{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 27.3% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 27.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 27.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r4q5-vmmm-2653", "name": "follow-redirects: GHSA-r4q5-vmmm-2653", "shortDescription": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "fullDescription": {"text": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jxxr-4gwj-5jf2", "name": "brace-expansion: GHSA-jxxr-4gwj-5jf2", "shortDescription": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "fullDescription": {"text": "brace-expansion: Large numeric range defeats documented `max` DoS protection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xx6v-rp6x-q39c", "name": "axios: GHSA-xx6v-rp6x-q39c", "shortDescription": {"text": "axios: GHSA-xx6v-rp6x-q39c"}, "fullDescription": {"text": "Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w9j2-pvgh-6h63", "name": "axios: GHSA-w9j2-pvgh-6h63", "shortDescription": {"text": "axios: GHSA-w9j2-pvgh-6h63"}, "fullDescription": {"text": "Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vf2m-468p-8v99", "name": "axios: GHSA-vf2m-468p-8v99", "shortDescription": {"text": "axios: GHSA-vf2m-468p-8v99"}, "fullDescription": {"text": "Axios: HTTP adapter streamed responses bypass maxContentLength"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-m7pr-hjqh-92cm", "name": "axios: GHSA-m7pr-hjqh-92cm", "shortDescription": {"text": "axios: GHSA-m7pr-hjqh-92cm"}, "fullDescription": {"text": "Axios: no_proxy bypass via IP alias allows SSRF"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fvcv-3m26-pcqx", "name": "axios: GHSA-fvcv-3m26-pcqx", "shortDescription": {"text": "axios: GHSA-fvcv-3m26-pcqx"}, "fullDescription": {"text": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-898c-q2cr-xwhg", "name": "axios: GHSA-898c-q2cr-xwhg", "shortDescription": {"text": "axios: GHSA-898c-q2cr-xwhg"}, "fullDescription": {"text": "axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-62hf-57xw-28j9", "name": "axios: GHSA-62hf-57xw-28j9", "shortDescription": {"text": "axios: GHSA-62hf-57xw-28j9"}, "fullDescription": {"text": "Axios: unbounded recursion in toFormData causes DoS via deeply nested request data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5c9x-8gcm-mpgx", "name": "axios: GHSA-5c9x-8gcm-mpgx", "shortDescription": {"text": "axios: GHSA-5c9x-8gcm-mpgx"}, "fullDescription": {"text": "Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-445q-vr5w-6q77", "name": "axios: GHSA-445q-vr5w-6q77", "shortDescription": {"text": "axios: GHSA-445q-vr5w-6q77"}, "fullDescription": {"text": "Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3w6x-2g7m-8v23", "name": "axios: GHSA-3w6x-2g7m-8v23", "shortDescription": {"text": "axios: GHSA-3w6x-2g7m-8v23"}, "fullDescription": {"text": "Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-72xp-p242-47p9", "name": "symfony/routing: GHSA-72xp-p242-47p9", "shortDescription": {"text": "symfony/routing: GHSA-72xp-p242-47p9"}, "fullDescription": {"text": "Symfony has a UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation \u2192 Off-Site //host URL Injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vqc8-7275-q272", "name": "symfony/mime: GHSA-vqc8-7275-q272", "shortDescription": {"text": "symfony/mime: GHSA-vqc8-7275-q272"}, "fullDescription": {"text": "Symfony has Email Header Injection via Non-Token Characters in Mime Parameter Names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xx3c-qf5g-hc39", "name": "symfony/mailer: GHSA-xx3c-qf5g-hc39", "shortDescription": {"text": "symfony/mailer: GHSA-xx3c-qf5g-hc39"}, "fullDescription": {"text": "Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6439-2f28-8p8q", "name": "symfony/http-kernel: GHSA-6439-2f28-8p8q", "shortDescription": {"text": "symfony/http-kernel: GHSA-6439-2f28-8p8q"}, "fullDescription": {"text": "Synfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "depends_on controls startup order, but without condition: service_healthy an app can start while the database is still initializing and fail intermittently."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `ozzie.test` image has no explicit tag", "shortDescription": {"text": "Compose service `ozzie.test` image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve to a mutable default tag, which weakens reproducibility and review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `stylelint-config-standard` is 4 major version(s) behind (36.0.1 -> 40.0.0)", "shortDescription": {"text": "npm package `stylelint-config-standard` is 4 major version(s) behind (36.0.1 -> 40.0.0)"}, "fullDescription": {"text": "`stylelint-config-standard` is pinned/resolved at 36.0.1 but the latest stable release on the npm registry is 40.0.0 (4 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-xhjh-pmcv-23jw", "name": "axios: GHSA-xhjh-pmcv-23jw", "shortDescription": {"text": "axios: GHSA-xhjh-pmcv-23jw"}, "fullDescription": {"text": "Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2p3-7m5p-cv8x", "name": "symfony/yaml: GHSA-c2p3-7m5p-cv8x", "shortDescription": {"text": "symfony/yaml: GHSA-c2p3-7m5p-cv8x"}, "fullDescription": {"text": "Symfony hardened the parser when handling untrusted input"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9frc-8383-795m", "name": "symfony/yaml: GHSA-9frc-8383-795m", "shortDescription": {"text": "symfony/yaml: GHSA-9frc-8383-795m"}, "fullDescription": {"text": "Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4qpc-3hr4-r2p4", "name": "symfony/yaml: GHSA-4qpc-3hr4-r2p4", "shortDescription": {"text": "symfony/yaml: GHSA-4qpc-3hr4-r2p4"}, "fullDescription": {"text": "Symfony's YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion (\"Billion Laughs\")"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2xf4-cg6j-vhgq", "name": "symfony/polyfill-intl-idn: GHSA-2xf4-cg6j-vhgq", "shortDescription": {"text": "symfony/polyfill-intl-idn: GHSA-2xf4-cg6j-vhgq"}, "fullDescription": {"text": "symfony/polyfill-intl-idn: xn-- labels with ASCII-only Punycode payloads are treated as equivalent to their decoded form"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r854-jrxh-36qx", "name": "phpseclib/phpseclib: GHSA-r854-jrxh-36qx", "shortDescription": {"text": "phpseclib/phpseclib: GHSA-r854-jrxh-36qx"}, "fullDescription": {"text": "phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC017", "name": "Database password is wired through an environment variable placeholder", "shortDescription": {"text": "Database password is wired through an environment variable placeholder"}, "fullDescription": {"text": "Environment placeholders are not committed secrets, but database official images often support *_FILE variables so Compose secrets can provide narrower filesystem-based access."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.58, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED048", "name": "[MINED048] Php Error Suppress (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED048] Php Error Suppress (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /prs/{id}."}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /prs/{id}."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "GHSA-v39h-62p7-jpjc", "name": "fast-uri: GHSA-v39h-62p7-jpjc", "shortDescription": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "fullDescription": {"text": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q3j6-qgpj-74h6", "name": "fast-uri: GHSA-q3j6-qgpj-74h6", "shortDescription": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "fullDescription": {"text": "fast-uri vulnerable to path traversal via percent-encoded dot segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8qp-cvcw-x6jj", "name": "axios: GHSA-q8qp-cvcw-x6jj", "shortDescription": {"text": "axios: GHSA-q8qp-cvcw-x6jj"}, "fullDescription": {"text": "Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pf86-5x62-jrwf", "name": "axios: GHSA-pf86-5x62-jrwf", "shortDescription": {"text": "axios: GHSA-pf86-5x62-jrwf"}, "fullDescription": {"text": "Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p92q-9vqr-4j8v", "name": "axios: GHSA-p92q-9vqr-4j8v", "shortDescription": {"text": "axios: GHSA-p92q-9vqr-4j8v"}, "fullDescription": {"text": "Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j5f8-grm9-p9fc", "name": "axios: GHSA-j5f8-grm9-p9fc", "shortDescription": {"text": "axios: GHSA-j5f8-grm9-p9fc"}, "fullDescription": {"text": "Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hfxv-24rg-xrqf", "name": "axios: GHSA-hfxv-24rg-xrqf", "shortDescription": {"text": "axios: GHSA-hfxv-24rg-xrqf"}, "fullDescription": {"text": "Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-777c-7fjr-54vf", "name": "axios: GHSA-777c-7fjr-54vf", "shortDescription": {"text": "axios: GHSA-777c-7fjr-54vf"}, "fullDescription": {"text": "Allocation of Resources Without Limits or Throttling in Axios"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6chq-wfr3-2hj9", "name": "axios: GHSA-6chq-wfr3-2hj9", "shortDescription": {"text": "axios: GHSA-6chq-wfr3-2hj9"}, "fullDescription": {"text": "Axios: Header Injection via Prototype Pollution"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-pjwm-pj3p-43mv", "name": "axios: GHSA-pjwm-pj3p-43mv", "shortDescription": {"text": "axios: GHSA-pjwm-pj3p-43mv"}, "fullDescription": {"text": "axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3g43-6gmg-66jw", "name": "axios: GHSA-3g43-6gmg-66jw", "shortDescription": {"text": "axios: GHSA-3g43-6gmg-66jw"}, "fullDescription": {"text": "axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-35jp-ww65-95wh", "name": "axios: GHSA-35jp-ww65-95wh", "shortDescription": {"text": "axios: GHSA-35jp-ww65-95wh"}, "fullDescription": {"text": "axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fv7c-fp4j-7gwp", "name": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp", "shortDescription": {"text": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp"}, "fullDescription": {"text": "@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qpmx-3rfj-7rhv", "name": "symfony/mime: GHSA-qpmx-3rfj-7rhv", "shortDescription": {"text": "symfony/mime: GHSA-qpmx-3rfj-7rhv"}, "fullDescription": {"text": "Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\\Component\\Mime\\Address"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3qpq-r242-jqj7", "name": "phpseclib/phpseclib: GHSA-3qpq-r242-jqj7", "shortDescription": {"text": "phpseclib/phpseclib: GHSA-3qpq-r242-jqj7"}, "fullDescription": {"text": "phpseclib has a CVE-2024-27355 mitigation bypass \u2014 OID amplification DoS in ASN1::decodeOID()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `tighten/duster-action` pinned to mutable ref `@v3`", "shortDescription": {"text": "Action `tighten/duster-action` pinned to mutable ref `@v3`"}, "fullDescription": {"text": "`uses: tighten/duster-action@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1019"}, "properties": {"repository": "tighten/ozzie", "repoUrl": "https://github.com/tighten/ozzie", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 95612, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 95611, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 27.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 95604, "scanner": "repobility-access-control", "fingerprint": "1a5c957fed77051b83f7ec491fa132909bd838d304bff7ef9d4395f92924ebe7", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 11, "correlation_key": "fp|1a5c957fed77051b83f7ec491fa132909bd838d304bff7ef9d4395f92924ebe7", "auth_visible_percent": 27.3}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 95603, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Laravel"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 95602, "scanner": "osv-scanner", "fingerprint": "47af66b2941511910bef679f7fdc36232d020247a0f6ed279e094f6f5cfdf3b5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 95601, "scanner": "osv-scanner", "fingerprint": "33aa829b4458c5ef73d832c9e568cf3032217bd31f4b18cc6a572d90111a50bb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r4q5-vmmm-2653", "level": "warning", "message": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "properties": {"repobilityId": 95600, "scanner": "osv-scanner", "fingerprint": "248c1e434ec83c5a892dfdf2f0e0aa80ddc9030d3cbaccddc0f5a14a5c6577be", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "follow-redirects", "rule_id": "GHSA-r4q5-vmmm-2653", "scanner": "osv-scanner", "correlation_key": "vuln|follow-redirects|GHSA-R4Q5-VMMM-2653|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jxxr-4gwj-5jf2", "level": "warning", "message": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "properties": {"repobilityId": 95597, "scanner": "osv-scanner", "fingerprint": "424de426cd602f1c8b6679b49b7bfe47ca14575769f019abfeaa4836511a1e32", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45149"], "package": "brace-expansion", "rule_id": "GHSA-jxxr-4gwj-5jf2", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-45149|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 95596, "scanner": "osv-scanner", "fingerprint": "e8eb0ab1ffbb15b3b127c7436af364aa04d69dbc42fb22d21fcb4f304d428269", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xx6v-rp6x-q39c", "level": "warning", "message": {"text": "axios: GHSA-xx6v-rp6x-q39c"}, "properties": {"repobilityId": 95595, "scanner": "osv-scanner", "fingerprint": "1b1ce84a73c4616c503ae499f1e9f71bb5504b91f278108b93fbda72873fe978", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42042"], "package": "axios", "rule_id": "GHSA-xx6v-rp6x-q39c", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42042|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w9j2-pvgh-6h63", "level": "warning", "message": {"text": "axios: GHSA-w9j2-pvgh-6h63"}, "properties": {"repobilityId": 95593, "scanner": "osv-scanner", "fingerprint": "34143b1c2129cf5bfede7709a53959ce3124636b59db9a50161a482b0a2c00eb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42041"], "package": "axios", "rule_id": "GHSA-w9j2-pvgh-6h63", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42041|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vf2m-468p-8v99", "level": "warning", "message": {"text": "axios: GHSA-vf2m-468p-8v99"}, "properties": {"repobilityId": 95592, "scanner": "osv-scanner", "fingerprint": "75b233cf541f7bb7a8024aafc53dfc9a485058fd533514a7d10efb41bf7448ea", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42036"], "package": "axios", "rule_id": "GHSA-vf2m-468p-8v99", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42036|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-m7pr-hjqh-92cm", "level": "warning", "message": {"text": "axios: GHSA-m7pr-hjqh-92cm"}, "properties": {"repobilityId": 95588, "scanner": "osv-scanner", "fingerprint": "1cec90618bebb188c17fe310fb3033768a72b6137c6a40c836779024308147c0", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42038"], "package": "axios", "rule_id": "GHSA-m7pr-hjqh-92cm", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42038|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fvcv-3m26-pcqx", "level": "warning", "message": {"text": "axios: GHSA-fvcv-3m26-pcqx"}, "properties": {"repobilityId": 95585, "scanner": "osv-scanner", "fingerprint": "194638f48fb7480a0400250b68d28c6069ca8218bc89ba146b8f6d04c4d3278f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-40175"], "package": "axios", "rule_id": "GHSA-fvcv-3m26-pcqx", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-40175|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-898c-q2cr-xwhg", "level": "warning", "message": {"text": "axios: GHSA-898c-q2cr-xwhg"}, "properties": {"repobilityId": 95584, "scanner": "osv-scanner", "fingerprint": "e0f789ea8b2d8f62959bbaf20e3ba5535e687b8c3be953373597bdc70b626254", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44490"], "package": "axios", "rule_id": "GHSA-898c-q2cr-xwhg", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44490|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-62hf-57xw-28j9", "level": "warning", "message": {"text": "axios: GHSA-62hf-57xw-28j9"}, "properties": {"repobilityId": 95581, "scanner": "osv-scanner", "fingerprint": "19b18323ef10e595c7d22624ffcae0cf84c0d84d20f975340eba11740cb6399e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42039"], "package": "axios", "rule_id": "GHSA-62hf-57xw-28j9", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42039|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5c9x-8gcm-mpgx", "level": "warning", "message": {"text": "axios: GHSA-5c9x-8gcm-mpgx"}, "properties": {"repobilityId": 95580, "scanner": "osv-scanner", "fingerprint": "e6cd3ab5e59f556a7738149d19ec8d30eb349cd423503e51002e40fb93d566c1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42034"], "package": "axios", "rule_id": "GHSA-5c9x-8gcm-mpgx", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42034|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-445q-vr5w-6q77", "level": "warning", "message": {"text": "axios: GHSA-445q-vr5w-6q77"}, "properties": {"repobilityId": 95579, "scanner": "osv-scanner", "fingerprint": "c7dc7346c89b379676f951ef9dafc8289422df6a7bc1d3e0ad138a1f1bddb81f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42037"], "package": "axios", "rule_id": "GHSA-445q-vr5w-6q77", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42037|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3w6x-2g7m-8v23", "level": "warning", "message": {"text": "axios: GHSA-3w6x-2g7m-8v23"}, "properties": {"repobilityId": 95578, "scanner": "osv-scanner", "fingerprint": "5cf4f362c78e0884a4fbf39c4fc1a01408751d99e053455c539b6a3630054c12", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42044"], "package": "axios", "rule_id": "GHSA-3w6x-2g7m-8v23", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42044|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-72xp-p242-47p9", "level": "warning", "message": {"text": "symfony/routing: GHSA-72xp-p242-47p9"}, "properties": {"repobilityId": 95570, "scanner": "osv-scanner", "fingerprint": "75801524d88154cd71709fca2b4b2cc7ca271369b7b540bb8899e1d7c717254a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45065"], "package": "symfony/routing", "rule_id": "GHSA-72xp-p242-47p9", "scanner": "osv-scanner", "correlation_key": "vuln|symfony/routing|CVE-2026-45065|composer.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "composer.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vqc8-7275-q272", "level": "warning", "message": {"text": "symfony/mime: GHSA-vqc8-7275-q272"}, "properties": {"repobilityId": 95568, "scanner": "osv-scanner", "fingerprint": "9cf90911cb341361f4199f7e1be12a9a218779c7aa4bc15ca12c40af360efaee", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45070"], "package": "symfony/mime", "rule_id": "GHSA-vqc8-7275-q272", "scanner": "osv-scanner", "correlation_key": "vuln|symfony/mime|CVE-2026-45070|composer.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "composer.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xx3c-qf5g-hc39", "level": "warning", "message": {"text": "symfony/mailer: GHSA-xx3c-qf5g-hc39"}, "properties": {"repobilityId": 95566, "scanner": "osv-scanner", "fingerprint": "5a6efc68e011b8613fac2d33c1b4a1535cd638acd26013e07891f8dde700fce1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45068"], "package": "symfony/mailer", "rule_id": "GHSA-xx3c-qf5g-hc39", "scanner": "osv-scanner", "correlation_key": "vuln|symfony/mailer|CVE-2026-45068|composer.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "composer.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6439-2f28-8p8q", "level": "warning", "message": {"text": "symfony/http-kernel: GHSA-6439-2f28-8p8q"}, "properties": {"repobilityId": 95565, "scanner": "osv-scanner", "fingerprint": "583cec73bcc84bf5f7ae8b5dc25ba3dbfafad74c6d955af752ad16fbb36a8f05", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45075"], "package": "symfony/http-kernel", "rule_id": "GHSA-6439-2f28-8p8q", "scanner": "osv-scanner", "correlation_key": "vuln|symfony/http-kernel|CVE-2026-45075|composer.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "composer.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC016", "level": "warning", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 95560, "scanner": "repobility-docker", "fingerprint": "88a20aafd7c89d959131e8be624514a4bda18734847596ebc77e2bd1ad2cf731", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dependency database has a healthcheck but the app does not use condition: service_healthy.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "ozzie.test", "dependency": "mysql", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|88a20aafd7c89d959131e8be624514a4bda18734847596ebc77e2bd1ad2cf731", "dependency_has_healthcheck": true}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `ozzie.test` image has no explicit tag"}, "properties": {"repobilityId": 95557, "scanner": "repobility-docker", "fingerprint": "a0f10d79d953252f0ca57b3ea76dc6520975469e8351e05a3a7798cefabb724b", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "sail-8.2/app", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a0f10d79d953252f0ca57b3ea76dc6520975469e8351e05a3a7798cefabb724b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 95555, "scanner": "repobility-threat-engine", "fingerprint": "0c7e0b7652e20026b7fed3414b693ed5a08398fc7821e36a9d490228b27cc5bc", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a class=\"text-indigo no-underline\" href=\"https://github.com/{{ $maintainer }}\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|16|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/views/components/project.blade.php"}, "region": {"startLine": 16}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `stylelint-config-standard` is 4 major version(s) behind (36.0.1 -> 40.0.0)"}, "properties": {"repobilityId": 95545, "scanner": "repobility-dependency-currency", "fingerprint": "440e61cb21950aa8897f655cf4d02c814e049d6e1f9f873bd47ab20563c0e40c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "4 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "stylelint-config-standard", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "40.0.0", "correlation_key": "fp|440e61cb21950aa8897f655cf4d02c814e049d6e1f9f873bd47ab20563c0e40c", "current_version": "36.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `stylelint` is 1 major version(s) behind (16.26.1 -> 17.12.0)"}, "properties": {"repobilityId": 95544, "scanner": "repobility-dependency-currency", "fingerprint": "d6d0e1eccb8a8341e77091ec82c3fe2f222472dad8e373cb76ac594c62c7215c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "stylelint", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.12.0", "correlation_key": "fp|d6d0e1eccb8a8341e77091ec82c3fe2f222472dad8e373cb76ac594c62c7215c", "current_version": "16.26.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `luxon` is 2 major version(s) behind (1.28.1 -> 3.7.2)"}, "properties": {"repobilityId": 95541, "scanner": "repobility-dependency-currency", "fingerprint": "8efd66e9ef3c1466262af7f7f5bf119a1371f41a416076900b62097756f245dc", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "luxon", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.7.2", "correlation_key": "fp|8efd66e9ef3c1466262af7f7f5bf119a1371f41a416076900b62097756f245dc", "current_version": "1.28.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `laravel-vite-plugin` is 1 major version(s) behind (2.1.0 -> 3.1.0)"}, "properties": {"repobilityId": 95540, "scanner": "repobility-dependency-currency", "fingerprint": "e1a8de3c9883af527435f19afd533abeb978dbe160199cabaae3e87121c1ddc5", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "laravel-vite-plugin", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.1.0", "correlation_key": "fp|e1a8de3c9883af527435f19afd533abeb978dbe160199cabaae3e87121c1ddc5", "current_version": "2.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `eslint-plugin-vue` is 1 major version(s) behind (9.33.0 -> 10.9.2)"}, "properties": {"repobilityId": 95539, "scanner": "repobility-dependency-currency", "fingerprint": "1778fc42ecfa8d2ca5daeb7724a8c7d4b31e849d89bd279b13161fd73a25c5d5", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-plugin-vue", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.9.2", "correlation_key": "fp|1778fc42ecfa8d2ca5daeb7724a8c7d4b31e849d89bd279b13161fd73a25c5d5", "current_version": "9.33.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `eslint-import-resolver-typescript` is 1 major version(s) behind (3.10.1 -> 4.4.5)"}, "properties": {"repobilityId": 95538, "scanner": "repobility-dependency-currency", "fingerprint": "76e1c84a5f671b8f80c0bea3b778d549fbbdc7a24e2d0ac35412bfb86bd3e50e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-import-resolver-typescript", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.4.5", "correlation_key": "fp|76e1c84a5f671b8f80c0bea3b778d549fbbdc7a24e2d0ac35412bfb86bd3e50e", "current_version": "3.10.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `cross-env` is 3 major version(s) behind (7.0.3 -> 10.1.0)"}, "properties": {"repobilityId": 95537, "scanner": "repobility-dependency-currency", "fingerprint": "128f153e37e60e4e535abf56696b01745e4738bb265c3de05046d3a2c218f77c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cross-env", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.1.0", "correlation_key": "fp|128f153e37e60e4e535abf56696b01745e4738bb265c3de05046d3a2c218f77c", "current_version": "7.0.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `concurrently` is 1 major version(s) behind (9.2.1 -> 10.0.3)"}, "properties": {"repobilityId": 95536, "scanner": "repobility-dependency-currency", "fingerprint": "2757b27dca2ffebfb2257764c2b15532b9648fc1f7633684da4376786a056d8f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "concurrently", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.3", "correlation_key": "fp|2757b27dca2ffebfb2257764c2b15532b9648fc1f7633684da4376786a056d8f", "current_version": "9.2.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@inertiajs/vue3` is 1 major version(s) behind (2.3.18 -> 3.3.1)"}, "properties": {"repobilityId": 95534, "scanner": "repobility-dependency-currency", "fingerprint": "4afbfdc022ab5ba06d4cfa1b319d93b7e08c1f2dd1fffe3127c9509e4a165dd2", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@inertiajs/vue3", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.3.1", "correlation_key": "fp|4afbfdc022ab5ba06d4cfa1b319d93b7e08c1f2dd1fffe3127c9509e4a165dd2", "current_version": "2.3.18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `dotenv` is 1 major version(s) behind (16.6.1 -> 17.4.2)"}, "properties": {"repobilityId": 95532, "scanner": "repobility-dependency-currency", "fingerprint": "ed32d98d590c66d304d1b3e95e2f20326dbd6cb582d6bd82fcf862bd26917cb6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "dotenv", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.4.2", "correlation_key": "fp|ed32d98d590c66d304d1b3e95e2f20326dbd6cb582d6bd82fcf862bd26917cb6", "current_version": "16.6.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 95613, "scanner": "repobility-web-presence", "fingerprint": "12d1aab6ee1a443feb14574bf5d0fbdb1f0693f388e4ba974e05b2dfd78786e8", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|12d1aab6ee1a443feb14574bf5d0fbdb1f0693f388e4ba974e05b2dfd78786e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 95610, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 95609, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 95608, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 95607, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Laravel"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "GHSA-xhjh-pmcv-23jw", "level": "note", "message": {"text": "axios: GHSA-xhjh-pmcv-23jw"}, "properties": {"repobilityId": 95594, "scanner": "osv-scanner", "fingerprint": "ac4cde2863facff6aec7b8b941ad5c0b93216a4d6e47c06e5de7098a0e1f38a9", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42040"], "package": "axios", "rule_id": "GHSA-xhjh-pmcv-23jw", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42040|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2p3-7m5p-cv8x", "level": "note", "message": {"text": "symfony/yaml: GHSA-c2p3-7m5p-cv8x"}, "properties": {"repobilityId": 95573, "scanner": "osv-scanner", "fingerprint": "ada89df15cfca6791915097c1420ba59a74223a75a93a407d0372d4c6d20dc4c", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45133"], "package": "symfony/yaml", "rule_id": "GHSA-c2p3-7m5p-cv8x", "scanner": "osv-scanner", "correlation_key": "vuln|symfony/yaml|CVE-2026-45133|composer.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "composer.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9frc-8383-795m", "level": "note", "message": {"text": "symfony/yaml: GHSA-9frc-8383-795m"}, "properties": {"repobilityId": 95572, "scanner": "osv-scanner", "fingerprint": "e466562eba273f21fade2f8774387844b3a0b90211ccd87841d700fdcb099852", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45305"], "package": "symfony/yaml", "rule_id": "GHSA-9frc-8383-795m", "scanner": "osv-scanner", "correlation_key": "vuln|symfony/yaml|CVE-2026-45305|composer.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "composer.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4qpc-3hr4-r2p4", "level": "note", "message": {"text": "symfony/yaml: GHSA-4qpc-3hr4-r2p4"}, "properties": {"repobilityId": 95571, "scanner": "osv-scanner", "fingerprint": "3cb0af7753f6224f5235d3c98b264f70db0ff8804e8f139ff5fd23d6d3c4702d", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45304"], "package": "symfony/yaml", "rule_id": "GHSA-4qpc-3hr4-r2p4", "scanner": "osv-scanner", "correlation_key": "vuln|symfony/yaml|CVE-2026-45304|composer.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "composer.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2xf4-cg6j-vhgq", "level": "note", "message": {"text": "symfony/polyfill-intl-idn: GHSA-2xf4-cg6j-vhgq"}, "properties": {"repobilityId": 95569, "scanner": "osv-scanner", "fingerprint": "3189382a8aadbe69a42a5df187c3d0d77d612bd74f22eb7fd6a32740c5c49be2", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46644"], "package": "symfony/polyfill-intl-idn", "rule_id": "GHSA-2xf4-cg6j-vhgq", "scanner": "osv-scanner", "correlation_key": "vuln|symfony/polyfill-intl-idn|CVE-2026-46644|composer.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "composer.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r854-jrxh-36qx", "level": "note", "message": {"text": "phpseclib/phpseclib: GHSA-r854-jrxh-36qx"}, "properties": {"repobilityId": 95564, "scanner": "osv-scanner", "fingerprint": "424355890d5cec10f18b63c052613d74334955a651ef4a026507c21ed456ebd0", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-40194"], "package": "phpseclib/phpseclib", "rule_id": "GHSA-r854-jrxh-36qx", "scanner": "osv-scanner", "correlation_key": "vuln|phpseclib/phpseclib|CVE-2026-40194|composer.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "composer.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC017", "level": "note", "message": {"text": "Database password is wired through an environment variable placeholder"}, "properties": {"repobilityId": 95562, "scanner": "repobility-docker", "fingerprint": "dd4b28a39cf1adb6cf9ce66e159052d30471e70d5d2dfe5498f11aa2df22a75e", "category": "docker", "severity": "low", "confidence": 0.58, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Database image supports file-based secret variables, but only placeholder environment variables were found.", "evidence": {"rule_id": "DKC017", "scanner": "repobility-docker", "service": "mysql", "variables": ["MYSQL_ROOT_PASSWORD", "MYSQL_PASSWORD"], "references": ["https://docs.docker.com/compose/how-tos/use-secrets/"], "correlation_key": "fp|dd4b28a39cf1adb6cf9ce66e159052d30471e70d5d2dfe5498f11aa2df22a75e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 95559, "scanner": "repobility-docker", "fingerprint": "f0af14d3794e5a4a7d50b25771553bfe9b10596cac6458df20ebde9abb880a74", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ozzie.test", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f0af14d3794e5a4a7d50b25771553bfe9b10596cac6458df20ebde9abb880a74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 95558, "scanner": "repobility-docker", "fingerprint": "437f186c1149a4075739b956d35a9b36ffc79694edaa2f8dcf449a6ab3743001", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ozzie.test", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|437f186c1149a4075739b956d35a9b36ffc79694edaa2f8dcf449a6ab3743001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `prettier-plugin-tailwindcss` is minor version(s) behind (0.5.14 -> 0.8.0)"}, "properties": {"repobilityId": 95543, "scanner": "repobility-dependency-currency", "fingerprint": "9d862c8f7b33486c79277d4b50d0c903976b8e87ebc0c02fb95bb686e1c4cac8", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "prettier-plugin-tailwindcss", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.8.0", "correlation_key": "fp|9d862c8f7b33486c79277d4b50d0c903976b8e87ebc0c02fb95bb686e1c4cac8", "current_version": "0.5.14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 95556, "scanner": "repobility-threat-engine", "fingerprint": "9d4e593c4a3b7d0b6e71baa34938fac5327439d2032775569e58b189468347d3", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9d4e593c4a3b7d0b6e71baa34938fac5327439d2032775569e58b189468347d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vite.config.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 95554, "scanner": "repobility-threat-engine", "fingerprint": "d71724ef9ebc40c9f37835e9a17943f9474ef3b21970d0351d917057cdfb2b85", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d71724ef9ebc40c9f37835e9a17943f9474ef3b21970d0351d917057cdfb2b85", "aggregated_count": 1}}}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 95553, "scanner": "repobility-threat-engine", "fingerprint": "9e5173fd016b9c87e709f217b33b50db02664863c94d112fd07dc34b6250747b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9e5173fd016b9c87e709f217b33b50db02664863c94d112fd07dc34b6250747b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/views/errors/403.blade.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 95552, "scanner": "repobility-threat-engine", "fingerprint": "89eb1405c3314dab45100f265fb02b65640ed6320baf75e4b5dc3e6dfe799ecf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|89eb1405c3314dab45100f265fb02b65640ed6320baf75e4b5dc3e6dfe799ecf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/views/components/project.blade.php"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 95551, "scanner": "repobility-threat-engine", "fingerprint": "2a8ee0077cac13931853c647913f503611481c1c114b4de2a0ada0484e6c8b64", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2a8ee0077cac13931853c647913f503611481c1c114b4de2a0ada0484e6c8b64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/views/app.blade.php"}, "region": {"startLine": 31}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `ziggy-js` is patch version(s) behind (2.6.1 -> 2.6.2)"}, "properties": {"repobilityId": 95546, "scanner": "repobility-dependency-currency", "fingerprint": "824e463422027deb9560e0e3e02c5b9d1fcc89a3fc36bf511646ae4b01fa3b16", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "ziggy-js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.6.2", "correlation_key": "fp|824e463422027deb9560e0e3e02c5b9d1fcc89a3fc36bf511646ae4b01fa3b16", "current_version": "2.6.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `prettier` is patch version(s) behind (3.8.1 -> 3.8.3)"}, "properties": {"repobilityId": 95542, "scanner": "repobility-dependency-currency", "fingerprint": "8e622dc4840a2da8b18fdd4d24f7c414643f431c66326e1911276e2546c8e2e0", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "prettier", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.8.3", "correlation_key": "fp|8e622dc4840a2da8b18fdd4d24f7c414643f431c66326e1911276e2546c8e2e0", "current_version": "3.8.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@vitejs/plugin-vue` is patch version(s) behind (6.0.4 -> 6.0.7)"}, "properties": {"repobilityId": 95535, "scanner": "repobility-dependency-currency", "fingerprint": "9529ebf639f3d4d5c013e09bfb7545b1207ce9cdbdfcec5feb5dd2edc6bb2527", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitejs/plugin-vue", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.0.7", "correlation_key": "fp|9529ebf639f3d4d5c013e09bfb7545b1207ce9cdbdfcec5feb5dd2edc6bb2527", "current_version": "6.0.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@babel/preset-env` is patch version(s) behind (7.29.0 -> 7.29.7)"}, "properties": {"repobilityId": 95533, "scanner": "repobility-dependency-currency", "fingerprint": "361cd3d2bbba412dca5196ce92eb9c7180e87f0c87586b94fd2e2ac0ca813f44", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@babel/preset-env", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.29.7", "correlation_key": "fp|361cd3d2bbba412dca5196ce92eb9c7180e87f0c87586b94fd2e2ac0ca813f44", "current_version": "7.29.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /prs/{id}."}, "properties": {"repobilityId": 95606, "scanner": "repobility-access-control", "fingerprint": "994095670d014e37fe16e7258ed1682396ebd2b07296a49450d2ccd9a4137faf", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/prs/{id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|16|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 16}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /issues/{id}."}, "properties": {"repobilityId": 95605, "scanner": "repobility-access-control", "fingerprint": "5dbb2b391a5e973d4b0a59dd5c30f3d50d994d42d6124362b54250236191deda", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/issues/{id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|13|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 13}}}]}, {"ruleId": "GHSA-v39h-62p7-jpjc", "level": "error", "message": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "properties": {"repobilityId": 95599, "scanner": "osv-scanner", "fingerprint": "d9e8ef847898100d4370c43984678fe5fed930d5324ab88248c2d2156d522d84", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6322"], "package": "fast-uri", "rule_id": "GHSA-v39h-62p7-jpjc", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6322|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q3j6-qgpj-74h6", "level": "error", "message": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "properties": {"repobilityId": 95598, "scanner": "osv-scanner", "fingerprint": "bbadb454e2f0de5491c967e3dd8f97119c293cd0aafbefed77d3b3e72652865f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6321"], "package": "fast-uri", "rule_id": "GHSA-q3j6-qgpj-74h6", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6321|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8qp-cvcw-x6jj", "level": "error", "message": {"text": "axios: GHSA-q8qp-cvcw-x6jj"}, "properties": {"repobilityId": 95591, "scanner": "osv-scanner", "fingerprint": "227360aed11ec8bdb889d76e79a95312b59f3197640206e03d2f2bf06a607670", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42264"], "package": "axios", "rule_id": "GHSA-q8qp-cvcw-x6jj", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42264|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pf86-5x62-jrwf", "level": "error", "message": {"text": "axios: GHSA-pf86-5x62-jrwf"}, "properties": {"repobilityId": 95590, "scanner": "osv-scanner", "fingerprint": "85231d16fa0670b64ae9f8132cf7c08e1fdfbd3e2d0d6d52e3b4f18fcf41140d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42033"], "package": "axios", "rule_id": "GHSA-pf86-5x62-jrwf", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42033|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p92q-9vqr-4j8v", "level": "error", "message": {"text": "axios: GHSA-p92q-9vqr-4j8v"}, "properties": {"repobilityId": 95589, "scanner": "osv-scanner", "fingerprint": "db661ef3efd6ae15f09e8cb75e1d440d922b39de4793cfc737ed0754eca534ab", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44487"], "package": "axios", "rule_id": "GHSA-p92q-9vqr-4j8v", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44487|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j5f8-grm9-p9fc", "level": "error", "message": {"text": "axios: GHSA-j5f8-grm9-p9fc"}, "properties": {"repobilityId": 95587, "scanner": "osv-scanner", "fingerprint": "ed7033fc0c9299b56ea00c92631f81ed72ec873142f864f792ab8b0cede67c2f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44486"], "package": "axios", "rule_id": "GHSA-j5f8-grm9-p9fc", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44486|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hfxv-24rg-xrqf", "level": "error", "message": {"text": "axios: GHSA-hfxv-24rg-xrqf"}, "properties": {"repobilityId": 95586, "scanner": "osv-scanner", "fingerprint": "3a1a1d65de131fd423fbc959231b59156b65c45d65668fe2f857f475aba62a80", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44496"], "package": "axios", "rule_id": "GHSA-hfxv-24rg-xrqf", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44496|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-777c-7fjr-54vf", "level": "error", "message": {"text": "axios: GHSA-777c-7fjr-54vf"}, "properties": {"repobilityId": 95583, "scanner": "osv-scanner", "fingerprint": "59a250c97b1e71652419bc7d1715d1574255c84ea0b98401688c8d00b7cdd35b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44488"], "package": "axios", "rule_id": "GHSA-777c-7fjr-54vf", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44488|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6chq-wfr3-2hj9", "level": "error", "message": {"text": "axios: GHSA-6chq-wfr3-2hj9"}, "properties": {"repobilityId": 95582, "scanner": "osv-scanner", "fingerprint": "0163353f19ab7429440b05a23b295e76326681ed071d11603964579ea2cf98ca", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42035"], "package": "axios", "rule_id": "GHSA-6chq-wfr3-2hj9", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-42035|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-pjwm-pj3p-43mv", "level": "error", "message": {"text": "axios: GHSA-pjwm-pj3p-43mv"}, "properties": {"repobilityId": 95577, "scanner": "osv-scanner", "fingerprint": "a687f86314a62c9c73eab486dfb458616263bea26dbbefe9cae8473e8efb3071", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44492"], "package": "axios", "rule_id": "GHSA-pjwm-pj3p-43mv", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2025-62718|package-lock.json", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-3p68-rc4w-qgx5", "GHSA-pjwm-pj3p-43mv", "GHSA-pmwg-cvhr-8vh7"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["249424ea52d1680c90188a3009a5089eca8b7c3d4358b7cb0d9a3ce6eed688cd", "352ef1cd474b601fa456ed0f288719e41b7b4a8bda1ee8fd4003083d6cb57ea4", "a687f86314a62c9c73eab486dfb458616263bea26dbbefe9cae8473e8efb3071"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3g43-6gmg-66jw", "level": "error", "message": {"text": "axios: GHSA-3g43-6gmg-66jw"}, "properties": {"repobilityId": 95576, "scanner": "osv-scanner", "fingerprint": "b5c421280bf74d1ec2fdb6a0fdc96df80fa8eb9206e2916a9891b6414df8b155", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44495"], "package": "axios", "rule_id": "GHSA-3g43-6gmg-66jw", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44495|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-35jp-ww65-95wh", "level": "error", "message": {"text": "axios: GHSA-35jp-ww65-95wh"}, "properties": {"repobilityId": 95575, "scanner": "osv-scanner", "fingerprint": "3588119f3e3a3569888076b3b7dda23c8c3a97e0038f21a03c294eba6757dbf6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44494"], "package": "axios", "rule_id": "GHSA-35jp-ww65-95wh", "scanner": "osv-scanner", "correlation_key": "vuln|axios|CVE-2026-44494|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fv7c-fp4j-7gwp", "level": "error", "message": {"text": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp"}, "properties": {"repobilityId": 95574, "scanner": "osv-scanner", "fingerprint": "ad52739427efbb114a916176e346643bbd15d1155c76f28185e965208050ec44", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44728"], "package": "@babel/plugin-transform-modules-systemjs", "rule_id": "GHSA-fv7c-fp4j-7gwp", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-44728|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qpmx-3rfj-7rhv", "level": "error", "message": {"text": "symfony/mime: GHSA-qpmx-3rfj-7rhv"}, "properties": {"repobilityId": 95567, "scanner": "osv-scanner", "fingerprint": "326069cf8867506b9fd015c70a86f8e3eeaba1fac7de6730c3099ba2307adba3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45067"], "package": "symfony/mime", "rule_id": "GHSA-qpmx-3rfj-7rhv", "scanner": "osv-scanner", "correlation_key": "vuln|symfony/mime|CVE-2026-45067|composer.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "composer.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3qpq-r242-jqj7", "level": "error", "message": {"text": "phpseclib/phpseclib: GHSA-3qpq-r242-jqj7"}, "properties": {"repobilityId": 95563, "scanner": "osv-scanner", "fingerprint": "fbad38f2235256501a37c70f689f0fe75bef55375d133576f81b47b08196e437", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44167"], "package": "phpseclib/phpseclib", "rule_id": "GHSA-3qpq-r242-jqj7", "scanner": "osv-scanner", "correlation_key": "vuln|phpseclib/phpseclib|CVE-2024-27355|composer.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "composer.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 95561, "scanner": "repobility-docker", "fingerprint": "4cdea457d137f5acebe769821ed4f847b14fadc9d6050395a7330684a338b082", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "${FORWARD_DB_PORT:-3306}:3306", "target": "3306", "host_ip": "${FORWARD_DB_PORT", "published": "-3306}"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mysql", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|4cdea457d137f5acebe769821ed4f847b14fadc9d6050395a7330684a338b082"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 95550, "scanner": "repobility-threat-engine", "fingerprint": "494ab2c2e768eb3aaa7edd3ff1d6594907bccbe9d5506ab00b567a1e594c9a84", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|494ab2c2e768eb3aaa7edd3ff1d6594907bccbe9d5506ab00b567a1e594c9a84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Nova/User.php"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 95549, "scanner": "repobility-threat-engine", "fingerprint": "1d01aa45fd13393521f1cf982faf56b2235e7cbe45bda91f16bb47db9a515ef4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(\n        e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1d01aa45fd13393521f1cf982faf56b2235e7cbe45bda91f16bb47db9a515ef4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vite.config.js"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 95548, "scanner": "repobility-threat-engine", "fingerprint": "e401dc52323559f4800f671d84fa463700b0a78fa9d14f3b2ce1a9852f558ac3", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(v", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e401dc52323559f4800f671d84fa463700b0a78fa9d14f3b2ce1a9852f558ac3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/ts/functions/url.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 95547, "scanner": "repobility-threat-engine", "fingerprint": "10b9dc220ff0c1ae2e2b41f1f449ccc96d09f4c288bdb169e9a97e0edd6886b6", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|10b9dc220ff0c1ae2e2b41f1f449ccc96d09f4c288bdb169e9a97e0edd6886b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Notifications/SendOzzieStats.php"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `tighten/duster-action` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 95531, "scanner": "repobility-supply-chain", "fingerprint": "20d256be004a4ce4c64c7cdc26a0fa3d04fe37688bf45c593bf45eff91f4936c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|20d256be004a4ce4c64c7cdc26a0fa3d04fe37688bf45c593bf45eff91f4936c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/duster-lint.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 95530, "scanner": "repobility-supply-chain", "fingerprint": "06d7910a4dfdda502899090bff68e820379397628bacf85c197812eb659536ac", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|06d7910a4dfdda502899090bff68e820379397628bacf85c197812eb659536ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/duster-lint.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `shivammathur/setup-php` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 95529, "scanner": "repobility-supply-chain", "fingerprint": "9e2e391ca81a504c81d3a7e122fe957ef6a1fdf4d14082824f6f83bcd4f744f5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9e2e391ca81a504c81d3a7e122fe957ef6a1fdf4d14082824f6f83bcd4f744f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-tests.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 95528, "scanner": "repobility-supply-chain", "fingerprint": "cf0c084e0e296b212619e6f66d5494a61db325f23d3beab21973d08836ab38bc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cf0c084e0e296b212619e6f66d5494a61db325f23d3beab21973d08836ab38bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-tests.yml"}, "region": {"startLine": 20}}}]}]}]}