{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-pq67-6m6q-mj2v", "name": "urllib3: GHSA-pq67-6m6q-mj2v", "shortDescription": {"text": "urllib3: GHSA-pq67-6m6q-mj2v"}, "fullDescription": {"text": "urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-48p4-8xcf-vxj5", "name": "urllib3: GHSA-48p4-8xcf-vxj5", "shortDescription": {"text": "urllib3: GHSA-48p4-8xcf-vxj5"}, "fullDescription": {"text": "urllib3 does not control redirects in browsers and Node.js"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2c2j-9gv5-cj73", "name": "starlette: GHSA-2c2j-9gv5-cj73", "shortDescription": {"text": "starlette: GHSA-2c2j-9gv5-cj73"}, "fullDescription": {"text": "Starlette has possible denial-of-service vector when parsing large files in multipart forms"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gc5v-m9x4-r6x2", "name": "requests: GHSA-gc5v-m9x4-r6x2", "shortDescription": {"text": "requests: GHSA-gc5v-m9x4-r6x2"}, "fullDescription": {"text": "Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-g8c6-8fjj-2r4m", "name": "python-socketio: GHSA-g8c6-8fjj-2r4m", "shortDescription": {"text": "python-socketio: GHSA-g8c6-8fjj-2r4m"}, "fullDescription": {"text": "python-socketio vulnerable to arbitrary Python code execution (RCE) through malicious pickle deserialization in certain multi-server deployments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mj87-hwqh-73pj", "name": "python-multipart: GHSA-mj87-hwqh-73pj", "shortDescription": {"text": "python-multipart: GHSA-mj87-hwqh-73pj"}, "fullDescription": {"text": "python-multipart affected by Denial of Service via large multipart preamble or epilogue data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mf9w-mj56-hr94", "name": "python-dotenv: GHSA-mf9w-mj56-hr94", "shortDescription": {"text": "python-dotenv: GHSA-mf9w-mj56-hr94"}, "fullDescription": {"text": "python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-428g-f7cq-pgp5", "name": "marshmallow: GHSA-428g-f7cq-pgp5", "shortDescription": {"text": "marshmallow: GHSA-428g-f7cq-pgp5"}, "fullDescription": {"text": "Marshmallow has DoS in Schema.load(many)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rr7j-v2q5-chgv", "name": "langsmith: GHSA-rr7j-v2q5-chgv", "shortDescription": {"text": "langsmith: GHSA-rr7j-v2q5-chgv"}, "fullDescription": {"text": "LangSmith SDK: Streaming token events bypass output redaction"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mhr3-j7m5-c7c9", "name": "langgraph-checkpoint: GHSA-mhr3-j7m5-c7c9", "shortDescription": {"text": "langgraph-checkpoint: GHSA-mhr3-j7m5-c7c9"}, "fullDescription": {"text": "LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-926x-3r5x-gfhw", "name": "langchain-core: GHSA-926x-3r5x-gfhw", "shortDescription": {"text": "langchain-core: GHSA-926x-3r5x-gfhw"}, "fullDescription": {"text": "LangChain has incomplete f-string validation in prompt templates"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-65pc-fj4g-8rjx", "name": "idna: GHSA-65pc-fj4g-8rjx", "shortDescription": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "fullDescription": {"text": "Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w853-jp5j-5j7f", "name": "filelock: GHSA-w853-jp5j-5j7f", "shortDescription": {"text": "filelock: GHSA-w853-jp5j-5j7f"}, "fullDescription": {"text": "filelock has a TOCTOU race condition which allows symlink attacks during lock file creation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qmgc-5h2g-mvrw", "name": "filelock: GHSA-qmgc-5h2g-mvrw", "shortDescription": {"text": "filelock: GHSA-qmgc-5h2g-mvrw"}, "fullDescription": {"text": "filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w2fm-2cpv-w7v5", "name": "aiohttp: GHSA-w2fm-2cpv-w7v5", "shortDescription": {"text": "aiohttp: GHSA-w2fm-2cpv-w7v5"}, "fullDescription": {"text": "aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p998-jp59-783m", "name": "aiohttp: GHSA-p998-jp59-783m", "shortDescription": {"text": "aiohttp: GHSA-p998-jp59-783m"}, "fullDescription": {"text": "AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-m5qp-6w8w-w647", "name": "aiohttp: GHSA-m5qp-6w8w-w647", "shortDescription": {"text": "aiohttp: GHSA-m5qp-6w8w-w647"}, "fullDescription": {"text": "AIOHTTP has a Multipart Header Size Bypass"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jj3x-wxrx-4x23", "name": "aiohttp: GHSA-jj3x-wxrx-4x23", "shortDescription": {"text": "aiohttp: GHSA-jj3x-wxrx-4x23"}, "fullDescription": {"text": "AIOHTTP vulnerable to DoS when bypassing asserts"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-g84x-mcqj-x9qq", "name": "aiohttp: GHSA-g84x-mcqj-x9qq", "shortDescription": {"text": "aiohttp: GHSA-g84x-mcqj-x9qq"}, "fullDescription": {"text": "AIOHTTP vulnerable to DoS through chunked messages"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c427-h43c-vf67", "name": "aiohttp: GHSA-c427-h43c-vf67", "shortDescription": {"text": "aiohttp: GHSA-c427-h43c-vf67"}, "fullDescription": {"text": "AIOHTTP accepts duplicate Host headers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6jhg-hg63-jvvf", "name": "aiohttp: GHSA-6jhg-hg63-jvvf", "shortDescription": {"text": "aiohttp: GHSA-6jhg-hg63-jvvf"}, "fullDescription": {"text": "AIOHTTP vulnerable to  denial of service through large payloads"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `build_instrument_context` has cognitive complexity 18 (SonarSource scale)", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `build_instrument_context` has cognitive complexity 18 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, an"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 18."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED124", "name": "requirements.txt: `.` has no version pin", "shortDescription": {"text": "requirements.txt: `.` has no version pin"}, "fullDescription": {"text": "Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "Mutable default argument in `__init__` (list)", "shortDescription": {"text": "Mutable default argument in `__init__` (list)"}, "fullDescription": {"text": "`def __init__(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `ollama` image uses the latest tag", "shortDescription": {"text": "Compose service `ollama` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "GHSA-5239-wwwm-4pmq", "name": "pygments: GHSA-5239-wwwm-4pmq", "shortDescription": {"text": "pygments: GHSA-5239-wwwm-4pmq"}, "fullDescription": {"text": "Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g6r-c272-w58r", "name": "langchain-core: GHSA-2g6r-c272-w58r", "shortDescription": {"text": "langchain-core: GHSA-2g6r-c272-w58r"}, "fullDescription": {"text": "LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v492-6xx2-p57g", "name": "chainlit: GHSA-v492-6xx2-p57g", "shortDescription": {"text": "chainlit: GHSA-v492-6xx2-p57g"}, "fullDescription": {"text": "Chainlit contains an authorization bypass vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mwh4-6h8g-pg8w", "name": "aiohttp: GHSA-mwh4-6h8g-pg8w", "shortDescription": {"text": "aiohttp: GHSA-mwh4-6h8g-pg8w"}, "fullDescription": {"text": "AIOHTTP has HTTP response splitting via \\r in reason phrase"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mqqc-3gqh-h2x8", "name": "aiohttp: GHSA-mqqc-3gqh-h2x8", "shortDescription": {"text": "aiohttp: GHSA-mqqc-3gqh-h2x8"}, "fullDescription": {"text": "AIOHTTP has unicode match groups in regexes for ASCII protocol elements"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hcc4-c3v8-rx92", "name": "aiohttp: GHSA-hcc4-c3v8-rx92", "shortDescription": {"text": "aiohttp: GHSA-hcc4-c3v8-rx92"}, "fullDescription": {"text": "AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fh55-r93g-j68g", "name": "aiohttp: GHSA-fh55-r93g-j68g", "shortDescription": {"text": "aiohttp: GHSA-fh55-r93g-j68g"}, "fullDescription": {"text": "AIOHTTP Vulnerable to Cookie Parser Warning Storm"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-966j-vmvw-g2g9", "name": "aiohttp: GHSA-966j-vmvw-g2g9", "shortDescription": {"text": "aiohttp: GHSA-966j-vmvw-g2g9"}, "fullDescription": {"text": "AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9548-qrrj-x5pj", "name": "aiohttp: GHSA-9548-qrrj-x5pj", "shortDescription": {"text": "aiohttp: GHSA-9548-qrrj-x5pj"}, "fullDescription": {"text": " AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-69f9-5gxw-wvc2", "name": "aiohttp: GHSA-69f9-5gxw-wvc2", "shortDescription": {"text": "aiohttp: GHSA-69f9-5gxw-wvc2"}, "fullDescription": {"text": "AIOHTTP's unicode processing of header values could cause parsing discrepancies"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-63hf-3vf5-4wqf", "name": "aiohttp: GHSA-63hf-3vf5-4wqf", "shortDescription": {"text": "aiohttp: GHSA-63hf-3vf5-4wqf"}, "fullDescription": {"text": "AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-54jq-c3m8-4m76", "name": "aiohttp: GHSA-54jq-c3m8-4m76", "shortDescription": {"text": "aiohttp: GHSA-54jq-c3m8-4m76"}, "fullDescription": {"text": "AIOHTTP vulnerable to brute-force leak of internal static \ufb01le path components"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3wq7-rqq7-wx6j", "name": "aiohttp: GHSA-3wq7-rqq7-wx6j", "shortDescription": {"text": "aiohttp: GHSA-3wq7-rqq7-wx6j"}, "fullDescription": {"text": "AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2vrm-gr82-f7m5", "name": "aiohttp: GHSA-2vrm-gr82-f7m5", "shortDescription": {"text": "aiohttp: GHSA-2vrm-gr82-f7m5"}, "fullDescription": {"text": "AIOHTTP has CRLF injection through multipart part content type header construction"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED069", "name": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files.", "shortDescription": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-489 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "GHSA-gm62-xv2j-4w53", "name": "urllib3: GHSA-gm62-xv2j-4w53", "shortDescription": {"text": "urllib3: GHSA-gm62-xv2j-4w53"}, "fullDescription": {"text": "urllib3 allows an unbounded number of links in the decompression chain"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-38jv-5279-wg99", "name": "urllib3: GHSA-38jv-5279-wg99", "shortDescription": {"text": "urllib3: GHSA-38jv-5279-wg99"}, "fullDescription": {"text": "Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2xpw-w6gg-jr37", "name": "urllib3: GHSA-2xpw-w6gg-jr37", "shortDescription": {"text": "urllib3: GHSA-2xpw-w6gg-jr37"}, "fullDescription": {"text": "urllib3 streaming API improperly handles highly compressed data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-141", "name": "urllib3: PYSEC-2026-141", "shortDescription": {"text": "urllib3: PYSEC-2026-141"}, "fullDescription": {"text": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7f5h-v6xp-fcq8", "name": "starlette: GHSA-7f5h-v6xp-fcq8", "shortDescription": {"text": "starlette: GHSA-7f5h-v6xp-fcq8"}, "fullDescription": {"text": "Starlette vulnerable to O(n^2) DoS via Range header merging in ``starlette.responses.FileResponse``"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-161", "name": "starlette: PYSEC-2026-161", "shortDescription": {"text": "starlette: PYSEC-2026-161"}, "fullDescription": {"text": "BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wp53-j4wj-2cfg", "name": "python-multipart: GHSA-wp53-j4wj-2cfg", "shortDescription": {"text": "python-multipart: GHSA-wp53-j4wj-2cfg"}, "fullDescription": {"text": "Python-Multipart has Arbitrary File Write via Non-Default Configuration"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pp6c-gr5w-3c5g", "name": "python-multipart: GHSA-pp6c-gr5w-3c5g", "shortDescription": {"text": "python-multipart: GHSA-pp6c-gr5w-3c5g"}, "fullDescription": {"text": "python-multipart has Denial of Service via unbounded multipart part headers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-120", "name": "pyjwt: PYSEC-2026-120", "shortDescription": {"text": "pyjwt: PYSEC-2026-120"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 \u00a74.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-183", "name": "pyjwt: PYSEC-2025-183", "shortDescription": {"text": "pyjwt: PYSEC-2025-183"}, "fullDescription": {"text": "pyjwt v2.10.1 was discovered to contain weak encryption. NOTE: this is disputed by the Supplier because the key length is chosen by the application that uses the library (admittedly, library users may benefit from a minimum value and a mechanism for opting in to strict enforcement)."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jr27-m4p2-rc6r", "name": "pyasn1: GHSA-jr27-m4p2-rc6r", "shortDescription": {"text": "pyasn1: GHSA-jr27-m4p2-rc6r"}, "fullDescription": {"text": "Denial of Service in pyasn1 via Unbounded Recursion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-63vm-454h-vhhq", "name": "pyasn1: GHSA-63vm-454h-vhhq", "shortDescription": {"text": "pyasn1: GHSA-63vm-454h-vhhq"}, "fullDescription": {"text": "pyasn1 has a DoS vulnerability in decoder"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7gcm-g887-7qv7", "name": "protobuf: GHSA-7gcm-g887-7qv7", "shortDescription": {"text": "protobuf: GHSA-7gcm-g887-7qv7"}, "fullDescription": {"text": "protobuf affected by a JSON recursion depth bypass"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-107", "name": "orjson: PYSEC-2026-107", "shortDescription": {"text": "orjson: PYSEC-2026-107"}, "fullDescription": {"text": "The orjson.dumps function in orjson thru 3.11.4 does not limit recursion for deeply nested JSON documents."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j975-95f5-7wqh", "name": "mcp: GHSA-j975-95f5-7wqh", "shortDescription": {"text": "mcp: GHSA-j975-95f5-7wqh"}, "fullDescription": {"text": "MCP Python SDK has Unhandled Exception in Streamable HTTP Transport, Leading to Denial of Service"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9h52-p55h-vw2f", "name": "mcp: GHSA-9h52-p55h-vw2f", "shortDescription": {"text": "mcp: GHSA-9h52-p55h-vw2f"}, "fullDescription": {"text": "Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-87", "name": "lxml: PYSEC-2026-87", "shortDescription": {"text": "lxml: PYSEC-2026-87"}, "fullDescription": {"text": "lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3644-q5cj-c5c7", "name": "langsmith: GHSA-3644-q5cj-c5c7", "shortDescription": {"text": "langsmith: GHSA-3644-q5cj-c5c7"}, "fullDescription": {"text": "LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wwqv-p2pp-99h5", "name": "langgraph-checkpoint: GHSA-wwqv-p2pp-99h5", "shortDescription": {"text": "langgraph-checkpoint: GHSA-wwqv-p2pp-99h5"}, "fullDescription": {"text": "LangGraph Checkpoint affected by RCE in \"json\" mode of JsonPlusSerializer "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-83", "name": "langgraph: PYSEC-2026-83", "shortDescription": {"text": "langgraph: PYSEC-2026-83"}, "fullDescription": {"text": "LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded. No known patch is public."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-m42m-m8cr-8m58", "name": "langchain-text-splitters: GHSA-m42m-m8cr-8m58", "shortDescription": {"text": "langchain-text-splitters: GHSA-m42m-m8cr-8m58"}, "fullDescription": {"text": "LangChain Text Splitters is vulnerable to XML External Entity (XXE) attacks due to unsafe XSLT parsing"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-77", "name": "langchain-text-splitters: PYSEC-2026-77", "shortDescription": {"text": "langchain-text-splitters: PYSEC-2026-77"}, "fullDescription": {"text": "LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters\n 1.1.2, HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using validate_safe_url() but then performed the fetch with requests.get() with redirects enabled (the default). Because redirect targets were not revalidated, a URL pointing to an attacker-controlled server could redirect to internal, localhost, or cloud metadata endpoints, bypassing SSRF protections. The response body is parsed and returned as Document objects to the calling application code. Whether this constitutes a data exfiltration path depends on the application: if it exposes Document contents (or derivatives) back to the requester who supplied the URL, sensitive data from internal endpoints could be leaked. Applications that store or process Documents internally without returning raw content to the requester are not directly exposed to data exfiltration through this issue. This vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-76", "name": "langchain-openai: PYSEC-2026-76", "shortDescription": {"text": "langchain-openai: PYSEC-2026-76"}, "fullDescription": {"text": "LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qh6h-p6c9-ff54", "name": "langchain-core: GHSA-qh6h-p6c9-ff54", "shortDescription": {"text": "langchain-core: GHSA-qh6h-p6c9-ff54"}, "fullDescription": {"text": "LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pjwx-r37v-7724", "name": "langchain-core: GHSA-pjwx-r37v-7724", "shortDescription": {"text": "langchain-core: GHSA-pjwx-r37v-7724"}, "fullDescription": {"text": "LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pc6w-59fv-rh23", "name": "langchain-community: GHSA-pc6w-59fv-rh23", "shortDescription": {"text": "langchain-community: GHSA-pc6w-59fv-rh23"}, "fullDescription": {"text": "Langchain Community Vulnerable to XML External Entity (XXE) Attacks"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qw2m-4pqf-rmpp", "name": "curl-cffi: GHSA-qw2m-4pqf-rmpp", "shortDescription": {"text": "curl-cffi: GHSA-qw2m-4pqf-rmpp"}, "fullDescription": {"text": "curl_cffi: Redirect-based SSRF leads to internal network access in curl_cffi (with TLS impersonation bypass)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g59-m95p-pgfq", "name": "chainlit: GHSA-2g59-m95p-pgfq", "shortDescription": {"text": "chainlit: GHSA-2g59-m95p-pgfq"}, "fullDescription": {"text": "Chainlit contain a server-side request forgery (SSRF) vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6mq8-rvhq-8wgg", "name": "aiohttp: GHSA-6mq8-rvhq-8wgg", "shortDescription": {"text": "aiohttp: GHSA-6mq8-rvhq-8wgg"}, "fullDescription": {"text": "AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "Phantom test coverage: test_portfolio_manager_no_memory_param", "shortDescription": {"text": "Phantom test coverage: test_portfolio_manager_no_memory_param"}, "fullDescription": {"text": "Test function `test_portfolio_manager_no_memory_param` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.assertEqual` used but never assigned in __init__", "shortDescription": {"text": "`self.assertEqual` used but never assigned in __init__"}, "fullDescription": {"text": "Method `test_env_config_skips_llm_prompts` of class `TestCliSkipsPromptsFromEnv` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED021", "name": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape.", "shortDescription": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `python:3.12-slim` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `python:3.12-slim` not pinned by digest"}, "fullDescription": {"text": "`FROM python:3.12-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.", "shortDescription": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "fullDescription": {"text": "Use parameterized queries: conn.execute('SELECT * FROM t WHERE id = ?', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "MINED007", "name": "[MINED007] Sql String Concat: cursor.execute(f\"... {user_input} ...\") \u2014 SQL injection.", "shortDescription": {"text": "[MINED007] Sql String Concat: cursor.execute(f\"... {user_input} ...\") \u2014 SQL injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-89 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/151"}, "properties": {"repository": "TauricResearch/TradingAgents", "repoUrl": "https://github.com/TauricResearch/TradingAgents", "branch": "main"}, "results": [{"ruleId": "GHSA-pq67-6m6q-mj2v", "level": "warning", "message": {"text": "urllib3: GHSA-pq67-6m6q-mj2v"}, "properties": {"repobilityId": 52138, "scanner": "osv-scanner", "fingerprint": "05f36209b81330ef1da074c89a6716f96abc131a5f3f659eb7de7221cef4a5bf", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-50181"], "package": "urllib3", "rule_id": "GHSA-pq67-6m6q-mj2v", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2025-50181|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-48p4-8xcf-vxj5", "level": "warning", "message": {"text": "urllib3: GHSA-48p4-8xcf-vxj5"}, "properties": {"repobilityId": 52136, "scanner": "osv-scanner", "fingerprint": "3ef8bdf416d6322429c1f23b4e6f5062a1776ba6a4536217b44709604a44b7ee", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-50182"], "package": "urllib3", "rule_id": "GHSA-48p4-8xcf-vxj5", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2025-50182|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2c2j-9gv5-cj73", "level": "warning", "message": {"text": "starlette: GHSA-2c2j-9gv5-cj73"}, "properties": {"repobilityId": 52131, "scanner": "osv-scanner", "fingerprint": "4b60aeb897baf90314c79f6655f39d34e492f9866aa709c18a3a1775f19b847c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-54121"], "package": "starlette", "rule_id": "GHSA-2c2j-9gv5-cj73", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2025-54121|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gc5v-m9x4-r6x2", "level": "warning", "message": {"text": "requests: GHSA-gc5v-m9x4-r6x2"}, "properties": {"repobilityId": 52129, "scanner": "osv-scanner", "fingerprint": "e884985e28f71ca0fc1c2b7bb4ab3804118148f9826bc4963d61cc8124554f58", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25645"], "package": "requests", "rule_id": "GHSA-gc5v-m9x4-r6x2", "scanner": "osv-scanner", "correlation_key": "vuln|requests|CVE-2026-25645|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-g8c6-8fjj-2r4m", "level": "warning", "message": {"text": "python-socketio: GHSA-g8c6-8fjj-2r4m"}, "properties": {"repobilityId": 52128, "scanner": "osv-scanner", "fingerprint": "f1325e3c140c029fcaae81d4a32bea64b71c959cc5dedd78b826e656d7c25aa9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-61765"], "package": "python-socketio", "rule_id": "GHSA-g8c6-8fjj-2r4m", "scanner": "osv-scanner", "correlation_key": "vuln|python-socketio|CVE-2025-61765|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mj87-hwqh-73pj", "level": "warning", "message": {"text": "python-multipart: GHSA-mj87-hwqh-73pj"}, "properties": {"repobilityId": 52125, "scanner": "osv-scanner", "fingerprint": "8834df3dbd3b1c1b4de1142909b33800225a613b094d9c8dd1da59fb20d9460a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-40347"], "package": "python-multipart", "rule_id": "GHSA-mj87-hwqh-73pj", "scanner": "osv-scanner", "correlation_key": "vuln|python-multipart|CVE-2026-40347|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mf9w-mj56-hr94", "level": "warning", "message": {"text": "python-dotenv: GHSA-mf9w-mj56-hr94"}, "properties": {"repobilityId": 52124, "scanner": "osv-scanner", "fingerprint": "9fa45bb35d6c42713aa5ad20c133330f7651c7c5a59abc07a1c90866c86a92fa", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-28684"], "package": "python-dotenv", "rule_id": "GHSA-mf9w-mj56-hr94", "scanner": "osv-scanner", "correlation_key": "vuln|python-dotenv|CVE-2026-28684|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-428g-f7cq-pgp5", "level": "warning", "message": {"text": "marshmallow: GHSA-428g-f7cq-pgp5"}, "properties": {"repobilityId": 52114, "scanner": "osv-scanner", "fingerprint": "f635be3594579a6c51430644c4e267ffb2ab1a0b1041200f250902f1714812c0", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68480"], "package": "marshmallow", "rule_id": "GHSA-428g-f7cq-pgp5", "scanner": "osv-scanner", "correlation_key": "vuln|marshmallow|CVE-2025-68480|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rr7j-v2q5-chgv", "level": "warning", "message": {"text": "langsmith: GHSA-rr7j-v2q5-chgv"}, "properties": {"repobilityId": 52112, "scanner": "osv-scanner", "fingerprint": "a919238152fe4549a787e12addb1178cc44124e24b739995a59b52984c7b85e0", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41182"], "package": "langsmith", "rule_id": "GHSA-rr7j-v2q5-chgv", "scanner": "osv-scanner", "correlation_key": "vuln|langsmith|CVE-2026-41182|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mhr3-j7m5-c7c9", "level": "warning", "message": {"text": "langgraph-checkpoint: GHSA-mhr3-j7m5-c7c9"}, "properties": {"repobilityId": 52109, "scanner": "osv-scanner", "fingerprint": "53c9790fd4ec8a0da6e79de3f78134a5085e8ad057829284ac91c35ff7f4ea01", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27794"], "package": "langgraph-checkpoint", "rule_id": "GHSA-mhr3-j7m5-c7c9", "scanner": "osv-scanner", "correlation_key": "vuln|langgraph-checkpoint|CVE-2026-27794|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-926x-3r5x-gfhw", "level": "warning", "message": {"text": "langchain-core: GHSA-926x-3r5x-gfhw"}, "properties": {"repobilityId": 52102, "scanner": "osv-scanner", "fingerprint": "daaed5093da47e1ba5a718a0f58d61eb0aebd3c619a95322124b580f0b1a924c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-40087"], "package": "langchain-core", "rule_id": "GHSA-926x-3r5x-gfhw", "scanner": "osv-scanner", "correlation_key": "vuln|langchain-core|CVE-2026-40087|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-65pc-fj4g-8rjx", "level": "warning", "message": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "properties": {"repobilityId": 52098, "scanner": "osv-scanner", "fingerprint": "3cb0e6e51097792f0802522bd5a1c534f3c96b9d90576d70a538075f8c4d5bb0", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45409"], "package": "idna", "rule_id": "GHSA-65pc-fj4g-8rjx", "scanner": "osv-scanner", "correlation_key": "vuln|idna|CVE-2024-3651|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w853-jp5j-5j7f", "level": "warning", "message": {"text": "filelock: GHSA-w853-jp5j-5j7f"}, "properties": {"repobilityId": 52097, "scanner": "osv-scanner", "fingerprint": "6571831b5a61bf2090496a811117f9b886366191683b3420b611c444dcaa8dc5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68146"], "package": "filelock", "rule_id": "GHSA-w853-jp5j-5j7f", "scanner": "osv-scanner", "correlation_key": "vuln|filelock|CVE-2025-68146|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qmgc-5h2g-mvrw", "level": "warning", "message": {"text": "filelock: GHSA-qmgc-5h2g-mvrw"}, "properties": {"repobilityId": 52096, "scanner": "osv-scanner", "fingerprint": "41f22d34be3420f91be9012e9334618515fe6d05507a29da78f47a406cc5a3f7", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-22701"], "package": "filelock", "rule_id": "GHSA-qmgc-5h2g-mvrw", "scanner": "osv-scanner", "correlation_key": "vuln|filelock|CVE-2026-22701|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w2fm-2cpv-w7v5", "level": "warning", "message": {"text": "aiohttp: GHSA-w2fm-2cpv-w7v5"}, "properties": {"repobilityId": 52092, "scanner": "osv-scanner", "fingerprint": "79a220d6d0166b58cfbb40ff74faaf9c1f86aa2ae45d8c67c12832894b820c2b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-22815"], "package": "aiohttp", "rule_id": "GHSA-w2fm-2cpv-w7v5", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-22815|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p998-jp59-783m", "level": "warning", "message": {"text": "aiohttp: GHSA-p998-jp59-783m"}, "properties": {"repobilityId": 52091, "scanner": "osv-scanner", "fingerprint": "48f2069051382c71eee301e42997717bbe2a2ea42c991ad9260eb0bdc8f6f136", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34515"], "package": "aiohttp", "rule_id": "GHSA-p998-jp59-783m", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34515|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-m5qp-6w8w-w647", "level": "warning", "message": {"text": "aiohttp: GHSA-m5qp-6w8w-w647"}, "properties": {"repobilityId": 52088, "scanner": "osv-scanner", "fingerprint": "697dcbe15596d7d5afeb4a6664c7ef3e36a601a784e31edc1ce7c26d043b678e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34516"], "package": "aiohttp", "rule_id": "GHSA-m5qp-6w8w-w647", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34516|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jj3x-wxrx-4x23", "level": "warning", "message": {"text": "aiohttp: GHSA-jj3x-wxrx-4x23"}, "properties": {"repobilityId": 52087, "scanner": "osv-scanner", "fingerprint": "71895be818ded60389be622754924256844f61e7ae32827cead7e11b94d9864b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69227"], "package": "aiohttp", "rule_id": "GHSA-jj3x-wxrx-4x23", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2025-69227|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-g84x-mcqj-x9qq", "level": "warning", "message": {"text": "aiohttp: GHSA-g84x-mcqj-x9qq"}, "properties": {"repobilityId": 52085, "scanner": "osv-scanner", "fingerprint": "7b6d0ea4533ec1685c4a6b58988678c05dfd2757cff14da55ccd5cb72c4f1e95", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69229"], "package": "aiohttp", "rule_id": "GHSA-g84x-mcqj-x9qq", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2025-69229|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c427-h43c-vf67", "level": "warning", "message": {"text": "aiohttp: GHSA-c427-h43c-vf67"}, "properties": {"repobilityId": 52083, "scanner": "osv-scanner", "fingerprint": "4ab5b4256381a2e847fada3d4f68ca33751b8c550fe83f9bf343525049cfd2a2", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34525"], "package": "aiohttp", "rule_id": "GHSA-c427-h43c-vf67", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34525|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6jhg-hg63-jvvf", "level": "warning", "message": {"text": "aiohttp: GHSA-6jhg-hg63-jvvf"}, "properties": {"repobilityId": 52079, "scanner": "osv-scanner", "fingerprint": "e2097b9b948cc8f01217826b03a8a4c114bb8e79f59b20d5cfdd076f40ad1fce", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69228"], "package": "aiohttp", "rule_id": "GHSA-6jhg-hg63-jvvf", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2025-69228|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 52068, "scanner": "repobility-ast-engine", "fingerprint": "e6ab595a43cec65f7d64f938a5cc1d85e58178102cc84b054dcedc67e4e8deb6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e6ab595a43cec65f7d64f938a5cc1d85e58178102cc84b054dcedc67e4e8deb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/alpha_vantage_indicator.py"}, "region": {"startLine": 225}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 52067, "scanner": "repobility-ast-engine", "fingerprint": "4dd58b2b657cda04e26e0bec0d3da2ed002b828960c6331837d6c6c8d2c9acb7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4dd58b2b657cda04e26e0bec0d3da2ed002b828960c6331837d6c6c8d2c9acb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/y_finance.py"}, "region": {"startLine": 453}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 52066, "scanner": "repobility-ast-engine", "fingerprint": "cd3a83fa175f2ca17b9ea50b0829aee64a4ce1a27e41c68c97479f1e1045d7e0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cd3a83fa175f2ca17b9ea50b0829aee64a4ce1a27e41c68c97479f1e1045d7e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/y_finance.py"}, "region": {"startLine": 426}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 52065, "scanner": "repobility-ast-engine", "fingerprint": "592fc58e43f2dc7d96243d93e7d36b42ace77df0c7a57f950a19efc8005f93f9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|592fc58e43f2dc7d96243d93e7d36b42ace77df0c7a57f950a19efc8005f93f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/y_finance.py"}, "region": {"startLine": 391}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 52064, "scanner": "repobility-ast-engine", "fingerprint": "8f17470a88950be310076aabd4cee1df5179ca2fd016e4dc833618d236404f9a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8f17470a88950be310076aabd4cee1df5179ca2fd016e4dc833618d236404f9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/y_finance.py"}, "region": {"startLine": 356}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 52063, "scanner": "repobility-ast-engine", "fingerprint": "81cb5b5d778a19efb19d10cb3434aabe2b7d94afb8d8a9772d68f3e36a47b0dc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|81cb5b5d778a19efb19d10cb3434aabe2b7d94afb8d8a9772d68f3e36a47b0dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/y_finance.py"}, "region": {"startLine": 321}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 52062, "scanner": "repobility-ast-engine", "fingerprint": "1d8082e5dcffee6e9120677c812700ab130a493d9d0f019d9577a0b3f65169da", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1d8082e5dcffee6e9120677c812700ab130a493d9d0f019d9577a0b3f65169da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/y_finance.py"}, "region": {"startLine": 249}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 52061, "scanner": "repobility-ast-engine", "fingerprint": "da0297e86384ef0285c3626e408a5ae15345979528d5295aacac4f69e2afa693", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|da0297e86384ef0285c3626e408a5ae15345979528d5295aacac4f69e2afa693"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/y_finance.py"}, "region": {"startLine": 174}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 52060, "scanner": "repobility-ast-engine", "fingerprint": "9d3cc34b63189b590cdf2eedea1c02627295c4bfc75ab1178d3bf3e6d61998fa", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9d3cc34b63189b590cdf2eedea1c02627295c4bfc75ab1178d3bf3e6d61998fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/interface.py"}, "region": {"startLine": 167}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 52059, "scanner": "repobility-ast-engine", "fingerprint": "ccca9f21f39d9f2fc180dcc2aea947c78f399ee5d2d29daad3e200658f52ee4d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ccca9f21f39d9f2fc180dcc2aea947c78f399ee5d2d29daad3e200658f52ee4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/alpha_vantage_common.py"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 52047, "scanner": "repobility-ast-engine", "fingerprint": "23172f073f505e756aa9b0687cd2b3ba6760b3b860657e03cfe58b20b0eb129a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|23172f073f505e756aa9b0687cd2b3ba6760b3b860657e03cfe58b20b0eb129a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/main.py"}, "region": {"startLine": 1279}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 52044, "scanner": "repobility-ast-engine", "fingerprint": "581a303add9bde3843cc7a334617ad04ba4a15cea3413564bf35e173eab255f5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|581a303add9bde3843cc7a334617ad04ba4a15cea3413564bf35e173eab255f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/utils.py"}, "region": {"startLine": 185}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `build_instrument_context` has cognitive complexity 18 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=2, if=6, nested_bonus=7, or=1, ternary=2."}, "properties": {"repobilityId": 51713, "scanner": "repobility-threat-engine", "fingerprint": "bbf1e51b15b9de922455c5a43241ff27f86b59039593b3d03c9e818d79b26d1c", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 18 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "build_instrument_context", "breakdown": {"if": 6, "or": 1, "elif": 2, "ternary": 2, "nested_bonus": 7}, "complexity": 18, "correlation_key": "fp|bbf1e51b15b9de922455c5a43241ff27f86b59039593b3d03c9e818d79b26d1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/agents/utils/agent_utils.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 51710, "scanner": "repobility-threat-engine", "fingerprint": "dc16b1c93d9d107f926e9c22a54a507dffba50faeb647af9904910eeb3a9d497", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "debug=True", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dc16b1c93d9d107f926e9c22a54a507dffba50faeb647af9904910eeb3a9d497"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "main.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `.` has no version pin"}, "properties": {"repobilityId": 51705, "scanner": "repobility-supply-chain", "fingerprint": "c7d50d8a4c4e71b3c5b77cab5792c0a415c3029ad75f1dd2f963d642c778199f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c7d50d8a4c4e71b3c5b77cab5792c0a415c3029ad75f1dd2f963d642c778199f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 51702, "scanner": "repobility-ast-engine", "fingerprint": "9c6123d8b7f4b6fdbfc9ae6967a2da7cb161b54e09ff690f6a33c69b037ddc19", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9c6123d8b7f4b6fdbfc9ae6967a2da7cb161b54e09ff690f6a33c69b037ddc19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/yfinance_news.py"}, "region": {"startLine": 201}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 51701, "scanner": "repobility-ast-engine", "fingerprint": "bf3ff66761b4a227abd10278e99c2f6b21663e4e3fe0100d81a94a80a636b377", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bf3ff66761b4a227abd10278e99c2f6b21663e4e3fe0100d81a94a80a636b377"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/yfinance_news.py"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 51700, "scanner": "repobility-ast-engine", "fingerprint": "e94c0d99d10e0f9b969c51e3e984417e7ee4299c1127dbcffd5c6a7e2193b335", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e94c0d99d10e0f9b969c51e3e984417e7ee4299c1127dbcffd5c6a7e2193b335"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/alpha_vantage_indicator.py"}, "region": {"startLine": 220}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 51699, "scanner": "repobility-ast-engine", "fingerprint": "82d4099387fcac71b83eb21e05712bcc09e7c12cce2eeb1cb5a3a6b3619eed65", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|82d4099387fcac71b83eb21e05712bcc09e7c12cce2eeb1cb5a3a6b3619eed65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/y_finance.py"}, "region": {"startLine": 421}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 51698, "scanner": "repobility-ast-engine", "fingerprint": "5442a5a1f001151da595a79bd2bf282c4237325cf6ca4ace6090893d63b7326f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5442a5a1f001151da595a79bd2bf282c4237325cf6ca4ace6090893d63b7326f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/y_finance.py"}, "region": {"startLine": 397}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 51697, "scanner": "repobility-ast-engine", "fingerprint": "51850a7f9f32ef354dfe605a0e6efbb7e7f876136af38df0b6fa5673a6255072", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|51850a7f9f32ef354dfe605a0e6efbb7e7f876136af38df0b6fa5673a6255072"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/y_finance.py"}, "region": {"startLine": 365}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 51696, "scanner": "repobility-ast-engine", "fingerprint": "7e387d9636259cc9bde7786e9eaea07258f11a361f7872a287abdcbd24a04892", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7e387d9636259cc9bde7786e9eaea07258f11a361f7872a287abdcbd24a04892"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/y_finance.py"}, "region": {"startLine": 333}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 51695, "scanner": "repobility-ast-engine", "fingerprint": "f8e32a08d632afa1e59505fdf5696d621e626c42fc5e695fe0f1189cfcee5406", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f8e32a08d632afa1e59505fdf5696d621e626c42fc5e695fe0f1189cfcee5406"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/y_finance.py"}, "region": {"startLine": 301}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 51694, "scanner": "repobility-ast-engine", "fingerprint": "fd07fea31d98eec1b97932d5c5838ae3f4e381657a8844e9413de36c6c1b7739", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fd07fea31d98eec1b97932d5c5838ae3f4e381657a8844e9413de36c6c1b7739"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/y_finance.py"}, "region": {"startLine": 239}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 51693, "scanner": "repobility-ast-engine", "fingerprint": "d1060da6a676a49657b4c3ea7fdc58e2d3e92764233ae61e7743ebaeab881354", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d1060da6a676a49657b4c3ea7fdc58e2d3e92764233ae61e7743ebaeab881354"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/y_finance.py"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 51692, "scanner": "repobility-ast-engine", "fingerprint": "6496fb432c784d80586aac62171612db532903bec6723f841ca0004bdd0df391", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6496fb432c784d80586aac62171612db532903bec6723f841ca0004bdd0df391"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/market_data_validator.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 51691, "scanner": "repobility-ast-engine", "fingerprint": "c56bdfc84f9143fa7c7db5fa23c10c4d8aa36b1d069aa8b853450d94dc429dfe", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c56bdfc84f9143fa7c7db5fa23c10c4d8aa36b1d069aa8b853450d94dc429dfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/alpha_vantage_common.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (list)"}, "properties": {"repobilityId": 51690, "scanner": "repobility-ast-engine", "fingerprint": "3bcac616aeeb2caa8fa6c70e1272bbaa4c2d8f6b2e4188ce81bd1110419c8e48", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3bcac616aeeb2caa8fa6c70e1272bbaa4c2d8f6b2e4188ce81bd1110419c8e48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/graph/trading_graph.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `setup_graph` (list)"}, "properties": {"repobilityId": 51689, "scanner": "repobility-ast-engine", "fingerprint": "463dde955244477f18e82133a4e1d0bee239f519b181f588b7537c122dcea271", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|463dde955244477f18e82133a4e1d0bee239f519b181f588b7537c122dcea271"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/graph/setup.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 51657, "scanner": "repobility-ast-engine", "fingerprint": "8522d2cbb137e2335e3ec5c40e1314176836e87d440fafc7ec56cdc1e28644e0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8522d2cbb137e2335e3ec5c40e1314176836e87d440fafc7ec56cdc1e28644e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/main.py"}, "region": {"startLine": 1264}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 51654, "scanner": "repobility-ast-engine", "fingerprint": "b3876fca080f66d88e72a88d1cc13b606a8a38c11fbee810203ee9ca300af3af", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b3876fca080f66d88e72a88d1cc13b606a8a38c11fbee810203ee9ca300af3af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/utils.py"}, "region": {"startLine": 176}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 51653, "scanner": "repobility-ast-engine", "fingerprint": "b97ac2ccb3a5a31b1512883a066f3ee9ce5456a870903df188bf7e965be0cb82", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b97ac2ccb3a5a31b1512883a066f3ee9ce5456a870903df188bf7e965be0cb82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/announcements.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `ollama` image uses the latest tag"}, "properties": {"repobilityId": 3960, "scanner": "repobility-docker", "fingerprint": "3da4e0e72e98dfec692bb981bdf11f2a65ee71a5d64d8f682273037c5b5980cd", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ollama/ollama:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3da4e0e72e98dfec692bb981bdf11f2a65ee71a5d64d8f682273037c5b5980cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 3957, "scanner": "repobility-docker", "fingerprint": "84fdfb6d47b2d494dee3526f844c1387c14c82256a474e89774a00382dcd05c4", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|84fdfb6d47b2d494dee3526f844c1387c14c82256a474e89774a00382dcd05c4", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3955, "scanner": "repobility-ai-code-hygiene", "fingerprint": "856051d68a311934a584cc8335c16062aa27a2e477baed34cf3e673c9dd7ac41", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tradingagents/agents/analysts/fundamentals_analyst.py", "duplicate_line": 27, "correlation_key": "fp|856051d68a311934a584cc8335c16062aa27a2e477baed34cf3e673c9dd7ac41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/agents/analysts/social_media_analyst.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3954, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ab011c43c3bc78703f8532fa39ce18d5a520c4377c45034dc3f4e89b486d06b2", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tradingagents/agents/analysts/market_analyst.py", "duplicate_line": 37, "correlation_key": "fp|ab011c43c3bc78703f8532fa39ce18d5a520c4377c45034dc3f4e89b486d06b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/agents/analysts/social_media_analyst.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3952, "scanner": "repobility-ai-code-hygiene", "fingerprint": "14c7933e09199375d8134da4034c157487b57dddca5dec96fe28d188003ead14", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tradingagents/agents/analysts/market_analyst.py", "duplicate_line": 37, "correlation_key": "fp|14c7933e09199375d8134da4034c157487b57dddca5dec96fe28d188003ead14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/agents/analysts/news_analyst.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3951, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2163ea28f752df6442139ac73bee5fbedc1b59f752d593bd4adb802cf7cf273c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tradingagents/agents/analysts/fundamentals_analyst.py", "duplicate_line": 27, "correlation_key": "fp|2163ea28f752df6442139ac73bee5fbedc1b59f752d593bd4adb802cf7cf273c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/agents/analysts/market_analyst.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 3950, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_CI", "scanner": "repobility-core", "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "GHSA-5239-wwwm-4pmq", "level": "note", "message": {"text": "pygments: GHSA-5239-wwwm-4pmq"}, "properties": {"repobilityId": 52121, "scanner": "osv-scanner", "fingerprint": "db0fef0ab784fa7e288e01a475a731d75b5105247b655bdfac2babc124377da9", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4539"], "package": "pygments", "rule_id": "GHSA-5239-wwwm-4pmq", "scanner": "osv-scanner", "correlation_key": "vuln|pygments|CVE-2026-4539|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g6r-c272-w58r", "level": "note", "message": {"text": "langchain-core: GHSA-2g6r-c272-w58r"}, "properties": {"repobilityId": 52101, "scanner": "osv-scanner", "fingerprint": "c18c2d3784971d4e45a6290b13db621e850ccc9a73876ad157fd30703724f0e5", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26013"], "package": "langchain-core", "rule_id": "GHSA-2g6r-c272-w58r", "scanner": "osv-scanner", "correlation_key": "vuln|langchain-core|CVE-2026-26013|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v492-6xx2-p57g", "level": "note", "message": {"text": "chainlit: GHSA-v492-6xx2-p57g"}, "properties": {"repobilityId": 52094, "scanner": "osv-scanner", "fingerprint": "9611e2a14f2a5330fa6456cffebca5483c0b9219f0fdf5eea0cd1a73e42a151a", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68492"], "package": "chainlit", "rule_id": "GHSA-v492-6xx2-p57g", "scanner": "osv-scanner", "correlation_key": "vuln|chainlit|CVE-2025-68492|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mwh4-6h8g-pg8w", "level": "note", "message": {"text": "aiohttp: GHSA-mwh4-6h8g-pg8w"}, "properties": {"repobilityId": 52090, "scanner": "osv-scanner", "fingerprint": "f7bed1792c7b4c1d1e1227e2518bd6ee1b5b3faf768c9e2fa52018e59f486737", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34519"], "package": "aiohttp", "rule_id": "GHSA-mwh4-6h8g-pg8w", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34519|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mqqc-3gqh-h2x8", "level": "note", "message": {"text": "aiohttp: GHSA-mqqc-3gqh-h2x8"}, "properties": {"repobilityId": 52089, "scanner": "osv-scanner", "fingerprint": "4481dea0ef30ae7aed064e42f31a31835a3e865d9a40b44856310223f386518e", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69225"], "package": "aiohttp", "rule_id": "GHSA-mqqc-3gqh-h2x8", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2025-69225|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hcc4-c3v8-rx92", "level": "note", "message": {"text": "aiohttp: GHSA-hcc4-c3v8-rx92"}, "properties": {"repobilityId": 52086, "scanner": "osv-scanner", "fingerprint": "e460e238f68fbd58b112c878f62e3ce863a07546e803baf9bee0656d868d72ee", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34513"], "package": "aiohttp", "rule_id": "GHSA-hcc4-c3v8-rx92", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34513|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fh55-r93g-j68g", "level": "note", "message": {"text": "aiohttp: GHSA-fh55-r93g-j68g"}, "properties": {"repobilityId": 52084, "scanner": "osv-scanner", "fingerprint": "d5fa1c043e0e0eddab3c1ada026a2d04bbf75e0090c949954695a08e37b2ad97", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69230"], "package": "aiohttp", "rule_id": "GHSA-fh55-r93g-j68g", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2025-69230|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-966j-vmvw-g2g9", "level": "note", "message": {"text": "aiohttp: GHSA-966j-vmvw-g2g9"}, "properties": {"repobilityId": 52082, "scanner": "osv-scanner", "fingerprint": "4a5819d120d94221571f6bdd4db10c8d2ca29c60d2cd99f114d22bc7cacd1118", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34518"], "package": "aiohttp", "rule_id": "GHSA-966j-vmvw-g2g9", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34518|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9548-qrrj-x5pj", "level": "note", "message": {"text": "aiohttp: GHSA-9548-qrrj-x5pj"}, "properties": {"repobilityId": 52081, "scanner": "osv-scanner", "fingerprint": "26c84fe0d4628bb6396f76d5f43b9aa826a5c67e603ab015fb704656fda5282f", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-53643"], "package": "aiohttp", "rule_id": "GHSA-9548-qrrj-x5pj", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2025-53643|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-69f9-5gxw-wvc2", "level": "note", "message": {"text": "aiohttp: GHSA-69f9-5gxw-wvc2"}, "properties": {"repobilityId": 52078, "scanner": "osv-scanner", "fingerprint": "d52483f6d766e371f06fd89af143e534408f1deaf71383f4d86ff4a9015f6c62", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69224"], "package": "aiohttp", "rule_id": "GHSA-69f9-5gxw-wvc2", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2025-69224|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-63hf-3vf5-4wqf", "level": "note", "message": {"text": "aiohttp: GHSA-63hf-3vf5-4wqf"}, "properties": {"repobilityId": 52077, "scanner": "osv-scanner", "fingerprint": "c8d015473c39f92b7fc16083eb1406dd6e2199f42513aca03ad243e85c963da0", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34520"], "package": "aiohttp", "rule_id": "GHSA-63hf-3vf5-4wqf", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34520|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-54jq-c3m8-4m76", "level": "note", "message": {"text": "aiohttp: GHSA-54jq-c3m8-4m76"}, "properties": {"repobilityId": 52076, "scanner": "osv-scanner", "fingerprint": "7e674a3273f86fdb18dcd011240e15aa79ee716bf20bcd2db74a184df99c969c", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69226"], "package": "aiohttp", "rule_id": "GHSA-54jq-c3m8-4m76", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2025-69226|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3wq7-rqq7-wx6j", "level": "note", "message": {"text": "aiohttp: GHSA-3wq7-rqq7-wx6j"}, "properties": {"repobilityId": 52075, "scanner": "osv-scanner", "fingerprint": "87d6fddd1ec60ab5d7afd51278674c8d6280a62c0311da65cd03fef5f4128c4c", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34517"], "package": "aiohttp", "rule_id": "GHSA-3wq7-rqq7-wx6j", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34517|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2vrm-gr82-f7m5", "level": "note", "message": {"text": "aiohttp: GHSA-2vrm-gr82-f7m5"}, "properties": {"repobilityId": 52074, "scanner": "osv-scanner", "fingerprint": "aefae760802c0092cc006965a854998aa045873d82460cd5fd7723ddeabfa45a", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34514"], "package": "aiohttp", "rule_id": "GHSA-2vrm-gr82-f7m5", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34514|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `batch_update_with_outcomes` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: break=1, continue=1, for=2, if=4, nested_bonus=5."}, "properties": {"repobilityId": 51714, "scanner": "repobility-threat-engine", "fingerprint": "25b910ddd4e92e996d294f44277976a18b54d58d0f0135bb9484cadd8b9ae2f9", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 13 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "batch_update_with_outcomes", "breakdown": {"if": 4, "for": 2, "break": 1, "continue": 1, "nested_bonus": 5}, "complexity": 13, "correlation_key": "fp|25b910ddd4e92e996d294f44277976a18b54d58d0f0135bb9484cadd8b9ae2f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/agents/utils/memory.py"}, "region": {"startLine": 165}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=2, if=1, nested_bonus=3, or=2, ternary=1."}, "properties": {"repobilityId": 51712, "scanner": "repobility-threat-engine", "fingerprint": "8bd097834fcd0d3a1928d3c5c196a634bb68f9e90adc2114db35691883bc2f02", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 1, "or": 2, "for": 2, "ternary": 1, "nested_bonus": 3}, "complexity": 9, "correlation_key": "fp|8bd097834fcd0d3a1928d3c5c196a634bb68f9e90adc2114db35691883bc2f02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/smoke_structured_output.py"}, "region": {"startLine": 107}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51652, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0adf6da3babdb5e7bde4eaf5da0568ce7e03c82a0081cd105356902b66b52874", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tradingagents/agents/researchers/bear_researcher.py", "duplicate_line": 10, "correlation_key": "fp|0adf6da3babdb5e7bde4eaf5da0568ce7e03c82a0081cd105356902b66b52874"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/agents/researchers/bull_researcher.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51651, "scanner": "repobility-ai-code-hygiene", "fingerprint": "275110285c9bf6a71cee2171aa7cab153a5182d897bcc042385dc1d4a8723aa5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tradingagents/agents/analysts/fundamentals_analyst.py", "duplicate_line": 27, "correlation_key": "fp|275110285c9bf6a71cee2171aa7cab153a5182d897bcc042385dc1d4a8723aa5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/agents/analysts/market_analyst.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 29922, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2dbd727cb98210494eae998ccb6ff4411014cd1480ce9650482f831370d1173e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tradingagents/agents/researchers/bear_researcher.py", "duplicate_line": 7, "correlation_key": "fp|2dbd727cb98210494eae998ccb6ff4411014cd1480ce9650482f831370d1173e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/agents/researchers/bull_researcher.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 29921, "scanner": "repobility-ai-code-hygiene", "fingerprint": "017ba7ed2b200d897901f1a060a84c44f76e5633af631a07b8244fa76e5cb023", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tradingagents/agents/analysts/fundamentals_analyst.py", "duplicate_line": 27, "correlation_key": "fp|017ba7ed2b200d897901f1a060a84c44f76e5633af631a07b8244fa76e5cb023"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/agents/analysts/news_analyst.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 29920, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ac841b84fb80a0b85714ea45536813ec87b8844a22c0180ce02d1efa3f98a978", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tradingagents/agents/analysts/fundamentals_analyst.py", "duplicate_line": 27, "correlation_key": "fp|ac841b84fb80a0b85714ea45536813ec87b8844a22c0180ce02d1efa3f98a978"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/agents/analysts/news_analyst.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 29919, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e31f86f0e5a84212de6dac3a652edcc937826ed53342f0969bf6e7924094e594", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tradingagents/agents/analysts/fundamentals_analyst.py", "duplicate_line": 27, "correlation_key": "fp|e31f86f0e5a84212de6dac3a652edcc937826ed53342f0969bf6e7924094e594"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/agents/analysts/market_analyst.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 3961, "scanner": "repobility-docker", "fingerprint": "6f82f915669a3638c3fe710128387245754ace6c0cefb8f31b1875c230b1ae57", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "tradingagents-ollama", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6f82f915669a3638c3fe710128387245754ace6c0cefb8f31b1875c230b1ae57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 3959, "scanner": "repobility-docker", "fingerprint": "7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "tradingagents", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 3958, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3953, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b5e4a2a71379da2a8c9c9c047d7273df2a39ab76cb070f24b756bdcfa3fdd57e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tradingagents/agents/analysts/market_analyst.py", "duplicate_line": 41, "correlation_key": "fp|b5e4a2a71379da2a8c9c9c047d7273df2a39ab76cb070f24b756bdcfa3fdd57e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/agents/analysts/news_analyst.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 52071, "scanner": "repobility-threat-engine", "fingerprint": "7fdf018af401af5b27b28c655f675de9c8ef7cbd7fa8e74d8f88be9014a67faf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7fdf018af401af5b27b28c655f675de9c8ef7cbd7fa8e74d8f88be9014a67faf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/alpha_vantage_common.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 52070, "scanner": "repobility-threat-engine", "fingerprint": "3a961059059d3ad09e447330ecbd964edbe5dd33a666505df44d0498f10b2b4f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3a961059059d3ad09e447330ecbd964edbe5dd33a666505df44d0498f10b2b4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/alpha_vantage_common.py"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 51726, "scanner": "repobility-threat-engine", "fingerprint": "b5133b8632f9aab9160d305234efe97ff51cf1d5a128ef54e65c610cf269e338", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b5133b8632f9aab9160d305234efe97ff51cf1d5a128ef54e65c610cf269e338"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/llm_clients/capabilities.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 51723, "scanner": "repobility-threat-engine", "fingerprint": "9963e47690c2fa9dc3dea067ceefe80e37854233a8292a5eb70276fa356948c4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9963e47690c2fa9dc3dea067ceefe80e37854233a8292a5eb70276fa356948c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/reddit.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 51722, "scanner": "repobility-threat-engine", "fingerprint": "a28cbeac28128be054c3f8e1a83589ca9ebddaa29ed78b582b0c2183d021e21c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a28cbeac28128be054c3f8e1a83589ca9ebddaa29ed78b582b0c2183d021e21c", "aggregated_count": 4}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 51721, "scanner": "repobility-threat-engine", "fingerprint": "07703c350c534373798ee9a71f773ae6442bb5baca43a0ab1500b2fe5be18bee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|07703c350c534373798ee9a71f773ae6442bb5baca43a0ab1500b2fe5be18bee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/alpha_vantage_common.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 51720, "scanner": "repobility-threat-engine", "fingerprint": "dc9a745a688f79300125187b9ca3e782c973087220298ec88124bff15300e5f6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dc9a745a688f79300125187b9ca3e782c973087220298ec88124bff15300e5f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/agents/utils/structured.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 51719, "scanner": "repobility-threat-engine", "fingerprint": "62b68f0f060a2b3c0edfeff844673b1434c170b90e67895a2c026e2138a1c837", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|62b68f0f060a2b3c0edfeff844673b1434c170b90e67895a2c026e2138a1c837"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/__init__.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "properties": {"repobilityId": 51715, "scanner": "repobility-threat-engine", "fingerprint": "d683dd7f862c53a7d1d54a33e5815dea3a351ae865bc5298119fe512b5061bcb", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 1, "or": 2, "for": 2, "ternary": 1, "nested_bonus": 3}, "aggregated": true, "complexity": 9, "correlation_key": "fp|d683dd7f862c53a7d1d54a33e5815dea3a351ae865bc5298119fe512b5061bcb", "aggregated_count": 17}}}, {"ruleId": "MINED069", "level": "none", "message": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "properties": {"repobilityId": 51711, "scanner": "repobility-threat-engine", "fingerprint": "ee5028f5f1e5de14be23e0c88798f6a57042f166a1bfb9fef9f433ed8255b7bb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "debug-true-prod", "owasp": "A05:2021", "cwe_ids": ["CWE-489"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348063+00:00", "triaged_in_corpus": 12, "observations_count": 37393, "ai_coder_pattern_id": 17}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ee5028f5f1e5de14be23e0c88798f6a57042f166a1bfb9fef9f433ed8255b7bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "main.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 51709, "scanner": "repobility-threat-engine", "fingerprint": "e7b90f996507750cdb267e0360381272b78ed5f6359c8467cd1b2ad84e592b1d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e7b90f996507750cdb267e0360381272b78ed5f6359c8467cd1b2ad84e592b1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/alpha_vantage_common.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 51708, "scanner": "repobility-threat-engine", "fingerprint": "c77c6f48c4c70d681c04f58775dbc7c2891eb7a2581b457d0d7358e7c3537fea", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c77c6f48c4c70d681c04f58775dbc7c2891eb7a2581b457d0d7358e7c3537fea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/announcements.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 51706, "scanner": "repobility-threat-engine", "fingerprint": "817826133ae37381832b714113054c3472da233c096c7374d0dee0f7c55310eb", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'timeout\\s*=' detected on same line", "evidence": {"match": "requests.get(", "reason": "Safe pattern 'timeout\\s*=' detected on same line", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|817826133ae37381832b714113054c3472da233c096c7374d0dee0f7c55310eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/announcements.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "GHSA-gm62-xv2j-4w53", "level": "error", "message": {"text": "urllib3: GHSA-gm62-xv2j-4w53"}, "properties": {"repobilityId": 52137, "scanner": "osv-scanner", "fingerprint": "90d2dab6c7696851417f64b6b694544f6475f3b87570ebe7d7d274b6833a39fb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66418"], "package": "urllib3", "rule_id": "GHSA-gm62-xv2j-4w53", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2025-66418|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-38jv-5279-wg99", "level": "error", "message": {"text": "urllib3: GHSA-38jv-5279-wg99"}, "properties": {"repobilityId": 52135, "scanner": "osv-scanner", "fingerprint": "9849195c9b28418fdaea055af72e73abc5720794d7ced4292b75a84c952a823d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-21441"], "package": "urllib3", "rule_id": "GHSA-38jv-5279-wg99", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-21441|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2xpw-w6gg-jr37", "level": "error", "message": {"text": "urllib3: GHSA-2xpw-w6gg-jr37"}, "properties": {"repobilityId": 52134, "scanner": "osv-scanner", "fingerprint": "af2758d7ff7965761ee75797c370b108b1da9526b5d6d412e519026ea7b3287c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66471"], "package": "urllib3", "rule_id": "GHSA-2xpw-w6gg-jr37", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2025-66471|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-141", "level": "error", "message": {"text": "urllib3: PYSEC-2026-141"}, "properties": {"repobilityId": 52133, "scanner": "osv-scanner", "fingerprint": "202e502152aa0eef57a4c3f3a01e648d30977c8aa06b2acc05a839706b0597b4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44431", "GHSA-qccp-gfcp-xxvc"], "package": "urllib3", "rule_id": "PYSEC-2026-141", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-44431|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-qccp-gfcp-xxvc", "PYSEC-2026-141"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["202e502152aa0eef57a4c3f3a01e648d30977c8aa06b2acc05a839706b0597b4", "b78af741547635e5ed59316b870c20991733a249d6cd722bd682d0d24fc35efa"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7f5h-v6xp-fcq8", "level": "error", "message": {"text": "starlette: GHSA-7f5h-v6xp-fcq8"}, "properties": {"repobilityId": 52132, "scanner": "osv-scanner", "fingerprint": "c2580cef3cd83dfb4afe2f53686488b260d5efc47088a4ae83f70715b5e43c85", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-62727"], "package": "starlette", "rule_id": "GHSA-7f5h-v6xp-fcq8", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2025-62727|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-161", "level": "error", "message": {"text": "starlette: PYSEC-2026-161"}, "properties": {"repobilityId": 52130, "scanner": "osv-scanner", "fingerprint": "993c965e051ac08384f28c004ed2828303fa08d6e623c80da1211dbce5cea7ce", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48710", "GHSA-86qp-5c8j-p5mr", "X41-2026-002"], "package": "starlette", "rule_id": "PYSEC-2026-161", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2026-48710|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wp53-j4wj-2cfg", "level": "error", "message": {"text": "python-multipart: GHSA-wp53-j4wj-2cfg"}, "properties": {"repobilityId": 52127, "scanner": "osv-scanner", "fingerprint": "df7b06460c1f153ec5ed3f56e147b2819f761a3e8389a8372f954682bd5975ab", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24486"], "package": "python-multipart", "rule_id": "GHSA-wp53-j4wj-2cfg", "scanner": "osv-scanner", "correlation_key": "vuln|python-multipart|CVE-2026-24486|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pp6c-gr5w-3c5g", "level": "error", "message": {"text": "python-multipart: GHSA-pp6c-gr5w-3c5g"}, "properties": {"repobilityId": 52126, "scanner": "osv-scanner", "fingerprint": "813234e13bf5f6c49b4449533cb686042249a04d5138b2bb710becb99802b5e4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42561"], "package": "python-multipart", "rule_id": "GHSA-pp6c-gr5w-3c5g", "scanner": "osv-scanner", "correlation_key": "vuln|python-multipart|CVE-2026-42561|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-120", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-120"}, "properties": {"repobilityId": 52123, "scanner": "osv-scanner", "fingerprint": "b81b67e8ab2cf04164f57838dc7c92ed537f13d09c8d538c92b1e563ff5e9dbf", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-32597", "GHSA-752w-5fwx-jx9f"], "package": "pyjwt", "rule_id": "PYSEC-2026-120", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-32597|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-752w-5fwx-jx9f", "PYSEC-2026-120"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["097ffc8c319dbda74296c2d822fb7e784a728bbe5818ffd4fdf2ff87b23dc8a6", "b81b67e8ab2cf04164f57838dc7c92ed537f13d09c8d538c92b1e563ff5e9dbf"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-183", "level": "error", "message": {"text": "pyjwt: PYSEC-2025-183"}, "properties": {"repobilityId": 52122, "scanner": "osv-scanner", "fingerprint": "a9f6a44b1288869f7fa1f9209194c8028f8fb2a8b3551efb3643480e2a16019d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-45768"], "package": "pyjwt", "rule_id": "PYSEC-2025-183", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2025-45768|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jr27-m4p2-rc6r", "level": "error", "message": {"text": "pyasn1: GHSA-jr27-m4p2-rc6r"}, "properties": {"repobilityId": 52120, "scanner": "osv-scanner", "fingerprint": "e45f3507cf940bdb1a3943f8d6a4bd14cda28ac838c7e73100d31793e87184d6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-30922"], "package": "pyasn1", "rule_id": "GHSA-jr27-m4p2-rc6r", "scanner": "osv-scanner", "correlation_key": "vuln|pyasn1|CVE-2026-30922|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-63vm-454h-vhhq", "level": "error", "message": {"text": "pyasn1: GHSA-63vm-454h-vhhq"}, "properties": {"repobilityId": 52119, "scanner": "osv-scanner", "fingerprint": "2ff90536024fb7010f08fc76000ad082f05d02d7be4fb44c1c406ad23d836b98", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-23490"], "package": "pyasn1", "rule_id": "GHSA-63vm-454h-vhhq", "scanner": "osv-scanner", "correlation_key": "vuln|pyasn1|CVE-2026-23490|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7gcm-g887-7qv7", "level": "error", "message": {"text": "protobuf: GHSA-7gcm-g887-7qv7"}, "properties": {"repobilityId": 52118, "scanner": "osv-scanner", "fingerprint": "ddbbc0f7d498a39bbdef85fa83640eb41cd35a02b95dcb6c0a936bcf12caeb33", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-0994"], "package": "protobuf", "rule_id": "GHSA-7gcm-g887-7qv7", "scanner": "osv-scanner", "correlation_key": "vuln|protobuf|CVE-2026-0994|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-107", "level": "error", "message": {"text": "orjson: PYSEC-2026-107"}, "properties": {"repobilityId": 52117, "scanner": "osv-scanner", "fingerprint": "54a7b44c2e581c0a1198fb6ce38a7ac62df4f183a603ff7d99b5b2be6a94e331", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-67221", "GHSA-hx9q-6w63-j58v"], "package": "orjson", "rule_id": "PYSEC-2026-107", "scanner": "osv-scanner", "correlation_key": "vuln|orjson|CVE-2025-67221|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-hx9q-6w63-j58v", "PYSEC-2026-107"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["54a7b44c2e581c0a1198fb6ce38a7ac62df4f183a603ff7d99b5b2be6a94e331", "f11b026fd270c377cc0a95649112720fb7ff3d4aa4fda95b3f2ff20c6584307e"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j975-95f5-7wqh", "level": "error", "message": {"text": "mcp: GHSA-j975-95f5-7wqh"}, "properties": {"repobilityId": 52116, "scanner": "osv-scanner", "fingerprint": "5d508707a27fd0f5c43d86fd0c67413417fa65059071b279258b94f4a967e160", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-53365"], "package": "mcp", "rule_id": "GHSA-j975-95f5-7wqh", "scanner": "osv-scanner", "correlation_key": "vuln|mcp|CVE-2025-53365|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9h52-p55h-vw2f", "level": "error", "message": {"text": "mcp: GHSA-9h52-p55h-vw2f"}, "properties": {"repobilityId": 52115, "scanner": "osv-scanner", "fingerprint": "2d4ae084aa3bb82a2bb44c4a0141be785454fdb08fa110e4c9be2e802e5ebcb1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-66416"], "package": "mcp", "rule_id": "GHSA-9h52-p55h-vw2f", "scanner": "osv-scanner", "correlation_key": "vuln|mcp|CVE-2025-66416|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-87", "level": "error", "message": {"text": "lxml: PYSEC-2026-87"}, "properties": {"repobilityId": 52113, "scanner": "osv-scanner", "fingerprint": "322a0865961b7021953b8ee180fbf247bf8e2b60187d5e62bdd8dfec70ee3b9e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-41066", "GHSA-vfmq-68hx-4jfw"], "package": "lxml", "rule_id": "PYSEC-2026-87", "scanner": "osv-scanner", "correlation_key": "vuln|lxml|CVE-2026-41066|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-vfmq-68hx-4jfw", "PYSEC-2026-87"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["322a0865961b7021953b8ee180fbf247bf8e2b60187d5e62bdd8dfec70ee3b9e", "a39e439da8b77d5626d2bdaac15590d6e196e63e46d419f0293dad26fd229392"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3644-q5cj-c5c7", "level": "error", "message": {"text": "langsmith: GHSA-3644-q5cj-c5c7"}, "properties": {"repobilityId": 52111, "scanner": "osv-scanner", "fingerprint": "44f40e87c7d000c8fe81dc7d244ac6d97f20823a201b37061a5f52a33aa0883b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45134"], "package": "langsmith", "rule_id": "GHSA-3644-q5cj-c5c7", "scanner": "osv-scanner", "correlation_key": "vuln|langsmith|CVE-2026-45134|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wwqv-p2pp-99h5", "level": "error", "message": {"text": "langgraph-checkpoint: GHSA-wwqv-p2pp-99h5"}, "properties": {"repobilityId": 52110, "scanner": "osv-scanner", "fingerprint": "302b304a3c278f560424484760688492c69e773b5da13e345b9771625de89163", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64439"], "package": "langgraph-checkpoint", "rule_id": "GHSA-wwqv-p2pp-99h5", "scanner": "osv-scanner", "correlation_key": "vuln|langgraph-checkpoint|CVE-2025-64439|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-83", "level": "error", "message": {"text": "langgraph: PYSEC-2026-83"}, "properties": {"repobilityId": 52108, "scanner": "osv-scanner", "fingerprint": "937e8562fa45598017a2614323e5cf03e37a9cf42a806656a6dc33c17852abaf", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-28277", "GHSA-g48c-2wqr-h844"], "package": "langgraph", "rule_id": "PYSEC-2026-83", "scanner": "osv-scanner", "correlation_key": "vuln|langgraph|CVE-2026-28277|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-g48c-2wqr-h844", "PYSEC-2026-83"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["5363376c1be09b0be7be8da8b0d1fc4e0e3157806257dfc60d68832eb538cf2e", "937e8562fa45598017a2614323e5cf03e37a9cf42a806656a6dc33c17852abaf"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-m42m-m8cr-8m58", "level": "error", "message": {"text": "langchain-text-splitters: GHSA-m42m-m8cr-8m58"}, "properties": {"repobilityId": 52107, "scanner": "osv-scanner", "fingerprint": "b0b95f0c7e4a7ac1bf354f22221cd2b8d033805deb5883c603986b8943a60fd7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-6985"], "package": "langchain-text-splitters", "rule_id": "GHSA-m42m-m8cr-8m58", "scanner": "osv-scanner", "correlation_key": "vuln|langchain-text-splitters|CVE-2025-6985|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-77", "level": "error", "message": {"text": "langchain-text-splitters: PYSEC-2026-77"}, "properties": {"repobilityId": 52106, "scanner": "osv-scanner", "fingerprint": "94afa027cf4ff5d61e1e27d6bc78bd397b3ab51754cec68ada08640155534af0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-41481", "GHSA-fv5p-p927-qmxr"], "package": "langchain-text-splitters", "rule_id": "PYSEC-2026-77", "scanner": "osv-scanner", "correlation_key": "vuln|langchain-text-splitters|CVE-2026-41481|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-fv5p-p927-qmxr", "PYSEC-2026-77"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["94afa027cf4ff5d61e1e27d6bc78bd397b3ab51754cec68ada08640155534af0", "eb3ed13b07c164081c0189ff710ae281103fbbc1f3b9685e2b4b21fdb259c882"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-76", "level": "error", "message": {"text": "langchain-openai: PYSEC-2026-76"}, "properties": {"repobilityId": 52105, "scanner": "osv-scanner", "fingerprint": "23a48840e0723c568c96340dbf266074841b672e2b31e55905c4aabed83d6b95", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-41488", "GHSA-r7w7-9xr2-qq2r"], "package": "langchain-openai", "rule_id": "PYSEC-2026-76", "scanner": "osv-scanner", "correlation_key": "vuln|langchain-openai|CVE-2026-41488|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-r7w7-9xr2-qq2r", "PYSEC-2026-76"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0c8374d8758001b183cc2a328ee932ba95b1a46b6d84b1d4ca0d47ee8d18f93b", "23a48840e0723c568c96340dbf266074841b672e2b31e55905c4aabed83d6b95"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qh6h-p6c9-ff54", "level": "error", "message": {"text": "langchain-core: GHSA-qh6h-p6c9-ff54"}, "properties": {"repobilityId": 52104, "scanner": "osv-scanner", "fingerprint": "4e079fb60c5718e5090f1b26defc78ca583956e0e78557838110d8b2d6bf4f8f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34070"], "package": "langchain-core", "rule_id": "GHSA-qh6h-p6c9-ff54", "scanner": "osv-scanner", "correlation_key": "vuln|langchain-core|CVE-2026-34070|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pjwx-r37v-7724", "level": "error", "message": {"text": "langchain-core: GHSA-pjwx-r37v-7724"}, "properties": {"repobilityId": 52103, "scanner": "osv-scanner", "fingerprint": "1831ed456b10ded175deec0aea9220c97911bb300a0220289d7e4b115ed461e4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44843"], "package": "langchain-core", "rule_id": "GHSA-pjwx-r37v-7724", "scanner": "osv-scanner", "correlation_key": "vuln|langchain-core|CVE-2026-44843|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pc6w-59fv-rh23", "level": "error", "message": {"text": "langchain-community: GHSA-pc6w-59fv-rh23"}, "properties": {"repobilityId": 52100, "scanner": "osv-scanner", "fingerprint": "10560ee74b31736a27157c95b37ee3269483efd23d99f17467885f13b87d1f33", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-6984"], "package": "langchain-community", "rule_id": "GHSA-pc6w-59fv-rh23", "scanner": "osv-scanner", "correlation_key": "vuln|langchain-community|CVE-2025-6984|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3644-q5cj-c5c7", "level": "error", "message": {"text": "langchain: GHSA-3644-q5cj-c5c7"}, "properties": {"repobilityId": 52099, "scanner": "osv-scanner", "fingerprint": "66a1f54c2e865448dc8b4dbe88b9afc24514d3b048425d0782e3b29956584e0b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45134"], "package": "langchain", "rule_id": "GHSA-3644-q5cj-c5c7", "scanner": "osv-scanner", "correlation_key": "vuln|langchain|CVE-2026-45134|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qw2m-4pqf-rmpp", "level": "error", "message": {"text": "curl-cffi: GHSA-qw2m-4pqf-rmpp"}, "properties": {"repobilityId": 52095, "scanner": "osv-scanner", "fingerprint": "f7aec7b78bfd322f69bc940c5b4b9f93cfeecc567c4be4820759f5b82fedf721", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33752"], "package": "curl-cffi", "rule_id": "GHSA-qw2m-4pqf-rmpp", "scanner": "osv-scanner", "correlation_key": "vuln|curl-cffi|CVE-2026-33752|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g59-m95p-pgfq", "level": "error", "message": {"text": "chainlit: GHSA-2g59-m95p-pgfq"}, "properties": {"repobilityId": 52093, "scanner": "osv-scanner", "fingerprint": "2bff8f4fa6cfe2b4457f41bb88593eaaf98202cc63a3d00720e27686e3526a64", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-22219"], "package": "chainlit", "rule_id": "GHSA-2g59-m95p-pgfq", "scanner": "osv-scanner", "correlation_key": "vuln|chainlit|CVE-2026-22219|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6mq8-rvhq-8wgg", "level": "error", "message": {"text": "aiohttp: GHSA-6mq8-rvhq-8wgg"}, "properties": {"repobilityId": 52080, "scanner": "osv-scanner", "fingerprint": "151037d2d228d04e832a7e1dbe5eab029940d82e4923e64309ece9b11e53171c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69223"], "package": "aiohttp", "rule_id": "GHSA-6mq8-rvhq-8wgg", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2025-69223|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 52073, "scanner": "repobility-threat-engine", "fingerprint": "a7f5935945a6059887f9863011438f16f09dc4f0434be9ab786c844bb7602445", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a7f5935945a6059887f9863011438f16f09dc4f0434be9ab786c844bb7602445"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/llm_clients/openai_client.py"}, "region": {"startLine": 170}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 52072, "scanner": "repobility-threat-engine", "fingerprint": "ea35209747eb7819d7276e5cb59fc70e8d2d1e36c7f69b0ee4cbcc644c52fdb7", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(API_BASE_URL", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ea35209747eb7819d7276e5cb59fc70e8d2d1e36c7f69b0ee4cbcc644c52fdb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/alpha_vantage_common.py"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 52069, "scanner": "repobility-threat-engine", "fingerprint": "72503f755c1e01a99459e85fcde8ae735cd395dbd6e319b86d15fb07e49c1eb2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|72503f755c1e01a99459e85fcde8ae735cd395dbd6e319b86d15fb07e49c1eb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/alpha_vantage_common.py"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_portfolio_manager_no_memory_param"}, "properties": {"repobilityId": 52058, "scanner": "repobility-ast-engine", "fingerprint": "719e32e8b07912ed547f7ac91e0c532fb2e6cc62bcac3879d0d10f1126d7c015", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|719e32e8b07912ed547f7ac91e0c532fb2e6cc62bcac3879d0d10f1126d7c015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_memory_log.py"}, "region": {"startLine": 820}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 52057, "scanner": "repobility-ast-engine", "fingerprint": "b136f5106da8f8fdfa0f7a659e07352b7799c9f43c980d8b7f2f5a3e915ed3a8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b136f5106da8f8fdfa0f7a659e07352b7799c9f43c980d8b7f2f5a3e915ed3a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_cli_env_skip.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 52056, "scanner": "repobility-ast-engine", "fingerprint": "fd5be3b69e3d2652a71c68e01941ef582e196d84f8dbc1ee2d31899ed3f64604", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fd5be3b69e3d2652a71c68e01941ef582e196d84f8dbc1ee2d31899ed3f64604"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_cli_env_skip.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 52055, "scanner": "repobility-ast-engine", "fingerprint": "69ca76c7ead0ba74d3198a3ea7ee0d914c99b5854e3e1f7c0ac41a74a39fbafa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|69ca76c7ead0ba74d3198a3ea7ee0d914c99b5854e3e1f7c0ac41a74a39fbafa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_cli_env_skip.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 52054, "scanner": "repobility-ast-engine", "fingerprint": "abdf06b8cdcdfd03ddf2493b6a18b7eda44b6045f5dfe07913de701ca4032fdc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|abdf06b8cdcdfd03ddf2493b6a18b7eda44b6045f5dfe07913de701ca4032fdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_cli_env_skip.py"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 52053, "scanner": "repobility-ast-engine", "fingerprint": "86d1726f0fb6c265abe9f6ced9ab0871985286025719576aa64a34ed67c12d1a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|86d1726f0fb6c265abe9f6ced9ab0871985286025719576aa64a34ed67c12d1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_cli_env_skip.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 52052, "scanner": "repobility-ast-engine", "fingerprint": "0974128a8cb73914b20aea42d557676b3898d1f2d10cdaf48d63194cb803d09e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0974128a8cb73914b20aea42d557676b3898d1f2d10cdaf48d63194cb803d09e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_cli_env_skip.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertIsNone` used but never assigned in __init__"}, "properties": {"repobilityId": 52051, "scanner": "repobility-ast-engine", "fingerprint": "591a15929fde9ac696ce204fc73d61f2592f1ad1713e37c4f49f375c07f02cc5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|591a15929fde9ac696ce204fc73d61f2592f1ad1713e37c4f49f375c07f02cc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_cli_env_skip.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertIsNone` used but never assigned in __init__"}, "properties": {"repobilityId": 52050, "scanner": "repobility-ast-engine", "fingerprint": "79c752fc3d219560cb5114d019a623693229b0e851dc3a8d40aa4efb83199ce1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|79c752fc3d219560cb5114d019a623693229b0e851dc3a8d40aa4efb83199ce1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_cli_env_skip.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 52049, "scanner": "repobility-ast-engine", "fingerprint": "743dc9e2e627e66d881798bd57d09ea85c9735eddb4866fbbb65daf0e58bab84", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|743dc9e2e627e66d881798bd57d09ea85c9735eddb4866fbbb65daf0e58bab84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_cli_env_skip.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 52048, "scanner": "repobility-ast-engine", "fingerprint": "837f43c1660edc0380a03cf9f9cce2a3f509fb25720e4b66182e5ae5016605ed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|837f43c1660edc0380a03cf9f9cce2a3f509fb25720e4b66182e5ae5016605ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_cli_env_skip.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._update_final_report` used but never assigned in __init__"}, "properties": {"repobilityId": 52046, "scanner": "repobility-ast-engine", "fingerprint": "344a28fc4f82010e5948ab2a6aed5d425b380ea650ef5d9bc4f602d556e18987", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|344a28fc4f82010e5948ab2a6aed5d425b380ea650ef5d9bc4f602d556e18987"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/main.py"}, "region": {"startLine": 189}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._update_current_report` used but never assigned in __init__"}, "properties": {"repobilityId": 52045, "scanner": "repobility-ast-engine", "fingerprint": "846e5e00d2dab8fc52262bb51e6bd93d47c730dd669a20677da0aedf758de18c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|846e5e00d2dab8fc52262bb51e6bd93d47c730dd669a20677da0aedf758de18c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/main.py"}, "region": {"startLine": 160}}}]}, {"ruleId": "MINED021", "level": "error", "message": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "properties": {"repobilityId": 51724, "scanner": "repobility-threat-engine", "fingerprint": "2b60252340c3c3c2539b2e03a9b085fb252c7764a09afd494a2f486a37ec352a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "path-traversal-os-join", "owasp": "A01:2021", "cwe_ids": ["CWE-22"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347947+00:00", "triaged_in_corpus": 15, "observations_count": 45678, "ai_coder_pattern_id": 31}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2b60252340c3c3c2539b2e03a9b085fb252c7764a09afd494a2f486a37ec352a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/default_config.py"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 51718, "scanner": "repobility-threat-engine", "fingerprint": "2cfe6cfc233d2f2a3138f903549b0f35eea3df55527294f57ed81b7b40d23fb9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2cfe6cfc233d2f2a3138f903549b0f35eea3df55527294f57ed81b7b40d23fb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/graph/checkpointer.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 51717, "scanner": "repobility-threat-engine", "fingerprint": "b024df9c3d61fbde97ac18def6c71b04b218acd23e69cf1377892d5a70c4962c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b024df9c3d61fbde97ac18def6c71b04b218acd23e69cf1377892d5a70c4962c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/yfinance_news.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 51716, "scanner": "repobility-threat-engine", "fingerprint": "605ec2f8f3b9f5fc84c2e1d5855ce1994af9acbd8f2c775512ee8492c9f6734e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|605ec2f8f3b9f5fc84c2e1d5855ce1994af9acbd8f2c775512ee8492c9f6734e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/__init__.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 51707, "scanner": "repobility-threat-engine", "fingerprint": "716f85f4918e093cb98344e44a630e09cc3d64d8cd4709e79befb3ac7b2e99fc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|716f85f4918e093cb98344e44a630e09cc3d64d8cd4709e79befb3ac7b2e99fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/alpha_vantage_common.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `python:3.12-slim` not pinned by digest"}, "properties": {"repobilityId": 51704, "scanner": "repobility-supply-chain", "fingerprint": "7ff2e368a43bd4d0580bdb2fb26bcde3aaf62ec2f3bd362323245dba37cc4860", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7ff2e368a43bd4d0580bdb2fb26bcde3aaf62ec2f3bd362323245dba37cc4860"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `python:3.12-slim` not pinned by digest"}, "properties": {"repobilityId": 51703, "scanner": "repobility-supply-chain", "fingerprint": "86501238955cd076654cf2551739b8a793de47eb8bc9db89cba7bc4fe0befa2d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|86501238955cd076654cf2551739b8a793de47eb8bc9db89cba7bc4fe0befa2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_raises_on_empty_data"}, "properties": {"repobilityId": 51688, "scanner": "repobility-ast-engine", "fingerprint": "6bff5dbcb3a509fb654bf1ed1c40cab4dd325943bf2deacc68048e090735fa9c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6bff5dbcb3a509fb654bf1ed1c40cab4dd325943bf2deacc68048e090735fa9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_market_data_validator.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_raises_when_no_rows_on_or_before_date"}, "properties": {"repobilityId": 51687, "scanner": "repobility-ast-engine", "fingerprint": "820c1a124418052c4ffc50d238322aadf4584c31dae8aea968138caf44b4e6fe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|820c1a124418052c4ffc50d238322aadf4584c31dae8aea968138caf44b4e6fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_market_data_validator.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_score_out_of_range_rejected"}, "properties": {"repobilityId": 51686, "scanner": "repobility-ast-engine", "fingerprint": "0e339094d600e1b554f1e85902a0ec54187d37c0ea4cfca5560494d4fe2b3721", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0e339094d600e1b554f1e85902a0ec54187d37c0ea4cfca5560494d4fe2b3721"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_structured_agents.py"}, "region": {"startLine": 285}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_makes_no_llm_calls"}, "properties": {"repobilityId": 51685, "scanner": "repobility-ast-engine", "fingerprint": "43bfefc3e04e2d380b6634885a28f6c6ac282b46d93794d559b7f6f6041d3fbc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|43bfefc3e04e2d380b6634885a28f6c6ac282b46d93794d559b7f6f6041d3fbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_signal_processing.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_portfolio_manager_no_memory_param"}, "properties": {"repobilityId": 51684, "scanner": "repobility-ast-engine", "fingerprint": "e06fb7cd4b912566348818e17dd964cbe09fcb9a5900f2c34e367e350a40779f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e06fb7cd4b912566348818e17dd964cbe09fcb9a5900f2c34e367e350a40779f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_memory_log.py"}, "region": {"startLine": 810}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_update_noop_when_no_log_path"}, "properties": {"repobilityId": 51683, "scanner": "repobility-ast-engine", "fingerprint": "df26271a1dd1ab7614ca6d762ad8bfc17efbf5a8137a27265248a21372d9ac1d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|df26271a1dd1ab7614ca6d762ad8bfc17efbf5a8137a27265248a21372d9ac1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_memory_log.py"}, "region": {"startLine": 439}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_capabilities_dataclass_is_frozen"}, "properties": {"repobilityId": 51682, "scanner": "repobility-ast-engine", "fingerprint": "5a495dacaf3882277317d99727d9e7ff3b88a63fcc1e222f4d3d317e8968ffd1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5a495dacaf3882277317d99727d9e7ff3b88a63fcc1e222f4d3d317e8968ffd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_capabilities.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.date` used but never assigned in __init__"}, "properties": {"repobilityId": 51681, "scanner": "repobility-ast-engine", "fingerprint": "781c307d38c94e736d845c24126c09042fe93b12bf850a605586fe80cce03780", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|781c307d38c94e736d845c24126c09042fe93b12bf850a605586fe80cce03780"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_checkpoint_resume.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.ticker` used but never assigned in __init__"}, "properties": {"repobilityId": 51680, "scanner": "repobility-ast-engine", "fingerprint": "24a2fb9c9980a77cda544cd8e9fb0213062dfcf284cef72f95ae886e95e481fc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|24a2fb9c9980a77cda544cd8e9fb0213062dfcf284cef72f95ae886e95e481fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_checkpoint_resume.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertRaises` used but never assigned in __init__"}, "properties": {"repobilityId": 51679, "scanner": "repobility-ast-engine", "fingerprint": "35264d33adeeeb80836ce80d20f79f64def3b0366d137d9e5ad9c3a52fa74edb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|35264d33adeeeb80836ce80d20f79f64def3b0366d137d9e5ad9c3a52fa74edb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_checkpoint_resume.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.ticker` used but never assigned in __init__"}, "properties": {"repobilityId": 51678, "scanner": "repobility-ast-engine", "fingerprint": "6bec9a94d1f168a165aa65915b08c5d1885496f8e253ae4368d1945e5b8aeafa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6bec9a94d1f168a165aa65915b08c5d1885496f8e253ae4368d1945e5b8aeafa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_checkpoint_resume.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.tmpdir` used but never assigned in __init__"}, "properties": {"repobilityId": 51677, "scanner": "repobility-ast-engine", "fingerprint": "4eccf2e5d6681b715e0fe430c48998722ea3c81aa15db069e64593148c630561", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4eccf2e5d6681b715e0fe430c48998722ea3c81aa15db069e64593148c630561"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_checkpoint_resume.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.date` used but never assigned in __init__"}, "properties": {"repobilityId": 51676, "scanner": "repobility-ast-engine", "fingerprint": "4639b73ff272d2c8a77d5960ce846a2bfc0c993abc05be5b961343e76dcd882b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4639b73ff272d2c8a77d5960ce846a2bfc0c993abc05be5b961343e76dcd882b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_checkpoint_resume.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.ticker` used but never assigned in __init__"}, "properties": {"repobilityId": 51675, "scanner": "repobility-ast-engine", "fingerprint": "84c3773b16fc3ff08ac8df115ceb4cc84755e90a3d847103b50f863d7d4d64dd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|84c3773b16fc3ff08ac8df115ceb4cc84755e90a3d847103b50f863d7d4d64dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_checkpoint_resume.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.tmpdir` used but never assigned in __init__"}, "properties": {"repobilityId": 51674, "scanner": "repobility-ast-engine", "fingerprint": "7ca05343ed6ebb3df8761ef8411f96a1bce83a3536d811add1291320b4dce40c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7ca05343ed6ebb3df8761ef8411f96a1bce83a3536d811add1291320b4dce40c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_checkpoint_resume.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.ticker` used but never assigned in __init__"}, "properties": {"repobilityId": 51673, "scanner": "repobility-ast-engine", "fingerprint": "5cb7f9f69ef0870e2e9c94af40a1d9cff61794de1be9d20f5de089b4f51ddece", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5cb7f9f69ef0870e2e9c94af40a1d9cff61794de1be9d20f5de089b4f51ddece"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_checkpoint_resume.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.tmpdir` used but never assigned in __init__"}, "properties": {"repobilityId": 51672, "scanner": "repobility-ast-engine", "fingerprint": "de68752417e4cb9b71f3d755d997cba07b4b4dd8f493712dabde11f4a3ca51fb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|de68752417e4cb9b71f3d755d997cba07b4b4dd8f493712dabde11f4a3ca51fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_checkpoint_resume.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 51671, "scanner": "repobility-ast-engine", "fingerprint": "96e60c13866716d099081f3be4b4a5ca9146dc042ffb4696eaf9735b8bce39f0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|96e60c13866716d099081f3be4b4a5ca9146dc042ffb4696eaf9735b8bce39f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_checkpoint_resume.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 51670, "scanner": "repobility-ast-engine", "fingerprint": "d95a3912473be53f0c3479a68093083384aa6b8f9b1a4e3dce0300af2d629444", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d95a3912473be53f0c3479a68093083384aa6b8f9b1a4e3dce0300af2d629444"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_checkpoint_resume.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.date` used but never assigned in __init__"}, "properties": {"repobilityId": 51669, "scanner": "repobility-ast-engine", "fingerprint": "df80b03c9611c7069824d08d9bc7c9398f8b2f12b6e3525b3ddd745e4876d7bf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|df80b03c9611c7069824d08d9bc7c9398f8b2f12b6e3525b3ddd745e4876d7bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_checkpoint_resume.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.ticker` used but never assigned in __init__"}, "properties": {"repobilityId": 51668, "scanner": "repobility-ast-engine", "fingerprint": "bd56015695108688342415b374cd8247a7beb450e752be9553589489a03cace2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bd56015695108688342415b374cd8247a7beb450e752be9553589489a03cace2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_checkpoint_resume.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.tmpdir` used but never assigned in __init__"}, "properties": {"repobilityId": 51667, "scanner": "repobility-ast-engine", "fingerprint": "e66cdb8173be510048b4ef1f1d7bfc8094caaec7067a051730f36ac5888b2d70", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e66cdb8173be510048b4ef1f1d7bfc8094caaec7067a051730f36ac5888b2d70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_checkpoint_resume.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertTrue` used but never assigned in __init__"}, "properties": {"repobilityId": 51666, "scanner": "repobility-ast-engine", "fingerprint": "6f7fc1608b4dcaa699913065986a2f7807709040db9e698d8ab303d8ea9e517d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6f7fc1608b4dcaa699913065986a2f7807709040db9e698d8ab303d8ea9e517d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_checkpoint_resume.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.date` used but never assigned in __init__"}, "properties": {"repobilityId": 51665, "scanner": "repobility-ast-engine", "fingerprint": "30c8b585db552468900ecaec0121e2053812ef5335efc30eba9c86c5bd84a4df", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|30c8b585db552468900ecaec0121e2053812ef5335efc30eba9c86c5bd84a4df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_checkpoint_resume.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.ticker` used but never assigned in __init__"}, "properties": {"repobilityId": 51664, "scanner": "repobility-ast-engine", "fingerprint": "9f9fb8b0178570f1b9051d6520a6121753c10484a6a1e26c0299a689e7f9f705", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9f9fb8b0178570f1b9051d6520a6121753c10484a6a1e26c0299a689e7f9f705"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_checkpoint_resume.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.date` used but never assigned in __init__"}, "properties": {"repobilityId": 51663, "scanner": "repobility-ast-engine", "fingerprint": "a5f6723ac5bb2eea6871c04d1956a3f86029830bb42ee6b0e3590be58174554f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a5f6723ac5bb2eea6871c04d1956a3f86029830bb42ee6b0e3590be58174554f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_checkpoint_resume.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.ticker` used but never assigned in __init__"}, "properties": {"repobilityId": 51662, "scanner": "repobility-ast-engine", "fingerprint": "def9274646a2c1617ad84970ba77e72db49de079147671ba4a404d18e50fa04c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|def9274646a2c1617ad84970ba77e72db49de079147671ba4a404d18e50fa04c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_checkpoint_resume.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.tmpdir` used but never assigned in __init__"}, "properties": {"repobilityId": 51661, "scanner": "repobility-ast-engine", "fingerprint": "c14d9b3540545a77930792cde4c2537d57696aacd179eec2d3121a005aa4df0b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c14d9b3540545a77930792cde4c2537d57696aacd179eec2d3121a005aa4df0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_checkpoint_resume.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 51660, "scanner": "repobility-ast-engine", "fingerprint": "a1d86dd45b4b9976905561af3cf161fcf61d5ac170c0138a13983d464ea4be1f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a1d86dd45b4b9976905561af3cf161fcf61d5ac170c0138a13983d464ea4be1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_google_api_key.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.subTest` used but never assigned in __init__"}, "properties": {"repobilityId": 51659, "scanner": "repobility-ast-engine", "fingerprint": "d9e6ec1781bfbc6ab7aefc75bf5f1342450a609e9e406929ebbb3cb5e0d433b9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d9e6ec1781bfbc6ab7aefc75bf5f1342450a609e9e406929ebbb3cb5e0d433b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_google_api_key.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_invalid_int_raises"}, "properties": {"repobilityId": 51658, "scanner": "repobility-ast-engine", "fingerprint": "eaec26d82ee6132ffce64f3fcc2df447b805da356e35bd3f715fba357e230cfb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eaec26d82ee6132ffce64f3fcc2df447b805da356e35bd3f715fba357e230cfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_env_overrides.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._update_final_report` used but never assigned in __init__"}, "properties": {"repobilityId": 51656, "scanner": "repobility-ast-engine", "fingerprint": "d7f94c944874cf65d104f855f8a42aa32a0192fc8fe58c5c61007b87b2f2b830", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d7f94c944874cf65d104f855f8a42aa32a0192fc8fe58c5c61007b87b2f2b830"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/main.py"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._update_current_report` used but never assigned in __init__"}, "properties": {"repobilityId": 51655, "scanner": "repobility-ast-engine", "fingerprint": "04b8251aa4b8e9ac6e88c699f8aa8f08cb5abe125b1fa09a7519dc3a43dd513b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|04b8251aa4b8e9ac6e88c699f8aa8f08cb5abe125b1fa09a7519dc3a43dd513b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/main.py"}, "region": {"startLine": 159}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 29925, "scanner": "repobility-threat-engine", "fingerprint": "a6bbde47e0f42bc51112fb1cb826928e2d1b5011d26af9215db823467ce2193b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a6bbde47e0f42bc51112fb1cb826928e2d1b5011d26af9215db823467ce2193b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/llm_clients/openai_client.py"}, "region": {"startLine": 164}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 29924, "scanner": "repobility-threat-engine", "fingerprint": "836c092bf432c64286793258c15ffb4c4eb8eb73eb5f294a49bdf4aeb81b992a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL (e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|836c092bf432c64286793258c15ffb4c4eb8eb73eb5f294a49bdf4aeb81b992a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/llm_clients/azure_client.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 29923, "scanner": "repobility-threat-engine", "fingerprint": "6d8a42354b3990cace9b0e970279cc10c43f503311a1a0ff6ac1882675c5fcfc", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(API_BASE_URL", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6d8a42354b3990cace9b0e970279cc10c43f503311a1a0ff6ac1882675c5fcfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/dataflows/alpha_vantage_common.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 4278, "scanner": "repobility-threat-engine", "fingerprint": "b2614da0abff70f43d2fab45f559eefd07858c45747f76e1d717e45b215f1018", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": ".execute(f\"DELETE", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|85|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/graph/checkpointer.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 3956, "scanner": "repobility-threat-engine", "fingerprint": "290d71203a69fe8dfe11f93c0bbb02a02dc67e5d1a8ba73fc907c79825f2d3ba", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": ".execute(f\"DELETE", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|81|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/graph/checkpointer.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED007", "level": "error", "message": {"text": "[MINED007] Sql String Concat: cursor.execute(f\"... {user_input} ...\") \u2014 SQL injection."}, "properties": {"repobilityId": 51725, "scanner": "repobility-threat-engine", "fingerprint": "5785a07be31fb03f4c3236e653b0acf774c0a2973f65cb5b4560279659445b6f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "sql-string-concat", "owasp": "A03:2021", "cwe_ids": ["CWE-89"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347914+00:00", "triaged_in_corpus": 20, "observations_count": 210457, "ai_coder_pattern_id": 12}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5785a07be31fb03f4c3236e653b0acf774c0a2973f65cb5b4560279659445b6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tradingagents/graph/checkpointer.py"}, "region": {"startLine": 85}}}]}]}]}