{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 36 more): Same pattern found in 36 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 36 more): Same pattern found in 36 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/433"}, "properties": {"repository": "dotnet/aspnetcore", "repoUrl": "https://github.com/dotnet/aspnetcore.git", "branch": "main"}, "results": [{"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 22744, "scanner": "repobility-threat-engine", "fingerprint": "8a944afd2b7b3799f13807aac5954bbdc05bf49c5e677f490eb451cd004a3561", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|271|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/common/cross/install-debs.py"}, "region": {"startLine": 271}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 22751, "scanner": "repobility-threat-engine", "fingerprint": "0cd1b13f4a66535e4c497a999aef8030fd2a0766006c9c87b2f6a13eddcde35d", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = D", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|43|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Components/Web.JS/src/Platform/Circuits/DefaultReconnectDisplay.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 22750, "scanner": "repobility-threat-engine", "fingerprint": "98d091f1bcef035b013421aef6910f33d1999eb141edddee5c2cc058851fc3a4", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = m", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|421|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Components/Web.JS/src/Rendering/BrowserRenderer.ts"}, "region": {"startLine": 421}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 22749, "scanner": "repobility-threat-engine", "fingerprint": "98ab3791e397f02ecf04b2fb076b3d299af80e3cd3ac7af80d15a08cf465cb15", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = \\", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|376|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Middleware/Diagnostics.EntityFrameworkCore/src/Views/DatabaseErrorPage.Designer.cs"}, "region": {"startLine": 376}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 22758, "scanner": "repobility-threat-engine", "fingerprint": "6a7fe79d0ca7eece4aa37c439d78352c16e4ed269ecad3067e6b1a5e3c0413ad", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "Password = \"<redacted>\"", "reason": "Safe context pattern detected", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|2|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Security/Authentication/Negotiate/samples/NegotiateAuthSample/Startup.cs"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 22757, "scanner": "repobility-threat-engine", "fingerprint": "d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 22756, "scanner": "repobility-threat-engine", "fingerprint": "0e60c518b6309aac7b65c154a980896a25680da9ee02e103ed69698cb1a70a5e", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.LogInformation(\"User changed their password successfully.\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|9|logger.loginformation user changed their password successfully."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Security/samples/Identity.ExternalClaims/Pages/Account/Manage/ChangePassword.cshtml.cs"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 22755, "scanner": "repobility-threat-engine", "fingerprint": "378a1016315f7f4db7181c6854b0a684b68805f1005386c68f43b32de2e38bd2", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.LogInformation(\"User created a new account with password.\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|7|logger.loginformation user created a new account with password."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Security/samples/Identity.ExternalClaims/Pages/Account/Register.cshtml.cs"}, "region": {"startLine": 75}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 22754, "scanner": "repobility-threat-engine", "fingerprint": "0591ce7296664b6996d383f21fcfe0be87e972d55359f5dbdb019b462c07ee57", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.LogWarning(\"Evaluating authorization requirement for age >= {age}\", requirement.Age)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|2|logger.logwarning evaluating authorization requirement for age age requirement.age"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Security/samples/CustomPolicyProvider/Authorization/MinimumAgeAuthorizationHandler.cs"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 22753, "scanner": "repobility-threat-engine", "fingerprint": "be487e4c3ed80873eadf85e51bb35ee62014d1871f37a75c6cf392fb57017e87", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|46|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Components/benchmarkapps/Wasm.Performance/TestApp/wwwroot/benchmarks/orgChartBenchmark.js"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 36 more): Same pattern found in 36 additional files. Review if needed."}, "properties": {"repobilityId": 22748, "scanner": "repobility-threat-engine", "fingerprint": "de360f850ead589ee5e9ed6a342addc11eb9276bba1c673b6eea6332ec53bc3b", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 36 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 36 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|de360f850ead589ee5e9ed6a342addc11eb9276bba1c673b6eea6332ec53bc3b"}}}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 22752, "scanner": "repobility-threat-engine", "fingerprint": "7a5cc12f111a3865a78a7d05a2593cd9f81798e5c0c116414ea1a3fd061e07e1", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7a5cc12f111a3865a78a7d05a2593cd9f81798e5c0c116414ea1a3fd061e07e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Components/Web.JS/src/Services/NavigationEnhancement.ts"}, "region": {"startLine": 311}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 22747, "scanner": "repobility-threat-engine", "fingerprint": "ca5095e4b4268942e7e7ed75f348fab2357127fb62363163c6ba3fa8fedec671", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ca5095e4b4268942e7e7ed75f348fab2357127fb62363163c6ba3fa8fedec671"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Components/QuickGrid/Microsoft.AspNetCore.Components.QuickGrid/src/Pagination/Paginator.razor.cs"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 22746, "scanner": "repobility-threat-engine", "fingerprint": "a1cfcc4ffc3418c36fcdfaf865bed650578944c4db45785396efc8d0758fea77", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(_", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a1cfcc4ffc3418c36fcdfaf865bed650578944c4db45785396efc8d0758fea77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Components/QuickGrid/Microsoft.AspNetCore.Components.QuickGrid/src/QuickGrid.razor.cs"}, "region": {"startLine": 320}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 22745, "scanner": "repobility-threat-engine", "fingerprint": "1d9a68b7c6cf57bb5afd2db0329276cbdef3efc969b2608335f4ee931e376098", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(H", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1d9a68b7c6cf57bb5afd2db0329276cbdef3efc969b2608335f4ee931e376098"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Middleware/Spa/SpaProxy/src/SpaProxyLaunchManager.cs"}, "region": {"startLine": 106}}}]}]}]}