2e99d0c39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check_audit_artifact_consistency.py"}, "region": {"startLine": 1975}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 12177, "scanner": "repobility-threat-engine", "fingerprint": "61748138d8e17569b77c86def2fd78edd83615a320ba05d413efead5065e36e3", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|134|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/_next_verified_at_ms.py"}, "region": {"startLine": 134}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 12175, "scanner": "repobility-agent-runtime", "fingerprint": 
"507004dd8cacac5228f6216361b7b5d29d9c74cc417f37fbc6b60317a5290314", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|507004dd8cacac5228f6216361b7b5d29d9c74cc417f37fbc6b60317a5290314"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/run_codex_audit.sh"}, "region": {"startLine": 26}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 12174, "scanner": "repobility-agent-runtime", "fingerprint": "818bb0600ff69cd8411a675c773fece2955f5558b4f8c26409ef30d9d62f2236", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|818bb0600ff69cd8411a675c773fece2955f5558b4f8c26409ef30d9d62f2236"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/SETUP.zh-TW.md"}, "region": {"startLine": 23}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 12173, "scanner": "repobility-agent-runtime", "fingerprint": "ef974d24c8aabe990a0ea8dc139d9484fac145a24ef646337b1d25af1f552f98", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ef974d24c8aabe990a0ea8dc139d9484fac145a24ef646337b1d25af1f552f98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "QUICKSTART.md"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12172, "scanner": "repobility-ai-code-hygiene", "fingerprint": "042208c237278ececf9118a8668ad45bfb8f270dbc049954387d79da65bab92a", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/check_benchmark_report.py", "duplicate_line": 38, "correlation_key": "fp|042208c237278ececf9118a8668ad45bfb8f270dbc049954387d79da65bab92a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check_compliance_report.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC007", "level": "none", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 12176, "scanner": "repobility-threat-engine", "fingerprint": "2865cae48312d8fff49d0bca9f1567783902e6de7a9810cf2c2ea50dd907b610", "category": "deserialization", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'SafeLoader' detected on same line", "evidence": {"match": "yaml.load(", "reason": "Safe pattern 'SafeLoader' detected on same line", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": 
"code|deserialization|token|219|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check_audit_artifact_consistency.py"}, "region": {"startLine": 219}}}]}]}]}