{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB004", "name": "robots.txt blocks the full public site", "shortDescription": {"text": "robots.txt blocks the full public site"}, "fullDescription": {"text": "`User-agent: *` with `Disallow: /` prevents normal indexing and can also hide public docs from AI agents unless there is a clear exception."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /de"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /deleted."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /latitude."}, "fullDescription": {"text": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /latitude."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 1.3% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 1.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 1.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-48c2-rrv3-qjmp", "name": "yaml: GHSA-48c2-rrv3-qjmp", "shortDescription": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "fullDescription": {"text": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g4f-4pwh-qvx6", "name": "ajv: GHSA-2g4f-4pwh-qvx6", "shortDescription": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "fullDescription": {"text": "ajv has ReDoS when using `$data` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR017", "name": "Dockerfile installs dependencies after copying the full source tree", "shortDescription": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "fullDescription": {"text": "When dependency installation comes after COPY ., any source change invalidates the dependency layer and makes Docker rebuild much more slowly."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-GHA", "name": "GitHub Action `volta-cli/action@v4` is 1 major version(s) behind (latest v5.0.0)", "shortDescription": {"text": "GitHub Action `volta-cli/action@v4` is 1 major version(s) behind (latest v5.0.0)"}, "fullDescription": {"text": "`uses: volta-cli/action@v4` is 1 major version(s) behind the latest published release v5.0.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises \u2014 and which Repobility had no coverage for."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `zustand` is 1 major version(s) behind (4.4.6 -> 5.0.14)", "shortDescription": {"text": "npm package `zustand` is 1 major version(s) behind (4.4.6 -> 5.0.14)"}, "fullDescription": {"text": "`zustand` is pinned/resolved at 4.4.6 but the latest stable release on the npm registry is 5.0.14 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-73rr-hh4g-fpgx", "name": "diff: GHSA-73rr-hh4g-fpgx", "shortDescription": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "fullDescription": {"text": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 5 more): Same pattern found in 5 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public re", "shortDescription": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /telegram/:id."}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /telegram/:id."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC035", "name": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based o", "shortDescription": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation."}, "fullDescription": {"text": "Cap user-controlled sizes BEFORE allocation:\n  size = min(int(request.args.get('n', 100)), MAX_SIZE)\nSet framework-level limits:\n  Flask:    app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024\n  FastAPI:  use middleware to enforce request size\n  Django:   DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py\nNever raise `sys.setrecursionlimit` past 10K without a deeper review."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED117", "name": "Workflow declares `permissions: write-all`", "shortDescription": {"text": "Workflow declares `permissions: write-all`"}, "fullDescription": {"text": "The job's GITHUB_TOKEN gets EVERY permission scope. If the workflow is ever compromised (mutable action, fork PR, injected step), the attacker can push to main, publish packages, alter releases. Use least-privilege by listing only the scopes the job actually needs."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `volta-cli/action` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `volta-cli/action` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: volta-cli/action@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "package.json dep `passport-discord` pulled from URL/Git", "shortDescription": {"text": "package.json dep `passport-discord` pulled from URL/Git"}, "fullDescription": {"text": "`devDependencies.passport-discord` = `https://github.com/tonestrike/passport-discord.git` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `node:22-alpine` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `node:22-alpine` not pinned by digest"}, "fullDescription": {"text": "`FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express POST /import has no auth", "shortDescription": {"text": "Express POST /import has no auth"}, "fullDescription": {"text": "Express route POST /import declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1123"}, "properties": {"repository": "WatWowMap/ReactMap", "repoUrl": "https://github.com/WatWowMap/ReactMap", "branch": "main"}, "results": [{"ruleId": "WEB004", "level": "warning", "message": {"text": "robots.txt blocks the full public site"}, "properties": {"repobilityId": 111260, "scanner": "repobility-web-presence", "fingerprint": "2ddf9fdc45881d6bdc147bcb3c6de9d6afa48a973847300ac76842f3ac491c91", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "robots.txt contains a global disallow rule for the root path.", "evidence": {"rule_id": "WEB004", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309"], "correlation_key": "fp|2ddf9fdc45881d6bdc147bcb3c6de9d6afa48a973847300ac76842f3ac491c91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 111258, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 111254, "scanner": "repobility-journey-contract", "fingerprint": "7c34162c556aaa741899cba68203982dd5d87de9b29e9b9ffcc906803c081613", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/pokemon/id", "correlation_key": "fp|7c34162c556aaa741899cba68203982dd5d87de9b29e9b9ffcc906803c081613", "backend_endpoint_count": 833}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/utils/fetchJson.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 111253, "scanner": "repobility-journey-contract", "fingerprint": "e5baab8926b6a4b434b6e5741c47fe4cb18d77c94ae1c2a8d966c3324700c794", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/profiles/{param}", "correlation_key": "fp|e5baab8926b6a4b434b6e5741c47fe4cb18d77c94ae1c2a8d966c3324700c794", "backend_endpoint_count": 833}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/Poracle.js"}, "region": {"startLine": 33}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 111252, "scanner": "repobility-journey-contract", "fingerprint": "a1aba8b1a9cae10c1bb2f5d1e1ab84c05f98c23e496a7c519e48be16179bfe1c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/humans/{param}/switchprofile/{param}", "correlation_key": "fp|a1aba8b1a9cae10c1bb2f5d1e1ab84c05f98c23e496a7c519e48be16179bfe1c", "backend_endpoint_count": 833}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/Poracle.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 111251, "scanner": "repobility-journey-contract", "fingerprint": "e5bbfd047f41f5ca24324e30aa3af9669c6093bb5058a44c7837a32ed1494a85", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/humans/{param}/stop", "correlation_key": "fp|e5bbfd047f41f5ca24324e30aa3af9669c6093bb5058a44c7837a32ed1494a85", "backend_endpoint_count": 833}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/Poracle.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 111250, "scanner": "repobility-journey-contract", "fingerprint": "7e604c308b5f9f9b7341cb8c51e6b7e2921d64cad868614c73b2124fc0909a60", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/humans/{param}/start", "correlation_key": "fp|7e604c308b5f9f9b7341cb8c51e6b7e2921d64cad868614c73b2124fc0909a60", "backend_endpoint_count": 833}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/Poracle.js"}, "region": {"startLine": 27}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 111249, "scanner": "repobility-journey-contract", "fingerprint": "9a6c0f02aebe3f053ea7b9acbaaa75cb76a2b0a0fb5196ce1ddefd67cf1f8119", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/geofence/{param}", "correlation_key": "fp|9a6c0f02aebe3f053ea7b9acbaaa75cb76a2b0a0fb5196ce1ddefd67cf1f8119", "backend_endpoint_count": 833}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/Poracle.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 111248, "scanner": "repobility-journey-contract", "fingerprint": "37810a8d00a213b7772b76133b30cbe70f885e3a179bc83145981033cedc4821", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/humans/{param}/setareas", "correlation_key": "fp|37810a8d00a213b7772b76133b30cbe70f885e3a179bc83145981033cedc4821", "backend_endpoint_count": 833}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/Poracle.js"}, "region": {"startLine": 25}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 111247, "scanner": "repobility-journey-contract", "fingerprint": "9eb0b25e2d9acfe4311ce14d5bf12a958985a4d46b2b331ab10ba875742a3362", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/humans/one/{param}", "correlation_key": "fp|9eb0b25e2d9acfe4311ce14d5bf12a958985a4d46b2b331ab10ba875742a3362", "backend_endpoint_count": 833}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/Poracle.js"}, "region": {"startLine": 22}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 111246, "scanner": "repobility-journey-contract", "fingerprint": "ae6f4e07fa27fec5cf0bd10b6945164fb8bfd085c339ed9eda9cac74c2523662", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/humans/{param}", "correlation_key": "fp|ae6f4e07fa27fec5cf0bd10b6945164fb8bfd085c339ed9eda9cac74c2523662", "backend_endpoint_count": 833}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/Poracle.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 111245, "scanner": "repobility-journey-contract", "fingerprint": "55aab7c8bb4ebbda9cb6b6afab70be0c011f1d522d64a83bb24e5dbc97c28354", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/config/templates", "correlation_key": "fp|55aab7c8bb4ebbda9cb6b6afab70be0c011f1d522d64a83bb24e5dbc97c28354", "backend_endpoint_count": 833}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/Poracle.js"}, "region": {"startLine": 20}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 111244, "scanner": "repobility-journey-contract", "fingerprint": "ab776127d04caad7f230d55a0e790574460e50913ca3b40650c373c04dc9ecc4", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/geofence/all/geojson", "correlation_key": "fp|ab776127d04caad7f230d55a0e790574460e50913ca3b40650c373c04dc9ecc4", "backend_endpoint_count": 833}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/Poracle.js"}, "region": {"startLine": 19}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 111243, "scanner": "repobility-journey-contract", "fingerprint": "610367e7d2fa558ebb1e31db805574b66a6537bba3bbfccec680a38e95bc338c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/config/poracleweb", "correlation_key": "fp|610367e7d2fa558ebb1e31db805574b66a6537bba3bbfccec680a38e95bc338c", "backend_endpoint_count": 833}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/Poracle.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 111242, "scanner": "repobility-journey-contract", "fingerprint": "b492c40c6eb55fb09965171839cb047720669562c4cc7ce51e19953fdadf87a5", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1", "correlation_key": "fp|b492c40c6eb55fb09965171839cb047720669562c4cc7ce51e19953fdadf87a5", "backend_endpoint_count": 833}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/rootRouter.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /deleted."}, "properties": {"repobilityId": 111240, "scanner": "repobility-access-control", "fingerprint": "3a311b69456294453203b32a355b891a56bb73fdb736a696d31b73019c900eee", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/deleted", "method": "ANY", "scanner": "repobility-access-control", "framework": "GraphQL", "correlation_key": "code|auth|token|17|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/graphql/typeDefs/map.graphql"}, "region": {"startLine": 17}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /badge."}, "properties": {"repobilityId": 111239, "scanner": "repobility-access-control", "fingerprint": "d5634896b23f222422390a80fafa845f4b707f309f0aaf1422b76df5cc44321a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/badge", "method": "ANY", "scanner": "repobility-access-control", "framework": "GraphQL", "correlation_key": "code|auth|token|16|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/graphql/typeDefs/map.graphql"}, "region": {"startLine": 16}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /lon."}, "properties": {"repobilityId": 111238, "scanner": "repobility-access-control", "fingerprint": "83d4ec8b0491540c851f5acea52471b15e3b18289feaeb11850d40b6ad15d7b2", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/lon", "method": "ANY", "scanner": "repobility-access-control", "framework": "GraphQL", "correlation_key": "code|auth|token|15|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/graphql/typeDefs/map.graphql"}, "region": {"startLine": 15}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /lat."}, "properties": {"repobilityId": 111237, "scanner": "repobility-access-control", "fingerprint": "8ba23a054c68b0255aa928ac596eef1950abf6a446b9e5fbb5c71bf389c5c9b3", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/lat", "method": "ANY", "scanner": "repobility-access-control", "framework": "GraphQL", "correlation_key": "code|auth|token|14|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/graphql/typeDefs/map.graphql"}, "region": {"startLine": 14}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /url."}, "properties": {"repobilityId": 111236, "scanner": "repobility-access-control", "fingerprint": "93b6eb7f98f28dd4fd5a0158f69c03308954137aa9c3f4a523e8bbc59f99d10b", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/url", "method": "ANY", "scanner": "repobility-access-control", "framework": "GraphQL", "correlation_key": "code|auth|token|13|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/graphql/typeDefs/map.graphql"}, "region": {"startLine": 13}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /name."}, "properties": {"repobilityId": 111235, "scanner": "repobility-access-control", "fingerprint": "cd4839456a49243e71d421e6a2f4e45175624d9af32626350c13400b02748d1a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/name", "method": "ANY", "scanner": "repobility-access-control", "framework": "GraphQL", "correlation_key": "code|auth|token|12|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/graphql/typeDefs/map.graphql"}, "region": {"startLine": 12}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /id."}, "properties": {"repobilityId": 111234, "scanner": "repobility-access-control", "fingerprint": "ea0ecec2b2206429263ba648f308e8e3bbd8cfd297139a53b63f3915753c7145", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/id", "method": "ANY", "scanner": "repobility-access-control", "framework": "GraphQL", "correlation_key": "code|auth|token|11|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/graphql/typeDefs/map.graphql"}, "region": {"startLine": 11}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /import."}, "properties": {"repobilityId": 111233, "scanner": "repobility-access-control", "fingerprint": "ef6164621b1b1fa71f2eb1ea8e71b53551688b4946398ccda6487f3ad1765443", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/import", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|60|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/api/v1/users.js"}, "region": {"startLine": 60}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /export."}, "properties": {"repobilityId": 111232, "scanner": "repobility-access-control", "fingerprint": "55684a47d790f0afc971c9ecb5d9a5d78b28fdc0adb1bbf870a974c0c6143d52", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/export", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|18|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/api/v1/users.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /."}, "properties": {"repobilityId": 111231, "scanner": "repobility-access-control", "fingerprint": "f74ff8aafb61bdd9fc2bc46cfae643e1939e8193962bbd4fb46537a7462974cd", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|8|cwe-285", "duplicate_count": 1, "identity_targets": ["authenticated"], "duplicate_rule_ids": ["AUC004", "AUC009"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["5dbcbf9cbb745a6fab21cca6cff1eca35a0b0ef2a57002189eaee55b6bb6f1d1", "f74ff8aafb61bdd9fc2bc46cfae643e1939e8193962bbd4fb46537a7462974cd"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/api/v1/users.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /latitude."}, "properties": {"repobilityId": 111230, "scanner": "repobility-access-control", "fingerprint": "5fbf6efb6d9609f4b4843a0f83464ab6eaa8f85be1421efc9ef1b72509b33855", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/latitude", "method": "ANY", "scanner": "repobility-access-control", "framework": "GraphQL", "correlation_key": "code|auth|token|7|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/graphql/typeDefs/poracle.graphql"}, "region": {"startLine": 7}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /area."}, "properties": {"repobilityId": 111229, "scanner": "repobility-access-control", "fingerprint": "8ff9af4fefb9ca9e599a82949e09bf3821a22f286f9cb9b5fead182bd7315e42", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/area", "method": "ANY", "scanner": "repobility-access-control", "framework": "GraphQL", "correlation_key": "code|auth|token|6|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/graphql/typeDefs/poracle.graphql"}, "region": {"startLine": 6}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /missing."}, "properties": {"repobilityId": 111228, "scanner": "repobility-access-control", "fingerprint": "ad791323e8a8d128ab47db6196c17eb304f3d5d9f8fbddaaf2af55f2d833fae7", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/missing", "method": "ANY", "scanner": "repobility-access-control", "framework": "GraphQL", "correlation_key": "code|auth|token|237|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/graphql/typeDefs/map.graphql"}, "region": {"startLine": 237}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /ai."}, "properties": {"repobilityId": 111227, "scanner": "repobility-access-control", "fingerprint": "a3e4017415ed028731ff3b6b5016e7e95cfb7eb04c773b8ef6d897311c155485", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/ai", "method": "ANY", "scanner": "repobility-access-control", "framework": "GraphQL", "correlation_key": "code|auth|token|236|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/graphql/typeDefs/map.graphql"}, "region": {"startLine": 236}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /human."}, "properties": {"repobilityId": 111226, "scanner": "repobility-access-control", "fingerprint": "14be9ef75fb73cac3605e18c0c2eb5c29870d71d05d7d55036288cd16070a08a", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/human", "method": "ANY", "scanner": "repobility-access-control", "framework": "GraphQL", "correlation_key": "code|auth|token|235|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/graphql/typeDefs/map.graphql"}, "region": {"startLine": 235}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /admin."}, "properties": {"repobilityId": 111225, "scanner": "repobility-access-control", "fingerprint": "26a5a3bf6af9589983682fc7a37fda8b5e64ac728e2449c2962b7594ffba27b9", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin", "method": "ANY", "scanner": "repobility-access-control", "framework": "GraphQL", "correlation_key": "code|auth|token|231|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/graphql/typeDefs/map.graphql"}, "region": {"startLine": 231}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /loggedIn."}, "properties": {"repobilityId": 111224, "scanner": "repobility-access-control", "fingerprint": "5e3897214a4682985a55c594117318cf2b9c2ea147be16f9bfeebd182ba077ba", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/loggedIn", "method": "ANY", "scanner": "repobility-access-control", "framework": "GraphQL", "correlation_key": "code|auth|token|230|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/graphql/typeDefs/map.graphql"}, "region": {"startLine": 230}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /data."}, "properties": {"repobilityId": 111223, "scanner": "repobility-access-control", "fingerprint": "ccae7ea632f628ce29d34466228175cf4d9976be973dcf083bde5a0ee08ed350", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/data", "method": "ANY", "scanner": "repobility-access-control", "framework": "GraphQL", "correlation_key": "code|auth|token|226|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/graphql/typeDefs/map.graphql"}, "region": {"startLine": 226}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /name."}, "properties": {"repobilityId": 111222, "scanner": "repobility-access-control", "fingerprint": "de221e00a73d863f4c94350031a6512dca531c54cf5a5cf20952a00689a31b8b", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/name", "method": "ANY", "scanner": "repobility-access-control", "framework": "GraphQL", "correlation_key": "code|auth|token|225|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/graphql/typeDefs/map.graphql"}, "region": {"startLine": 225}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 1.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 111218, "scanner": "repobility-access-control", "fingerprint": "8083b85a4e65ab970a52adf90c53eec36873e0d28115a4a70f2a658b0820ef2e", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 833, "correlation_key": "fp|8083b85a4e65ab970a52adf90c53eec36873e0d28115a4a70f2a658b0820ef2e", "auth_visible_percent": 1.3}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 111217, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express", "Next.js", "GraphQL"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-48c2-rrv3-qjmp", "level": "warning", "message": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "properties": {"repobilityId": 111216, "scanner": "osv-scanner", "fingerprint": "70d0d7460be007a4193e90cfe82eaea7100a07bfac6179c6be94dea5dedb7db0", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33532"], "package": "yaml", "rule_id": "GHSA-48c2-rrv3-qjmp", "scanner": "osv-scanner", "correlation_key": "vuln|yaml|CVE-2026-33532|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 111214, "scanner": "osv-scanner", "fingerprint": "d4b419a31e0e9347bcfafa58b7ad490de2bf201d666b0f13dc4b2518b663d57c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g4f-4pwh-qvx6", "level": "warning", "message": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "properties": {"repobilityId": 111213, "scanner": "osv-scanner", "fingerprint": "128d26ea5f5b40a60e9c47ea7ffd50a69def1874a9520acb5439503c3ca8a9e7", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69873"], "package": "ajv", "rule_id": "GHSA-2g4f-4pwh-qvx6", "scanner": "osv-scanner", "correlation_key": "vuln|ajv|CVE-2025-69873|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 111212, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 111211, "scanner": "repobility-docker", "fingerprint": "7504fec8b8baca7f0695087834aad5cadd995e07873c6177d85311de83de7c6c", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:22-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7504fec8b8baca7f0695087834aad5cadd995e07873c6177d85311de83de7c6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 111210, "scanner": "repobility-docker", "fingerprint": "7844fcc39a832d3593af61abbf8bc28c6d5246d39d8c80fbe39847c9f250ce1e", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 18 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 18, "correlation_key": "fp|7844fcc39a832d3593af61abbf8bc28c6d5246d39d8c80fbe39847c9f250ce1e", "dependency_install_line": 19}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 111207, "scanner": "repobility-threat-engine", "fingerprint": "af3c9921434b6462eb44958c885858289f9766dc7eb70814000476c016a69af3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "keys(tutorialData.filters).map((x) => [\n        x,\n        !!Math.round(Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|af3c9921434b6462eb44958c885858289f9766dc7eb70814000476c016a69af3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/tutorial/Sidebar.jsx"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 111206, "scanner": "repobility-threat-engine", "fingerprint": "e903367f89e07cf127cefd0242f76aafb3666c9c9b2c1a7403045642a4641764", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (e) {\n      return null\n    }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e903367f89e07cf127cefd0242f76aafb3666c9c9b2c1a7403045642a4641764"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/nest/NestTile.jsx"}, "region": {"startLine": 127}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 111178, "scanner": "repobility-threat-engine", "fingerprint": "8660e0bf583aa4763f48e38ebaf7c1674134d237fe846ced4ced429761c5b8ea", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|src/utils/checkadvfilter.js|18|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/checkAdvFilter.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 111177, "scanner": "repobility-threat-engine", "fingerprint": "544b9bf25c013922844f99d9b2b351a43aa9a70bf4ac46e90ecfdff557a7f438", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|98|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/filters/pokemon/functions.js"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 111176, "scanner": "repobility-threat-engine", "fingerprint": "1b3668dcae65ecdd325d02ea3147554d7db12c6834c0436507142aedde235cc1", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "exec(input", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|src/utils/checkadvfilter.js|18|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/checkAdvFilter.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 111175, "scanner": "repobility-threat-engine", "fingerprint": "6b05e96b2b62a599287bbe4ff67d673a2b411492856c13c960924e9c058e55ef", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "exec(input", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|98|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/filters/pokemon/functions.js"}, "region": {"startLine": 98}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `volta-cli/action@v4` is 1 major version(s) behind (latest v5.0.0)"}, "properties": {"repobilityId": 111170, "scanner": "repobility-dependency-currency", "fingerprint": "97ec6417b29c18d97cb73898e831788679e0b8002e17d5148fe51f6739a862db", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "volta-cli/action", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v5.0.0", "correlation_key": "fp|97ec6417b29c18d97cb73898e831788679e0b8002e17d5148fe51f6739a862db", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4.1.1` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 111169, "scanner": "repobility-dependency-currency", "fingerprint": "40363415464f4e9f2e5633dd2658e3a165612511244e34b312ad942f95a63840", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|40363415464f4e9f2e5633dd2658e3a165612511244e34b312ad942f95a63840", "current_version": "v4.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4.1.1` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 111168, "scanner": "repobility-dependency-currency", "fingerprint": "a19e223acd1110542431a1b78406c60d92582357da1b396b400438f9a988a6a5", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|a19e223acd1110542431a1b78406c60d92582357da1b396b400438f9a988a6a5", "current_version": "v4.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/config.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4.1.1` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 111167, "scanner": "repobility-dependency-currency", "fingerprint": "c6fe56f811c4966ed48395917b7820406d0b3d046851b8da2a520807ff1fc183", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|c6fe56f811c4966ed48395917b7820406d0b3d046851b8da2a520807ff1fc183", "current_version": "v4.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/locales.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4.1.1` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 111166, "scanner": "repobility-dependency-currency", "fingerprint": "02affe01dfe28c2afd7def94e4387244af6180be8242314a3a7dba67081461bd", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|02affe01dfe28c2afd7def94e4387244af6180be8242314a3a7dba67081461bd", "current_version": "v4.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v4.0.2` is 2 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 111165, "scanner": "repobility-dependency-currency", "fingerprint": "38255ec9741fab6c53f306a07001b548865ba6437714769bf55b0da6e3c26a37", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|38255ec9741fab6c53f306a07001b548865ba6437714769bf55b0da6e3c26a37", "current_version": "v4.0.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4.1.1` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 111164, "scanner": "repobility-dependency-currency", "fingerprint": "f5af99635c0ed9f60946e59ae5c88ca2cec905760a279506c6f4ad930006455c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|f5af99635c0ed9f60946e59ae5c88ca2cec905760a279506c6f4ad930006455c", "current_version": "v4.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v4.0.2` is 2 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 111163, "scanner": "repobility-dependency-currency", "fingerprint": "4d7b8827f1f5a76cccd01c34f6fe1d90f92534b1042f53d5666754bc9d2d8752", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|4d7b8827f1f5a76cccd01c34f6fe1d90f92534b1042f53d5666754bc9d2d8752", "current_version": "v4.0.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sentry.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4.1.1` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 111162, "scanner": "repobility-dependency-currency", "fingerprint": "d5797f7120cdc9c1e18e1edd78f65e4ab908a462b7269700652729698e475e87", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|d5797f7120cdc9c1e18e1edd78f65e4ab908a462b7269700652729698e475e87", "current_version": "v4.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sentry.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `zustand` is 1 major version(s) behind (4.4.6 -> 5.0.14)"}, "properties": {"repobilityId": 111161, "scanner": "repobility-dependency-currency", "fingerprint": "47fd3516c880c715390af46f4a38472bbcf595fff88e4331c1f41a48ec99ea81", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "zustand", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.14", "correlation_key": "fp|47fd3516c880c715390af46f4a38472bbcf595fff88e4331c1f41a48ec99ea81", "current_version": "4.4.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `react-leaflet` is 1 major version(s) behind (4.2.1 -> 5.0.0)"}, "properties": {"repobilityId": 111159, "scanner": "repobility-dependency-currency", "fingerprint": "1164544491ed4d7f5a5e28639cf48770bdd75338e5547a8db7d36f7ce0ab8fb7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-leaflet", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.0", "correlation_key": "fp|1164544491ed4d7f5a5e28639cf48770bdd75338e5547a8db7d36f7ce0ab8fb7", "current_version": "4.2.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `react-ga4` is 2 major version(s) behind (^1.4.1 -> 3.0.1)"}, "properties": {"repobilityId": 111158, "scanner": "repobility-dependency-currency", "fingerprint": "4da3bbbcf34eea14c4be570d2b15386a02fcf25c7b659d00e02dcac816fa0f31", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-ga4", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.1", "correlation_key": "fp|4da3bbbcf34eea14c4be570d2b15386a02fcf25c7b659d00e02dcac816fa0f31", "current_version": "^1.4.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `nodes2ts` is 1 major version(s) behind (3.0.0 -> 4.0.2)"}, "properties": {"repobilityId": 111156, "scanner": "repobility-dependency-currency", "fingerprint": "ca147ba1777a1b1d71d3cae2518cac33679abbb3986edcf4456a69190c834697", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "nodes2ts", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.0.2", "correlation_key": "fp|ca147ba1777a1b1d71d3cae2518cac33679abbb3986edcf4456a69190c834697", "current_version": "3.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `node-fetch` is 1 major version(s) behind (2.7.0 -> 3.3.2)"}, "properties": {"repobilityId": 111154, "scanner": "repobility-dependency-currency", "fingerprint": "c3f8bb7942a5f8decbe0457276e98d5a36a04d63605d978a575f609600e810ff", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "node-fetch", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.3.2", "correlation_key": "fp|c3f8bb7942a5f8decbe0457276e98d5a36a04d63605d978a575f609600e810ff", "current_version": "2.7.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `long` is 1 major version(s) behind (^4.0.0 -> 5.3.2)"}, "properties": {"repobilityId": 111152, "scanner": "repobility-dependency-currency", "fingerprint": "fb97131c1b092cfc863607b8742b4c10e29358c7e4b5770b10acffafe44e41f1", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "long", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.3.2", "correlation_key": "fp|fb97131c1b092cfc863607b8742b4c10e29358c7e4b5770b10acffafe44e41f1", "current_version": "^4.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `i18next-http-backend` is 1 major version(s) behind (3.0.5 -> 4.0.0)"}, "properties": {"repobilityId": 111149, "scanner": "repobility-dependency-currency", "fingerprint": "e081222187d5b4b6c1794d33ca4feacfd2c548c13cbbc059f9d4e63f5754c883", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "i18next-http-backend", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.0.0", "correlation_key": "fp|e081222187d5b4b6c1794d33ca4feacfd2c548c13cbbc059f9d4e63f5754c883", "current_version": "3.0.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `helmet` is 1 major version(s) behind (7.1.0 -> 8.2.0)"}, "properties": {"repobilityId": 111147, "scanner": "repobility-dependency-currency", "fingerprint": "742846a1d3b7bfcb921dd63c181b1980cd0cc69b7ed32a3b67fad6042531fef6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "helmet", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.2.0", "correlation_key": "fp|742846a1d3b7bfcb921dd63c181b1980cd0cc69b7ed32a3b67fad6042531fef6", "current_version": "7.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `geo-tz` is 1 major version(s) behind (^7.0.7 -> 8.1.7)"}, "properties": {"repobilityId": 111146, "scanner": "repobility-dependency-currency", "fingerprint": "b1d499e2a5823592718ff9bbdd3b5ce2523348ac71d312b5967bc07077892ed1", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "geo-tz", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.1.7", "correlation_key": "fp|b1d499e2a5823592718ff9bbdd3b5ce2523348ac71d312b5967bc07077892ed1", "current_version": "^7.0.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `express-rate-limit` is 1 major version(s) behind (7.4.0 -> 8.5.2)"}, "properties": {"repobilityId": 111145, "scanner": "repobility-dependency-currency", "fingerprint": "6efc0bab4930af75ab7872e278e95221087cecd9e403a0a32342392d7907c55b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "express-rate-limit", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.5.2", "correlation_key": "fp|6efc0bab4930af75ab7872e278e95221087cecd9e403a0a32342392d7907c55b", "current_version": "7.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `dotenv` is 1 major version(s) behind (^16.3.1 -> 17.4.2)"}, "properties": {"repobilityId": 111144, "scanner": "repobility-dependency-currency", "fingerprint": "48d82cc9747d07ea070cab195f76aaff20138329cd3f1011b5b67ef1cc5ae160", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "dotenv", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.4.2", "correlation_key": "fp|48d82cc9747d07ea070cab195f76aaff20138329cd3f1011b5b67ef1cc5ae160", "current_version": "^16.3.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `date-fns-tz` is 1 major version(s) behind (^2.0.0 -> 3.2.0)"}, "properties": {"repobilityId": 111143, "scanner": "repobility-dependency-currency", "fingerprint": "87df3311b5f8ca8ec4d5d6b5044dc2a34020c12e843ac3d074f469a83dd59e1d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "date-fns-tz", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.2.0", "correlation_key": "fp|87df3311b5f8ca8ec4d5d6b5044dc2a34020c12e843ac3d074f469a83dd59e1d", "current_version": "^2.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `chokidar` is 2 major version(s) behind (^3.5.3 -> 5.0.0)"}, "properties": {"repobilityId": 111141, "scanner": "repobility-dependency-currency", "fingerprint": "e4fdbd04966b349ea22db45ef62c8c5b0b69fbee56a0f059847a41a0d8df8a48", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "chokidar", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.0", "correlation_key": "fp|e4fdbd04966b349ea22db45ef62c8c5b0b69fbee56a0f059847a41a0d8df8a48", "current_version": "^3.5.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `bcrypt` is 1 major version(s) behind (^5.0.1 -> 6.0.0)"}, "properties": {"repobilityId": 111140, "scanner": "repobility-dependency-currency", "fingerprint": "7f2f8982d4ae898f632ecfed729840d18460ace6e75e9175d6ff601d264afbae", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "bcrypt", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.0.0", "correlation_key": "fp|7f2f8982d4ae898f632ecfed729840d18460ace6e75e9175d6ff601d264afbae", "current_version": "^5.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@mui/material` is 4 major version(s) behind (5.16.7 -> 9.0.1)"}, "properties": {"repobilityId": 111139, "scanner": "repobility-dependency-currency", "fingerprint": "528a7c9bf4d2b5b8ef2628e354dc894e1e3a7b1810d34acb0f11c1e2ebe3ef00", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "4 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@mui/material", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.0.1", "correlation_key": "fp|528a7c9bf4d2b5b8ef2628e354dc894e1e3a7b1810d34acb0f11c1e2ebe3ef00", "current_version": "5.16.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@mui/lab` is 4 major version(s) behind (5.0.0-alpha.173 -> 9.0.0-beta.3)"}, "properties": {"repobilityId": 111138, "scanner": "repobility-dependency-currency", "fingerprint": "2b176a6e0aa874cdea8756e8303ac8815ce7fa992d507954d057d7c23e4345a5", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "4 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@mui/lab", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.0.0-beta.3", "correlation_key": "fp|2b176a6e0aa874cdea8756e8303ac8815ce7fa992d507954d057d7c23e4345a5", "current_version": "5.0.0-alpha.173"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 111259, "scanner": "repobility-web-presence", "fingerprint": "12d1aab6ee1a443feb14574bf5d0fbdb1f0693f388e4ba974e05b2dfd78786e8", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|12d1aab6ee1a443feb14574bf5d0fbdb1f0693f388e4ba974e05b2dfd78786e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 111257, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 111256, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 111255, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 111241, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express", "Next.js", "GraphQL"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "GHSA-73rr-hh4g-fpgx", "level": "note", "message": {"text": "diff: GHSA-73rr-hh4g-fpgx"}, "properties": {"repobilityId": 111215, "scanner": "osv-scanner", "fingerprint": "03944092c5442fa60437db4400a4f39b63afd07f2762be40a6626a21c859ad4b", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24001"], "package": "diff", "rule_id": "GHSA-73rr-hh4g-fpgx", "scanner": "osv-scanner", "correlation_key": "vuln|diff|CVE-2026-24001|yarn.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yarn.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `passport` is minor version(s) behind (^0.6.0 -> 0.7.0)"}, "properties": {"repobilityId": 111157, "scanner": "repobility-dependency-currency", "fingerprint": "1e529b5cfd646135bd4ea9be3385d11ce50da1727a19f27c09aad09ea2dc5567", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "passport", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.7.0", "correlation_key": "fp|1e529b5cfd646135bd4ea9be3385d11ce50da1727a19f27c09aad09ea2dc5567", "current_version": "^0.6.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `node-geocoder` is minor version(s) behind (^4.2.0 -> 4.4.1)"}, "properties": {"repobilityId": 111155, "scanner": "repobility-dependency-currency", "fingerprint": "0c7bf6613dcc5410ca1b3c28f5e7d8941f763d9ae7c014e7436989f1c82acf7b", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "node-geocoder", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.4.1", "correlation_key": "fp|0c7bf6613dcc5410ca1b3c28f5e7d8941f763d9ae7c014e7436989f1c82acf7b", "current_version": "^4.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `mysql2` is minor version(s) behind (3.11.0 -> 3.22.4)"}, "properties": {"repobilityId": 111153, "scanner": "repobility-dependency-currency", "fingerprint": "5197743af1ea30e33eb9fbca6ba7f620396ae1c8ca0d7a10c35eeb9aab4ac8ca", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "mysql2", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.22.4", "correlation_key": "fp|5197743af1ea30e33eb9fbca6ba7f620396ae1c8ca0d7a10c35eeb9aab4ac8ca", "current_version": "3.11.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `leaflet.locatecontrol` is minor version(s) behind (0.85.1 -> 0.90.0)"}, "properties": {"repobilityId": 111151, "scanner": "repobility-dependency-currency", "fingerprint": "5e2f760a030041088493d70d1aec41fdfa66251f8449542cbb5b5bb4420aff5f", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "leaflet.locatecontrol", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.90.0", "correlation_key": "fp|5e2f760a030041088493d70d1aec41fdfa66251f8449542cbb5b5bb4420aff5f", "current_version": "0.85.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `knex` is minor version(s) behind (3.1.0 -> 3.2.10)"}, "properties": {"repobilityId": 111150, "scanner": "repobility-dependency-currency", "fingerprint": "36e431a14a7a1800183e72584a4dce2bb8bb3bab9d9b9d95a73ce17628e4dc9a", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "knex", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.2.10", "correlation_key": "fp|36e431a14a7a1800183e72584a4dce2bb8bb3bab9d9b9d95a73ce17628e4dc9a", "current_version": "3.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `i18next-browser-languagedetector` is minor version(s) behind (8.0.0 -> 8.2.1)"}, "properties": {"repobilityId": 111148, "scanner": "repobility-dependency-currency", "fingerprint": "dc0c97d1d9c36363273e6c0c3c8e038a70d9266da5fff981686291f435509411", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "i18next-browser-languagedetector", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.2.1", "correlation_key": "fp|dc0c97d1d9c36363273e6c0c3c8e038a70d9266da5fff981686291f435509411", "current_version": "8.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `compression` is minor version(s) behind (^1.7.4 -> 1.8.1)"}, "properties": {"repobilityId": 111142, "scanner": "repobility-dependency-currency", "fingerprint": "bf1d95fbf1cc0c024309949a2388b99f51a0220ae353a533f4f0b6826355f3d4", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "compression", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.8.1", "correlation_key": "fp|bf1d95fbf1cc0c024309949a2388b99f51a0220ae353a533f4f0b6826355f3d4", "current_version": "^1.7.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@monaco-editor/react` is minor version(s) behind (4.6.0 -> 4.7.0)"}, "properties": {"repobilityId": 111137, "scanner": "repobility-dependency-currency", "fingerprint": "0df923d19567b25754ea5e0d4d9e646c473a2dbaa18c0b82d8cac5330fc2bdbc", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@monaco-editor/react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.7.0", "correlation_key": "fp|0df923d19567b25754ea5e0d4d9e646c473a2dbaa18c0b82d8cac5330fc2bdbc", "current_version": "4.6.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111119, "scanner": "repobility-ai-code-hygiene", "fingerprint": "071ff116caaa2bf0b51727960b8300de8e61fcb1cae0aa50b2554f92cffb6a38", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/features/webhooks/WebhookAdv.jsx", "duplicate_line": 691, "correlation_key": "fp|071ff116caaa2bf0b51727960b8300de8e61fcb1cae0aa50b2554f92cffb6a38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/webhooks/human/Location.jsx"}, "region": {"startLine": 151}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111118, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b3e5acbe35a67e84afa23d077a4616878cb998668ae2fb46a819ce1875183df3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/features/nest/NestPopup.jsx", "duplicate_line": 96, "correlation_key": "fp|b3e5acbe35a67e84afa23d077a4616878cb998668ae2fb46a819ce1875183df3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/pokemon/PokemonPopup.jsx"}, "region": {"startLine": 392}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111117, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ef12c65c54aba16514ac8463c1586bebaadd8d6b9af4ac0a0c5b01f584ef43f4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/features/drawer/Stations.jsx", "duplicate_line": 27, "correlation_key": "fp|ef12c65c54aba16514ac8463c1586bebaadd8d6b9af4ac0a0c5b01f584ef43f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/drawer/gyms/Raids.jsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111116, "scanner": "repobility-ai-code-hygiene", "fingerprint": "afa105b1144b3f2dc084f0ff9430f224fb199be1c9885bf8173fa9b344d713d2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/utils/getPlacementCells.js", "duplicate_line": 16, "correlation_key": "fp|afa105b1144b3f2dc084f0ff9430f224fb199be1c9885bf8173fa9b344d713d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/utils/getTypeCells.js"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 111115, "scanner": "repobility-ai-code-hygiene", "fingerprint": "27e22522865f1b99b6130ceed1e908a6b30bf03389356c1975616d343241a107", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/models/Backup.js", "duplicate_line": 8, "correlation_key": "fp|27e22522865f1b99b6130ceed1e908a6b30bf03389356c1975616d343241a107"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/models/Badge.js"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 111208, "scanner": "repobility-threat-engine", "fingerprint": "29e92a91d1e4be588a285adea1125306390cdd7fe1af2ba2fde7cc6baca10ce4", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log('ReactMap Version:', CONFIG.client.version)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|src/index.jsx|1|console.log reactmap version: config.client.version"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/index.jsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 111205, "scanner": "repobility-threat-engine", "fingerprint": "bbcb733a3fba112627e4b7e830cefd1595cf5645df4ccaa9a211a5c5e0592cd4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|bbcb733a3fba112627e4b7e830cefd1595cf5645df4ccaa9a211a5c5e0592cd4", "aggregated_count": 6}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 111204, "scanner": "repobility-threat-engine", "fingerprint": "d98c3a24d11252f459ad876872e06f5e2129b225ab7afd92808cc3481e8a8ee7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d98c3a24d11252f459ad876872e06f5e2129b225ab7afd92808cc3481e8a8ee7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/builder/Motd.jsx"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 111203, "scanner": "repobility-threat-engine", "fingerprint": "0225d4f9c1283f2ee315a33e4ed241a21836c371f8f52fbc040c41429e938207", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0225d4f9c1283f2ee315a33e4ed241a21836c371f8f52fbc040c41429e938207"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/builder/LoginPage.jsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 111202, "scanner": "repobility-threat-engine", "fingerprint": "9d91632dbc500a02c420a725409c9b4af1eca4b23da39b9c3276a1779112d4d5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9d91632dbc500a02c420a725409c9b4af1eca4b23da39b9c3276a1779112d4d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/builder/DonorPage.jsx"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 111194, "scanner": "repobility-threat-engine", "fingerprint": "b7c14669017ac17f4db12a528258a3816694f17f5dd761479089aa28c6c6fa10", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b7c14669017ac17f4db12a528258a3816694f17f5dd761479089aa28c6c6fa10"}}}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 111186, "scanner": "repobility-threat-engine", "fingerprint": "a77883d7585100fde0f98c9df8d1307665bb2cbb9f49ae955bec59ad51a446f9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a77883d7585100fde0f98c9df8d1307665bb2cbb9f49ae955bec59ad51a446f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/index.js"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 111185, "scanner": "repobility-threat-engine", "fingerprint": "133d0321df668823d68fda7a262cc53d13053f2174d79a753e1fabffb7f20eec", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|133d0321df668823d68fda7a262cc53d13053f2174d79a753e1fabffb7f20eec", "aggregated_count": 4}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 111184, "scanner": "repobility-threat-engine", "fingerprint": "4aaf30040bdc054f013248f0435abf24fb99e9b05e92d7757e788e3fa210826c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4aaf30040bdc054f013248f0435abf24fb99e9b05e92d7757e788e3fa210826c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/logUserAuth.js"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 111183, "scanner": "repobility-threat-engine", "fingerprint": "259bd81e3253c2a38bfb47e3344c42e52dbee7a16554c53f76f8ec0772c7bf92", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|259bd81e3253c2a38bfb47e3344c42e52dbee7a16554c53f76f8ec0772c7bf92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/models/Route.js"}, "region": {"startLine": 176}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 111182, "scanner": "repobility-threat-engine", "fingerprint": "bffe0d6e5779ba00b4cc2a359da1919176eb8abb6f83481251ccadbde42af963", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bffe0d6e5779ba00b4cc2a359da1919176eb8abb6f83481251ccadbde42af963"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/index.js"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 111174, "scanner": "repobility-threat-engine", "fingerprint": "f1e161962fe043d40b0b62354f7238946ffae30e19da416a3889d752e32876be", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f1e161962fe043d40b0b62354f7238946ffae30e19da416a3889d752e32876be", "aggregated_count": 8}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 111173, "scanner": "repobility-threat-engine", "fingerprint": "2fc2a49ad86bfc3e50ca537c5a9d70a823a38812d15c788ae8e73d049e063f72", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2fc2a49ad86bfc3e50ca537c5a9d70a823a38812d15c788ae8e73d049e063f72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/device/DevicePath.jsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 111172, "scanner": "repobility-threat-engine", "fingerprint": "9dbccb3ff793883c8358079291d4cabd94243c93413ce97ccf0acd24b978d312", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9dbccb3ff793883c8358079291d4cabd94243c93413ce97ccf0acd24b978d312"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/filters/StringFilter.jsx"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 111171, "scanner": "repobility-threat-engine", "fingerprint": "c5bc3bc2a72eb549419dc21598b6fddf2b1e6e1a22dc3449fa1b18f2c058ffb1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c5bc3bc2a72eb549419dc21598b6fddf2b1e6e1a22dc3449fa1b18f2c058ffb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/loading.js"}, "region": {"startLine": 36}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `source-map` is patch version(s) behind (^0.7.4 -> 0.7.6)"}, "properties": {"repobilityId": 111160, "scanner": "repobility-dependency-currency", "fingerprint": "fdae10c5cf0c9abe321d3a22eeb2671fd48aacbeafcbffd57caa43bd78fefceb", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "source-map", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.7.6", "correlation_key": "fp|fdae10c5cf0c9abe321d3a22eeb2671fd48aacbeafcbffd57caa43bd78fefceb", "current_version": "^0.7.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /telegram/:id."}, "properties": {"repobilityId": 111221, "scanner": "repobility-access-control", "fingerprint": "398ac8862ea6b5a048ef409e02bdf04c3a8a562a55a229f4ab9f68027cca752a", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/telegram/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|150|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/api/v1/users.js"}, "region": {"startLine": 150}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /discord/:id."}, "properties": {"repobilityId": 111220, "scanner": "repobility-access-control", "fingerprint": "74adcc809e3084b01bf34e7d36e8e8c95c9c5fcaf4c48770223599236063963c", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/discord/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|137|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/api/v1/users.js"}, "region": {"startLine": 137}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /:id."}, "properties": {"repobilityId": 111219, "scanner": "repobility-access-control", "fingerprint": "3b2a6b38051bb48a62e4ebee8d37e1166970a975fbeabfcfbab66264f9797185", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|126|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/api/v1/users.js"}, "region": {"startLine": 126}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 111209, "scanner": "repobility-docker", "fingerprint": "4856c11f698f24a8cdfdc055f5bc3cc4d44015592c1b33b23d2839d2095994d0", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|4856c11f698f24a8cdfdc055f5bc3cc4d44015592c1b33b23d2839d2095994d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 111201, "scanner": "repobility-threat-engine", "fingerprint": "781611c210dbffe5c0114d0476d1c28d427be2b35beea84e7c4f2ee869cc9ae8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "existing.delete(area)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|781611c210dbffe5c0114d0476d1c28d427be2b35beea84e7c4f2ee869cc9ae8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/store/useStorage.js"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 111200, "scanner": "repobility-threat-engine", "fingerprint": "7a861dc53f785e7e559d4c9a74f522ccaef8ce22194f49ecdd49a7c7df1cdbed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "req.session.save()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7a861dc53f785e7e559d4c9a74f522ccaef8ce22194f49ecdd49a7c7df1cdbed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/rootRouter.js"}, "region": {"startLine": 168}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 111199, "scanner": "repobility-threat-engine", "fingerprint": "28dc0c57e90fe5b618c2c3c14a0aae9fc7b3538d7a4f1b743bf5f2fb2d6f39ea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Router.post('/api/error/client', async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|28dc0c57e90fe5b618c2c3c14a0aae9fc7b3538d7a4f1b743bf5f2fb2d6f39ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/rootRouter.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 111198, "scanner": "repobility-threat-engine", "fingerprint": "038a91e1cbc6d5e8c2cf3de181d78554d2c20b604205a5c2be69e555edc7e377", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.post('/import', async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|038a91e1cbc6d5e8c2cf3de181d78554d2c20b604205a5c2be69e555edc7e377"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/api/v1/users.js"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 111197, "scanner": "repobility-threat-engine", "fingerprint": "8deff7a3de1571878dd561d34d068bbd2afd2d2d58811b75872605f37eab50b9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.put('/:category', async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8deff7a3de1571878dd561d34d068bbd2afd2d2d58811b75872605f37eab50b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/api/v1/available.js"}, "region": {"startLine": 113}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 111193, "scanner": "repobility-threat-engine", "fingerprint": "4d0d14627d92a59d82d16ba21bec816e9a453ff7bb293370096033d4ca5400b9", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n      (perm) => `${capCamel(perm)}: ${userPerms[perm] ? '\\u2705' : '\\u274c'}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4d0d14627d92a59d82d16ba21bec816e9a453ff7bb293370096033d4ca5400b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/logUserAuth.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 111192, "scanner": "repobility-threat-engine", "fingerprint": "aa95584516f3dffa56ad98fdc5cbb599f2f2eaed549eda7f7c02b64a5523b859", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n                ({ name, value }) =>\n                  `<p><strong>${name}</strong>: ${value}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aa95584516f3dffa56ad98fdc5cbb599f2f2eaed549eda7f7c02b64a5523b859"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/AuthClient.js"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 111191, "scanner": "repobility-threat-engine", "fingerprint": "5954b81c79404bc169397dd5426cdaba1729a2769e30fbc896577d1a31a8fc07", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((itemId) => `q${itemId}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5954b81c79404bc169397dd5426cdaba1729a2769e30fbc896577d1a31a8fc07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/models/Tappable.js"}, "region": {"startLine": 153}}}]}, {"ruleId": "SEC035", "level": "error", "message": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants."}, "properties": {"repobilityId": 111190, "scanner": "repobility-threat-engine", "fingerprint": "2c3779386658ac14b170a716fd5e2a1e766a9dad36219faca62829aac0a3993c", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "bytes(req.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC035", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2c3779386658ac14b170a716fd5e2a1e766a9dad36219faca62829aac0a3993c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/middleware/logger.js"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 111189, "scanner": "repobility-threat-engine", "fingerprint": "5b9d190e637df08100c25a2746775bb617882c1371e05222741af86c0d3e9607", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5b9d190e637df08100c25a2746775bb617882c1371e05222741af86c0d3e9607"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/middleware/secret.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 111188, "scanner": "repobility-threat-engine", "fingerprint": "9b1924681b6c3a5ade0628edd1eefe162ef206b26d168f676de2b1541d4e1521", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9b1924681b6c3a5ade0628edd1eefe162ef206b26d168f676de2b1541d4e1521"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/middleware/logger.js"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 111187, "scanner": "repobility-threat-engine", "fingerprint": "bdff0f30888a9a579da9b9e99dc9cf1268ebfc5cb36049165512177e17c6d0a1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bdff0f30888a9a579da9b9e99dc9cf1268ebfc5cb36049165512177e17c6d0a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/middleware/error.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 111181, "scanner": "repobility-threat-engine", "fingerprint": "07ff18dc69370a78f73077f21c4cf93ee778f29c3e707b3db3290e728b6caf0c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|07ff18dc69370a78f73077f21c4cf93ee778f29c3e707b3db3290e728b6caf0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/graphql/server.js"}, "region": {"startLine": 126}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 111180, "scanner": "repobility-threat-engine", "fingerprint": "21d47a85ae8285e702ae0b190f9f569d2c4b8e1b0d8b63426d428cd46c1c41df", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|21d47a85ae8285e702ae0b190f9f569d2c4b8e1b0d8b63426d428cd46c1c41df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/checkAdvFilter.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 111179, "scanner": "repobility-threat-engine", "fingerprint": "92c50aa3028ccc59cd1d42122c36c4b87d6db3da25c8306132bb020250850de9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|92c50aa3028ccc59cd1d42122c36c4b87d6db3da25c8306132bb020250850de9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/filters/pokemon/functions.js"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED117", "level": "error", "message": {"text": "Workflow declares `permissions: write-all`"}, "properties": {"repobilityId": 111136, "scanner": "repobility-supply-chain", "fingerprint": "03664ad4f3efd66d25475cfc78810123a9559090740115969d57d3676e823e24", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-write-all-permissions", "owasp": "A01:2021", "cwe_ids": ["CWE-269"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|03664ad4f3efd66d25475cfc78810123a9559090740115969d57d3676e823e24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `volta-cli/action` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 111135, "scanner": "repobility-supply-chain", "fingerprint": "cb6db7be7e5d58317f4c97300fbf6ca07ca74a7013c7feffc9da524574202b41", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cb6db7be7e5d58317f4c97300fbf6ca07ca74a7013c7feffc9da524574202b41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4.1.1`"}, "properties": {"repobilityId": 111134, "scanner": "repobility-supply-chain", "fingerprint": "d543f2f4623d3638134708eb5b11b3becbdb872e90a9823133b245749fe3f384", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d543f2f4623d3638134708eb5b11b3becbdb872e90a9823133b245749fe3f384"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4.1.1`"}, "properties": {"repobilityId": 111133, "scanner": "repobility-supply-chain", "fingerprint": "d951c679a528023f2270eafc8d8146cef902f76565da1cf0c7d876ec9a4404d5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d951c679a528023f2270eafc8d8146cef902f76565da1cf0c7d876ec9a4404d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/config.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED117", "level": "error", "message": {"text": "Workflow declares `permissions: write-all`"}, "properties": {"repobilityId": 111132, "scanner": "repobility-supply-chain", "fingerprint": "77558899ce5af86de46be1e04e8c932fe1029657ecac640e5e03ad9c1d8a038b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-write-all-permissions", "owasp": "A01:2021", "cwe_ids": ["CWE-269"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|77558899ce5af86de46be1e04e8c932fe1029657ecac640e5e03ad9c1d8a038b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/locales.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4.1.1`"}, "properties": {"repobilityId": 111131, "scanner": "repobility-supply-chain", "fingerprint": "5dbbbe8ced2fd34945eed60f3d3ed4a33a1e66eb873a6e0eb9227fc34361a3ee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5dbbbe8ced2fd34945eed60f3d3ed4a33a1e66eb873a6e0eb9227fc34361a3ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/locales.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4.1.1`"}, "properties": {"repobilityId": 111130, "scanner": "repobility-supply-chain", "fingerprint": "1ae8fcecab73035426efb945d192bccd66e49473e7e3e55c737a549bffb14936", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ae8fcecab73035426efb945d192bccd66e49473e7e3e55c737a549bffb14936"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4.0.2`"}, "properties": {"repobilityId": 111129, "scanner": "repobility-supply-chain", "fingerprint": "a82c2343e04875d7ea02afe9fa9af394c0b1ae62fa15c7436ee6c18305d66a30", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a82c2343e04875d7ea02afe9fa9af394c0b1ae62fa15c7436ee6c18305d66a30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4.1.1`"}, "properties": {"repobilityId": 111128, "scanner": "repobility-supply-chain", "fingerprint": "653b2f5ca526c1b0884bd419ac8c7b0f0b06b0374fe0252a276c3ab0d3a4cf8a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|653b2f5ca526c1b0884bd419ac8c7b0f0b06b0374fe0252a276c3ab0d3a4cf8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4.0.2`"}, "properties": {"repobilityId": 111127, "scanner": "repobility-supply-chain", "fingerprint": "e40588cc739e6f52e30a3eb04644c6c57849de83f23b68484f45d779ac056723", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e40588cc739e6f52e30a3eb04644c6c57849de83f23b68484f45d779ac056723"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sentry.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4.1.1`"}, "properties": {"repobilityId": 111126, "scanner": "repobility-supply-chain", "fingerprint": "090b6933c19c927d77b5e2825138c01654825c423a3990cebbc9e6b6897f71b5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|090b6933c19c927d77b5e2825138c01654825c423a3990cebbc9e6b6897f71b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sentry.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `passport-discord` pulled from URL/Git"}, "properties": {"repobilityId": 111125, "scanner": "repobility-supply-chain", "fingerprint": "3255223fc4ffe0aeef6a88d45e413d988371e6f599f5026ac5f96aa8cffe686c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3255223fc4ffe0aeef6a88d45e413d988371e6f599f5026ac5f96aa8cffe686c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/types/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:22-alpine` not pinned by digest"}, "properties": {"repobilityId": 111124, "scanner": "repobility-supply-chain", "fingerprint": "15c70163e0f73bc5be0182b049860d401b2be6be8a52e78110ba3b16dc1d1d8d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|15c70163e0f73bc5be0182b049860d401b2be6be8a52e78110ba3b16dc1d1d8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `passport-discord` pulled from URL/Git"}, "properties": {"repobilityId": 111123, "scanner": "repobility-supply-chain", "fingerprint": "3a6f606f19cd4ccc6ace721f81ed7fae5f90bafa455ffcb3fb2ab4a733d25de9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3a6f606f19cd4ccc6ace721f81ed7fae5f90bafa455ffcb3fb2ab4a733d25de9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `chalkercli` pulled from URL/Git"}, "properties": {"repobilityId": 111122, "scanner": "repobility-supply-chain", "fingerprint": "74820bd4ddbf4dc1264888fa0efc9973fafd02171c25c73d2c744e2881fd0768", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|74820bd4ddbf4dc1264888fa0efc9973fafd02171c25c73d2c744e2881fd0768"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /import has no auth"}, "properties": {"repobilityId": 111121, "scanner": "repobility-route-auth", "fingerprint": "9a34ff5236c430b8dab301d7946dc7069fc83d51b5368496ba28272b3e419737", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|9a34ff5236c430b8dab301d7946dc7069fc83d51b5368496ba28272b3e419737"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/api/v1/users.js"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT /:category has no auth"}, "properties": {"repobilityId": 111120, "scanner": "repobility-route-auth", "fingerprint": "a72b25f40994d34a9215d30d242542d19cf890819679fe3b48157de3641605b0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|a72b25f40994d34a9215d30d242542d19cf890819679fe3b48157de3641605b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/api/v1/available.js"}, "region": {"startLine": 113}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 111114, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 111196, "scanner": "repobility-threat-engine", "fingerprint": "9ac5ed64a1b662538617d0b693055a2f64e345b2c6940d444b7bd2479c8861f0", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9ac5ed64a1b662538617d0b693055a2f64e345b2c6940d444b7bd2479c8861f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/state.js"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 111195, "scanner": "repobility-threat-engine", "fingerprint": "53f7e0cd91a152ab13e9750bdd48ff170faac39367bb66392cd9240d70db7c13", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(resolve", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|53f7e0cd91a152ab13e9750bdd48ff170faac39367bb66392cd9240d70db7c13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/api/index.js"}, "region": {"startLine": 16}}}]}]}]}