{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-887c-mr87-cxwp", "name": "torch: GHSA-887c-mr87-cxwp", "shortDescription": {"text": "torch: GHSA-887c-mr87-cxwp"}, "fullDescription": {"text": "PyTorch Improper Resource Shutdown or Release vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4m77-cmpx-vjc4", "name": "jupyterlab: GHSA-4m77-cmpx-vjc4", "shortDescription": {"text": "jupyterlab: GHSA-4m77-cmpx-vjc4"}, "fullDescription": {"text": "JupyterLab vulnerable to SXSS in Markdown Preview"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6w46-j5rx-g56g", "name": "pytest: GHSA-6w46-j5rx-g56g", "shortDescription": {"text": "pytest: GHSA-6w46-j5rx-g56g"}, "fullDescription": {"text": "pytest has vulnerable tmpdir handling"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rcv9-qm8p-9p6j", "name": "transformers: GHSA-rcv9-qm8p-9p6j", "shortDescription": {"text": "transformers: GHSA-rcv9-qm8p-9p6j"}, "fullDescription": {"text": "Hugging Face Transformers library has Regular Expression Denial of Service"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q2wp-rjmx-x6x9", "name": "transformers: GHSA-q2wp-rjmx-x6x9", "shortDescription": {"text": "transformers: GHSA-q2wp-rjmx-x6x9"}, "fullDescription": {"text": "Transformers's ReDoS vulnerability in get_configuration_file can lead to catastrophic backtracking"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, 
"cwe": "", "owasp": ""}}, {"id": "GHSA-jjph-296x-mrcr", "name": "transformers: GHSA-jjph-296x-mrcr", "shortDescription": {"text": "transformers: GHSA-jjph-296x-mrcr"}, "fullDescription": {"text": "Transformers vulnerable to ReDoS attack through its get_imports() function"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fpwr-67px-3qhx", "name": "transformers: GHSA-fpwr-67px-3qhx", "shortDescription": {"text": "transformers: GHSA-fpwr-67px-3qhx"}, "fullDescription": {"text": "Transformers Regular Expression Denial of Service (ReDoS) vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9356-575x-2w9m", "name": "transformers: GHSA-9356-575x-2w9m", "shortDescription": {"text": "transformers: GHSA-9356-575x-2w9m"}, "fullDescription": {"text": "Hugging Face Transformers Regular Expression Denial of Service (ReDoS) vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6rvg-6v2m-4j46", "name": "transformers: GHSA-6rvg-6v2m-4j46", "shortDescription": {"text": "transformers: GHSA-6rvg-6v2m-4j46"}, "fullDescription": {"text": "Transformers Regular Expression Denial of Service (ReDoS) vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-69w3-r845-3855", "name": "transformers: GHSA-69w3-r845-3855", "shortDescription": {"text": "transformers: GHSA-69w3-r845-3855"}, "fullDescription": {"text": "HuggingFace Transformers allows for arbitrary code execution in the `Trainer` class"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-59p9-h35m-wg4g", "name": 
"transformers: GHSA-59p9-h35m-wg4g", "shortDescription": {"text": "transformers: GHSA-59p9-h35m-wg4g"}, "fullDescription": {"text": "Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4w7r-h757-3r74", "name": "transformers: GHSA-4w7r-h757-3r74", "shortDescription": {"text": "transformers: GHSA-4w7r-h757-3r74"}, "fullDescription": {"text": "Hugging Face Transformers vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-37mw-44qp-f5jm", "name": "transformers: GHSA-37mw-44qp-f5jm", "shortDescription": {"text": "transformers: GHSA-37mw-44qp-f5jm"}, "fullDescription": {"text": "Transformers is vulnerable to ReDoS attack through its DonutProcessor class"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": 
"DKR013", "name": "Dockerfile ADD downloads remote content", "shortDescription": {"text": "Dockerfile ADD downloads remote content"}, "fullDescription": {"text": "ADD can fetch remote URLs without checksum verification. This makes builds dependent on mutable network content."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `check_quotes_in_source` has cognitive complexity 22 (SonarSource scale). ", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `check_quotes_in_source` has cognitive complexity 22 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and "}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 22."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. 
`curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-GHA", "name": "GitHub Action `actions/github-script@v8` is 1 major version(s) behind (latest v9.0.0)", "shortDescription": {"text": "GitHub Action `actions/github-script@v8` is 1 major version(s) behind (latest v9.0.0)"}, "fullDescription": {"text": "`uses: actions/github-script@v8` is 1 major version(s) behind the latest published release v9.0.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. This is the exact 'outdated GitHub Action' class Dependabot raises \u2014 and which Repobility had no coverage for."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED124", "name": "requirements.txt: `tqdm` has no version pin", "shortDescription": {"text": "requirements.txt: `tqdm` has no version pin"}, "fullDescription": {"text": "Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "Mutable default argument in `load_dataset_to_dataframe` (dict)", "shortDescription": {"text": "Mutable default argument in `load_dataset_to_dataframe` (dict)"}, "fullDescription": {"text": "`def load_dataset_to_dataframe(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "AI-assisted edits often create a new sibling file instead of integrating the change into the existing module. 
That leaves two paths for future maintainers to understand and can hide the code that is actually wired into the app."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "GHSA-g7vv-2v7x-gj9p", "name": "tqdm: GHSA-g7vv-2v7x-gj9p", "shortDescription": {"text": "tqdm: GHSA-g7vv-2v7x-gj9p"}, "fullDescription": {"text": "tqdm CLI arguments injection attack"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vvfj-2jqx-52jm", "name": "jupyterlab: GHSA-vvfj-2jqx-52jm", "shortDescription": {"text": "jupyterlab: GHSA-vvfj-2jqx-52jm"}, "fullDescription": {"text": "JupyterLab LaTeX typesetter links did not enforce `noopener` attribute"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v492-6xx2-p57g", "name": "chainlit: GHSA-v492-6xx2-p57g", "shortDescription": {"text": "chainlit: GHSA-v492-6xx2-p57g"}, "fullDescription": {"text": "Chainlit contains an authorization bypass vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-phhr-52qp-3mj4", "name": "transformers: GHSA-phhr-52qp-3mj4", "shortDescription": {"text": "transformers: GHSA-phhr-52qp-3mj4"}, "fullDescription": {"text": "Transformers's Improper Input Validation vulnerability can be exploited through username injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-37q5-v5qm-c9v8", "name": "transformers: GHSA-37q5-v5qm-c9v8", "shortDescription": {"text": "transformers: GHSA-37q5-v5qm-c9v8"}, "fullDescription": {"text": "Transformers Deserialization of Untrusted Data vulnerability"}, "properties": {"scanner": 
"osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Pip's package cache increases image size and can preserve unnecessary artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC124", "name": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacke", "shortDescription": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason."}, "fullDescription": {"text": "Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). 
For locking, use `fcntl.flock`."}, "properties": {"scanner": "repobility-threat-engine", "category": "race_condition", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC005", "name": "Duplicate top-level symbol appears in a patch-style file", "shortDescription": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "fullDescription": {"text": "A generated replacement file defining the same public function or class name as another module can mean the new logic is not actually wired into the running code."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC011", "name": "[SEC011] Unsafe PyTorch Model Loading (and 3 more): Same pattern found in 3 additional files. 
Review if needed.", "shortDescription": {"text": "[SEC011] Unsafe PyTorch Model Loading (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use torch.load(..., weights_only=True) or use safetensors format."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED049] Print Pii (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout (and 15 more): Same pattern found in 15 additional files. Review if needed.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED001] Bare Except Pass (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check (and 4 more): Same pattern found in 4 a", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout (and 15 more): Same pattern found in 15 additional files. Review if needed.", "shortDescription": {"text": "[SEC078] Python: requests without timeout (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path (and 4 more): Same pattern found in 4 additional files. Review if need", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-139", "name": "torch: PYSEC-2026-139", "shortDescription": {"text": "torch: PYSEC-2026-139"}, "fullDescription": {"text": "A vulnerability was identified in PyTorch 2.10.0. The affected element is an unknown function of the component pt2 Loading Handler. The manipulation leads to deserialization. The attack can only be performed from a local environment. The exploit is publicly available and might be used. 
The project was informed of the problem early through a pull request but has not reacted yet."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-209", "name": "torch: PYSEC-2025-209", "shortDescription": {"text": "torch: PYSEC-2025-209"}, "fullDescription": {"text": "An issue in pytorch v2.7.0 can lead to a Denial of Service (DoS) when a PyTorch model consists of torch.Tensor.to_sparse() and torch.Tensor.to_dense() and is compiled by Inductor."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-208", "name": "torch: PYSEC-2025-208", "shortDescription": {"text": "torch: PYSEC-2025-208"}, "fullDescription": {"text": "A buffer overflow occurs in pytorch v2.7.0 when a PyTorch model consists of torch.nn.Conv2d, torch.nn.functional.hardshrink, and torch.Tensor.view-torch.mv() and is compiled by Inductor, leading to a Denial of Service (DoS)."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-207", "name": "torch: PYSEC-2025-207", "shortDescription": {"text": "torch: PYSEC-2025-207"}, "fullDescription": {"text": "A Name Error occurs in pytorch v2.7.0 when a PyTorch model consists of torch.cummin and is compiled by Inductor, leading to a Denial of Service (DoS)."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-206", "name": "torch: PYSEC-2025-206", "shortDescription": {"text": "torch: PYSEC-2025-206"}, "fullDescription": {"text": "pytorch v2.8.0 was discovered to contain an integer overflow in the component torch.nan_to_num-.long()."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": 
""}}, {"id": "PYSEC-2025-205", "name": "torch: PYSEC-2025-205", "shortDescription": {"text": "torch: PYSEC-2025-205"}, "fullDescription": {"text": "A syntax error in the component proxy_tensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service (DoS)."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-204", "name": "torch: PYSEC-2025-204", "shortDescription": {"text": "torch: PYSEC-2025-204"}, "fullDescription": {"text": "pytorch v2.8.0 was discovered to display unexpected behavior when the components torch.rot90 and torch.randn_like are used together."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-203", "name": "torch: PYSEC-2025-203", "shortDescription": {"text": "torch: PYSEC-2025-203"}, "fullDescription": {"text": "An issue in the component torch.linalg.lu of pytorch v2.8.0 allows attackers to cause a Denial of Service (DoS) when performing a slice operation."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-198", "name": "torch: PYSEC-2025-198", "shortDescription": {"text": "torch: PYSEC-2025-198"}, "fullDescription": {"text": "In PyTorch through 2.6.0, when eager is used, nn.PairwiseDistance(p=2) produces incorrect results."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-191", "name": "torch: PYSEC-2025-191", "shortDescription": {"text": "torch: PYSEC-2025-191"}, "fullDescription": {"text": "A vulnerability, which was classified as problematic, has been found in PyTorch 2.6.0+cu124. Affected by this issue is the function torch.mkldnn_max_pool2d. The manipulation leads to denial of service. An attack has to be approached locally. 
The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The security policy of the project warns to use unknown models which might establish malicious effects."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2024-259", "name": "torch: PYSEC-2024-259", "shortDescription": {"text": "torch: PYSEC-2024-259"}, "fullDescription": {"text": "In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rch3-82jr-f9w9", "name": "jupyterlab: GHSA-rch3-82jr-f9w9", "shortDescription": {"text": "jupyterlab: GHSA-rch3-82jr-f9w9"}, "fullDescription": {"text": "Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mqcg-5x36-vfcg", "name": "jupyterlab: GHSA-mqcg-5x36-vfcg", "shortDescription": {"text": "jupyterlab: GHSA-mqcg-5x36-vfcg"}, "fullDescription": {"text": "JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9q39-rmj3-p4r2", "name": "jupyterlab: GHSA-9q39-rmj3-p4r2", "shortDescription": {"text": "jupyterlab: GHSA-9q39-rmj3-p4r2"}, "fullDescription": {"text": "HTML injection in Jupyter Notebook and JupyterLab leading to DOM Clobbering"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, 
{"id": "GHSA-44cc-43rp-5947", "name": "jupyterlab: GHSA-44cc-43rp-5947", "shortDescription": {"text": "jupyterlab: GHSA-44cc-43rp-5947"}, "fullDescription": {"text": "JupyterLab vulnerable to potential authentication and CSRF tokens leak"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-164", "name": "jupyterlab: PYSEC-2026-164", "shortDescription": {"text": "jupyterlab: PYSEC-2026-164"}, "fullDescription": {"text": "JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not contained to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2024-110", "name": "scikit-learn: PYSEC-2024-110", "shortDescription": {"text": "scikit-learn: PYSEC-2024-110"}, "fullDescription": {"text": "A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the `stop_words_` attribute, rather than only storing the subset of tokens required for the TF-IDF technique to function. This behavior leads to the potential leakage of sensitive information, as the `stop_words_` attribute could contain tokens that were meant to be discarded and not stored, such as passwords or keys. 
The impact of this vulnerability varies based on the nature of the data being processed by the vectorizer."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-38vq-g6vr-w8wf", "name": "sentencepiece: GHSA-38vq-g6vr-w8wf", "shortDescription": {"text": "sentencepiece: GHSA-38vq-g6vr-w8wf"}, "fullDescription": {"text": "Sentencepiece has a heap overflow issue"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g59-m95p-pgfq", "name": "chainlit: GHSA-2g59-m95p-pgfq", "shortDescription": {"text": "chainlit: GHSA-2g59-m95p-pgfq"}, "fullDescription": {"text": "Chainlit contains a server-side request forgery (SSRF) vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-40", "name": "transformers: PYSEC-2025-40", "shortDescription": {"text": "transformers: PYSEC-2025-40"}, "fullDescription": {"text": "A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. 
An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-218", "name": "transformers: PYSEC-2025-218", "shortDescription": {"text": "transformers: PYSEC-2025-218"}, "fullDescription": {"text": "Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of weights. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28309."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-217", "name": "transformers: PYSEC-2025-217", "shortDescription": {"text": "transformers: PYSEC-2025-217"}, "fullDescription": {"text": "Hugging Face Transformers X-CLIP Checkpoint Conversion Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of checkpoints. 
The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28308."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-216", "name": "transformers: PYSEC-2025-216", "shortDescription": {"text": "transformers: PYSEC-2025-216"}, "fullDescription": {"text": "Hugging Face Transformers HuBERT convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint.\n\nThe specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28253."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-215", "name": "transformers: PYSEC-2025-215", "shortDescription": {"text": "transformers: PYSEC-2025-215"}, "fullDescription": {"text": "Hugging Face Transformers SEW-D convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint.\n\nThe specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. 
An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28252."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-214", "name": "transformers: PYSEC-2025-214", "shortDescription": {"text": "transformers: PYSEC-2025-214"}, "fullDescription": {"text": "Hugging Face Transformers SEW convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint.\n\nThe specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28251."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-213", "name": "transformers: PYSEC-2025-213", "shortDescription": {"text": "transformers: PYSEC-2025-213"}, "fullDescription": {"text": "Hugging Face Transformers megatron_gpt2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. 
Was ZDI-CAN-27984."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-212", "name": "transformers: PYSEC-2025-212", "shortDescription": {"text": "transformers: PYSEC-2025-212"}, "fullDescription": {"text": "Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25424."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2025-211", "name": "transformers: PYSEC-2025-211", "shortDescription": {"text": "transformers: PYSEC-2025-211"}, "fullDescription": {"text": "Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. 
Was ZDI-CAN-25423."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2024-229", "name": "transformers: PYSEC-2024-229", "shortDescription": {"text": "transformers: PYSEC-2024-229"}, "fullDescription": {"text": "Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25012."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2024-228", "name": "transformers: PYSEC-2024-228", "shortDescription": {"text": "transformers: PYSEC-2024-228"}, "fullDescription": {"text": "Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. 
Was ZDI-CAN-25191."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2024-227", "name": "transformers: PYSEC-2024-227", "shortDescription": {"text": "transformers: PYSEC-2024-227"}, "fullDescription": {"text": "Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of configuration files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-24322."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2023-301", "name": "transformers: PYSEC-2023-301", "shortDescription": {"text": "transformers: PYSEC-2023-301"}, "fullDescription": {"text": "Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC080", "name": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-", "shortDescription": {"text": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). 
Ported from bandit B202 (Apache-2.0)."}, "fullDescription": {"text": "Add `filter='data'` (Python \u2265 3.12; the `filter` argument was also backported to 3.8.17, 3.9.17, 3.10.12 and 3.11.4). On older interpreters, resolve each member's destination with `os.path.realpath` and reject any member that lands outside the target directory, has an absolute name or a `..` component, or is a symlink/hard link pointing outside it, before extracting."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC035", "name": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based o", "shortDescription": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation."}, "fullDescription": {"text": "Cap user-controlled sizes BEFORE allocation:\n  size = min(int(request.args.get('n', 100)), MAX_SIZE)\nSet framework-level limits:\n  Flask:    app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024\n  FastAPI:  use middleware to enforce request size\n  Django:   DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py\nNever raise `sys.setrecursionlimit` past 10K without a deeper review."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Catch `Exception` instead, or re-raise after cleanup so that KeyboardInterrupt and SystemExit still propagate. See CWE-705 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/setup-python` pinned to mutable ref `@v6`", "shortDescription": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "fullDescription": {"text": "`uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED119", "name": "Dockerfile `ADD https://astral.sh/uv/install.sh`", "shortDescription": {"text": "Dockerfile `ADD https://astral.sh/uv/install.sh`"}, "fullDescription": {"text": "Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised during the build \u2014 or if the URL later serves a different file \u2014 malicious content gets baked into the image and executed. Pin the installer to a specific release URL and verify it: use BuildKit's `ADD --checksum=sha256:<digest> <url> <dest>`, or fetch it with `RUN curl` and check it against a known `sha256sum` before running it."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `pytorch/pytorch:2.5.0-cuda12.4-cudnn9-runtime` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `pytorch/pytorch:2.5.0-cuda12.4-cudnn9-runtime` not pinned by digest"}, "fullDescription": {"text": "`FROM pytorch/pytorch:2.5.0-cuda12.4-cudnn9-runtime` resolves the tag at build time. Whoever controls the repository (the publisher, or an attacker who compromises it) can re-push a different image under the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility and supply-chain integrity, and let Dependabot or Renovate bump the digest."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "Phantom test coverage: test_dataloader", "shortDescription": {"text": "Phantom test coverage: test_dataloader"}, "fullDescription": {"text": "Test function `test_dataloader` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.cache_k` used but never assigned in __init__", "shortDescription": {"text": "`self.cache_k` used but never assigned in __init__"}, "fullDescription": {"text": "Method `forward` of class `MultiHeadAttention` reads `self.cache_k`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-53q9-r3pm-6pq6", "name": "torch: GHSA-53q9-r3pm-6pq6", "shortDescription": {"text": "torch: GHSA-53q9-r3pm-6pq6"}, "fullDescription": {"text": "PyTorch: `torch.load` with `weights_only=True` leads to remote code execution"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3863-2447-669p", "name": "transformers: GHSA-3863-2447-669p", "shortDescription": {"text": "transformers: GHSA-3863-2447-669p"}, "fullDescription": {"text": "transformers has a Deserialization of Untrusted Data vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/773"}, "properties": {"repository": "rasbt/LLMs-from-scratch", "repoUrl": "https://github.com/rasbt/LLMs-from-scratch", "branch": "main"}, "results": [{"ruleId": "GHSA-887c-mr87-cxwp", "level": "warning", "message": {"text": "torch: GHSA-887c-mr87-cxwp"}, "properties": {"repobilityId": 65226, "scanner": "osv-scanner", "fingerprint": "cd9d29a18f3a471b652a188ecab309d7b384d6896b51dcb4aac681c221f407db", "category": "dependency", "severity": "medium", "confidence": 0.88, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-3730", "CVE-2025-3730"], "package": "torch", "rule_id": "GHSA-887c-mr87-cxwp", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2025-3730|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4m77-cmpx-vjc4", "level": "warning", "message": {"text": "jupyterlab: GHSA-4m77-cmpx-vjc4"}, "properties": {"repobilityId": 65209, "scanner": "osv-scanner", "fingerprint": "821f3badfe9935900d7e82c8c088be672b14b7d050f13145b851a2d49cc51d82", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-jupyter-base-notebook-2024-22420", "BIT-jupyter-notebook-2024-22420", "BIT-jupyterlab-2024-22420", "CVE-2024-22420"], "package": "jupyterlab", "rule_id": "GHSA-4m77-cmpx-vjc4", "scanner": "osv-scanner", "correlation_key": "vuln|jupyterlab|CVE-2024-22420|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6w46-j5rx-g56g", "level": "warning", "message": {"text": "pytest: GHSA-6w46-j5rx-g56g"}, "properties": {"repobilityId": 65204, "scanner": "osv-scanner", "fingerprint": "0b11722a217b3fc92bc093eedf0e9934d649ff377aecaa71f62ee791031c6645", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-71176"], "package": "pytest", "rule_id": "GHSA-6w46-j5rx-g56g", "scanner": "osv-scanner", "correlation_key": "vuln|pytest|CVE-2025-71176|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/07_gpt_to_llama/tests/test-requirements-extra.txt"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "GHSA-rcv9-qm8p-9p6j", "level": "warning", "message": {"text": "transformers: GHSA-rcv9-qm8p-9p6j"}, "properties": {"repobilityId": 65200, "scanner": "osv-scanner", "fingerprint": "c11ea4151da70acf66cc70caf7b9c6a75b5878617f405f346e1d5b68f644d7c7", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-6051"], "package": "transformers", "rule_id": "GHSA-rcv9-qm8p-9p6j", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2025-6051|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-rcv9-qm8p-9p6j"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["3e949baf178ce318eb536af0456e6bf00eaacbea3fbc28aa69b62a6cdc72d09e", "c11ea4151da70acf66cc70caf7b9c6a75b5878617f405f346e1d5b68f644d7c7", "fa3559f0b3d029a4dbc1712cb2fdc193aacd9bc1cefc2202703d4a8d1ebb9291"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q2wp-rjmx-x6x9", "level": "warning", "message": {"text": "transformers: GHSA-q2wp-rjmx-x6x9"}, "properties": {"repobilityId": 65199, "scanner": "osv-scanner", "fingerprint": "86749490afa5583da5ca4300103b33f31f1616f3f81f743ac97cf7409400c74d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-3263"], "package": "transformers", "rule_id": "GHSA-q2wp-rjmx-x6x9", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2025-3263|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-q2wp-rjmx-x6x9"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": 
["8350f1e4c023f1dd8bd754c3612122bfd0ac38ed2338c770225fbcd9c9b8119b", "86749490afa5583da5ca4300103b33f31f1616f3f81f743ac97cf7409400c74d", "da0f3b41273f285c7ddeafe83ff8f1ef553143bdc0b6bc574ffebd933dad05d9"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jjph-296x-mrcr", "level": "warning", "message": {"text": "transformers: GHSA-jjph-296x-mrcr"}, "properties": {"repobilityId": 65197, "scanner": "osv-scanner", "fingerprint": "accba55284c561098072d48a00a26ec70f55d804ed838bfa4e904155d613625a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-3264"], "package": "transformers", "rule_id": "GHSA-jjph-296x-mrcr", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2025-3264|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-jjph-296x-mrcr"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0f8fd9bb4b4d2aeee8681c4f742abfb0292f32562445d99b50cc31a1d10a1b41", "accba55284c561098072d48a00a26ec70f55d804ed838bfa4e904155d613625a", "c3785b92b43efa27a690b4f814a9b8898e00dc83c79d22619f3d836a0672c399"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fpwr-67px-3qhx", "level": "warning", "message": {"text": "transformers: GHSA-fpwr-67px-3qhx"}, "properties": {"repobilityId": 65196, "scanner": "osv-scanner", "fingerprint": "3b568c378f8ff43d294e87ca15ee4b0d896b0005d4938f3581a7655efc8ca9d0", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying 
issue.", "evidence": {"match": "", "aliases": ["CVE-2025-1194"], "package": "transformers", "rule_id": "GHSA-fpwr-67px-3qhx", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2025-1194|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-fpwr-67px-3qhx"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["3537abd72fc5fc36be98cd116e5c325129c61563d641e61df321f75d987852e1", "3b568c378f8ff43d294e87ca15ee4b0d896b0005d4938f3581a7655efc8ca9d0", "ad2ad49ae3842a3005d7100070f9b7862d2bb48b2d6b017651dd261cb512701f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9356-575x-2w9m", "level": "warning", "message": {"text": "transformers: GHSA-9356-575x-2w9m"}, "properties": {"repobilityId": 65195, "scanner": "osv-scanner", "fingerprint": "fc5a9553d525f4a259595ea98c09ed11465d556823a0f8fa26ce6aa83c90e581", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-5197"], "package": "transformers", "rule_id": "GHSA-9356-575x-2w9m", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2025-5197|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-9356-575x-2w9m"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["05c13b6f0e8494f12cae3f3901a2510c8745b00d98306445e18bc719c6e6c52e", "df55477820beb1a32327e71c654ecf0406407bdabfbb243d02a04a5bf2fc5dd0", "fc5a9553d525f4a259595ea98c09ed11465d556823a0f8fa26ce6aa83c90e581"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6rvg-6v2m-4j46", "level": "warning", "message": {"text": "transformers: GHSA-6rvg-6v2m-4j46"}, 
"properties": {"repobilityId": 65194, "scanner": "osv-scanner", "fingerprint": "1984843c2c77f87ade2fab468d094b71865f2dd8580e2e4b6984d7ce50bcce5f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-12720"], "package": "transformers", "rule_id": "GHSA-6rvg-6v2m-4j46", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2024-12720|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-6rvg-6v2m-4j46"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["00cb6e9a33a9317313a4c592b770f90f44af4e9bb9cb3e3f7497b680db982185", "1984843c2c77f87ade2fab468d094b71865f2dd8580e2e4b6984d7ce50bcce5f", "595d59a3c5e729f974612b14081cd913808b084411c307d37f87163dad81497e"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-69w3-r845-3855", "level": "warning", "message": {"text": "transformers: GHSA-69w3-r845-3855"}, "properties": {"repobilityId": 65193, "scanner": "osv-scanner", "fingerprint": "88a0f08bdb00b4e80945de5f15579cf4770f3642eb8f59f164132a951d7fdeeb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-1839"], "package": "transformers", "rule_id": "GHSA-69w3-r845-3855", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2026-1839|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-69w3-r845-3855"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["88a0f08bdb00b4e80945de5f15579cf4770f3642eb8f59f164132a951d7fdeeb", 
"9b8a5fc527c77c9d6c4111912e3a7dc70211ac75db124a23a8e987d39aca2c83", "d2ba75492cdcb0de728be11449771eb2fd7a640fab23fd22fa0207ba7828a5ed"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-59p9-h35m-wg4g", "level": "warning", "message": {"text": "transformers: GHSA-59p9-h35m-wg4g"}, "properties": {"repobilityId": 65192, "scanner": "osv-scanner", "fingerprint": "0430d98756d90d6a2a7510791ddc3e56ec01c431955e0d4f9f8fa5544951c463", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-6638"], "package": "transformers", "rule_id": "GHSA-59p9-h35m-wg4g", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2025-6638|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-59p9-h35m-wg4g"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0430d98756d90d6a2a7510791ddc3e56ec01c431955e0d4f9f8fa5544951c463", "c465fb2522121dd0d9722380e5c4dcdd5d88cd38fcb9795960d7f722503a8d44", "d4e8b9109a8d092cd91b6356e35e3700856fc1a29c2e3d5b15d2a0ca6faa6a18"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4w7r-h757-3r74", "level": "warning", "message": {"text": "transformers: GHSA-4w7r-h757-3r74"}, "properties": {"repobilityId": 65191, "scanner": "osv-scanner", "fingerprint": "8cf8bc91e6e4a21b48b80970311c4f20c4ae5988978cd0cbd2895631bc24b97a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-6921"], "package": 
"transformers", "rule_id": "GHSA-4w7r-h757-3r74", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2025-6921|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-4w7r-h757-3r74"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["09c1a3a4f02b05c3e95e60c08f1eaf23ffb287bb0fd21ceeb853a78bf9912050", "1ad0f2e6690325614b7639692ff513f921140e543b686bf107273d2a488e7458", "8cf8bc91e6e4a21b48b80970311c4f20c4ae5988978cd0cbd2895631bc24b97a"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-37mw-44qp-f5jm", "level": "warning", "message": {"text": "transformers: GHSA-37mw-44qp-f5jm"}, "properties": {"repobilityId": 65189, "scanner": "osv-scanner", "fingerprint": "67d8dd67c49638d24b13a4b409a1f7e495e6581c9ca07077d597a6c7ffd33a10", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-3933"], "package": "transformers", "rule_id": "GHSA-37mw-44qp-f5jm", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2025-3933|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-37mw-44qp-f5jm"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["67d8dd67c49638d24b13a4b409a1f7e495e6581c9ca07077d597a6c7ffd33a10", "daaea13c1f07f94f877114fa6e89b32d62dd113593f7073a68f51a20eeeab37a", "fe8360e899a8ec2c337c2d41e9e8b968043c889052d80c206af6942cbeb044dd"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 65173, "scanner": "repobility-docker", "fingerprint": 
"c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 65172, "scanner": "repobility-docker", "fingerprint": "ec10131e7622e2e7d4b0edcaa86122bc91f1c94fa9f8e4a586692449aac26586", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "pytorch/pytorch:2.5.0-cuda12.4-cudnn9-runtime", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ec10131e7622e2e7d4b0edcaa86122bc91f1c94fa9f8e4a586692449aac26586"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup/03_optional-docker-environment/.devcontainer/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 65170, "scanner": "repobility-docker", "fingerprint": "8b29b40579a151aa352a20e78273366f8e8d16f7d29a6635e50716fa21233e9b", "category": "docker", "severity": "medium", 
"confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8b29b40579a151aa352a20e78273366f8e8d16f7d29a6635e50716fa21233e9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup/03_optional-docker-environment/.devcontainer/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 65165, "scanner": "repobility-threat-engine", "fingerprint": "0fcb86bc9b5514b9bdcf0fdf4279b731acf04f59fb157ca4890ef3d6c7fbcf11", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|33|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/llms_from_scratch/ch06.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 65164, "scanner": "repobility-threat-engine", "fingerprint": "9758f98a5e9bbba9073fa248a32f873330ce9a818eb8afec73c9ec28f309187e", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|46|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch06/03_bonus_imdb-classification/download_prepare_dataset.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 65109, "scanner": "repobility-threat-engine", "fingerprint": "5bcbb4dd8cf66bd99ca4d42d13e4a8a300b9901c330d8c147ff670812a89b4dc", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|149|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/llms_from_scratch/utils.py"}, "region": {"startLine": 149}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 65108, "scanner": "repobility-threat-engine", "fingerprint": "6784cf3d17a0fe1f47e103c21f9f376c77377d0b7a889ccf98acc6ea7dd7292b", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|28|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/05_bpe-from-scratch/tests.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `check_quotes_in_source` has cognitive complexity 22 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: break=1, continue=2, for=2, if=5, nested_bonus=12."}, "properties": {"repobilityId": 65104, "scanner": "repobility-threat-engine", "fingerprint": "3100afbe865b688d497e20b248c584a90dea417981706f354e1b5f3b0049805c", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 22 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "check_quotes_in_source", "breakdown": {"if": 5, "for": 2, "break": 1, "continue": 2, "nested_bonus": 12}, "complexity": 22, "correlation_key": "fp|3100afbe865b688d497e20b248c584a90dea417981706f354e1b5f3b0049805c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/check_double_quotes.py"}, "region": {"startLine": 76}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 65103, "scanner": "repobility-agent-runtime", "fingerprint": "305bbde07be12b5fe0da25fc736f67a278df740c3a56b876151afd4a36521c14", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|305bbde07be12b5fe0da25fc736f67a278df740c3a56b876151afd4a36521c14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup/01_optional-python-setup-preferences/native-uv.md"}, "region": {"startLine": 33}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 65102, "scanner": "repobility-agent-runtime", "fingerprint": 
"46854ba29796c85c3d011f24c0188db479355f173779db4cb86757812322b95a", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|46854ba29796c85c3d011f24c0188db479355f173779db4cb86757812322b95a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup/01_optional-python-setup-preferences/native-pixi.md"}, "region": {"startLine": 23}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 65101, "scanner": "repobility-agent-runtime", "fingerprint": "c5e4c3dbb0d0c69f341e75c87cd272bd9bf1ebbbb54424cd59c7bc790361f0f6", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|c5e4c3dbb0d0c69f341e75c87cd272bd9bf1ebbbb54424cd59c7bc790361f0f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pep8-linter.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 65100, "scanner": "repobility-agent-runtime", "fingerprint": "a1c8db45e864340583231206e7a2c5e95cab9544b314ff7f918cfcd71ff3eafb", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped 
directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|a1c8db45e864340583231206e7a2c5e95cab9544b314ff7f918cfcd71ff3eafb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-spelling-errors.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 65099, "scanner": "repobility-agent-runtime", "fingerprint": "7b9e4de9b3d009c7a6103741ff9d2763b8be3a33fd0af4a15afbfd8d59c0b6bc", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|7b9e4de9b3d009c7a6103741ff9d2763b8be3a33fd0af4a15afbfd8d59c0b6bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-links.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 65098, "scanner": "repobility-agent-runtime", "fingerprint": "b776d28e6284b3e244187f737a1829cab96501c5dad7835190218ab1c04b3bbf", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|b776d28e6284b3e244187f737a1829cab96501c5dad7835190218ab1c04b3bbf"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-pytorch-rc.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 65097, "scanner": "repobility-agent-runtime", "fingerprint": "cea817869741a0fe8f57e304d159d0bead1594d0cb87f0bbd14febb08ca3f4f1", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|cea817869741a0fe8f57e304d159d0bead1594d0cb87f0bbd14febb08ca3f4f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-old-pytorch.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 65096, "scanner": "repobility-agent-runtime", "fingerprint": "b480a509d6cc3860ad9627353a90645e3dfe016db615430ffa73ea4d5aea7916", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|b480a509d6cc3860ad9627353a90645e3dfe016db615430ffa73ea4d5aea7916"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-macos-uv.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a 
shell"}, "properties": {"repobilityId": 65095, "scanner": "repobility-agent-runtime", "fingerprint": "1b40943eb9d9af5906f8810ce9934246e7ab238e2c6a3fc1d866114cfa6b3040", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|1b40943eb9d9af5906f8810ce9934246e7ab238e2c6a3fc1d866114cfa6b3040"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-linux-uv.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 65094, "scanner": "repobility-agent-runtime", "fingerprint": "0434bb629fb2986ac0e3c157332754a1c08f732f98392e83cc779e45dd0b7909", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|0434bb629fb2986ac0e3c157332754a1c08f732f98392e83cc779e45dd0b7909"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-latest-python.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/github-script@v8` is 1 major version(s) behind (latest v9.0.0)"}, "properties": {"repobilityId": 65089, "scanner": "repobility-dependency-currency", "fingerprint": "8b5d720f015520d987e6428c81af3ab0f129cfcf0ddd480ee407879a1aafce06", "category": "dependency", "severity": "medium", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/github-script", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v9.0.0", "correlation_key": "fp|8b5d720f015520d987e6428c81af3ab0f129cfcf0ddd480ee407879a1aafce06", "current_version": "v8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/required-checks.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `tqdm` has no version pin"}, "properties": {"repobilityId": 65071, "scanner": "repobility-supply-chain", "fingerprint": "a57e8689b5ab2d9304e9e614a1f8235398be418d8a87d6524802c5fed8fbf03d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a57e8689b5ab2d9304e9e614a1f8235398be418d8a87d6524802c5fed8fbf03d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `requests` has no version pin"}, "properties": {"repobilityId": 65070, "scanner": "repobility-supply-chain", "fingerprint": "0504f9bf89ac1d17b3d58e1dbd36295881c9e2f67ab0b0accc9a87e12e86e163", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], 
"languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0504f9bf89ac1d17b3d58e1dbd36295881c9e2f67ab0b0accc9a87e12e86e163"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `thop` has no version pin"}, "properties": {"repobilityId": 65045, "scanner": "repobility-supply-chain", "fingerprint": "38fe50c26f036e6f70823e97263c947ef88c822e0802cd938f28aeb7b571bd7c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|38fe50c26f036e6f70823e97263c947ef88c822e0802cd938f28aeb7b571bd7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/02_performance-analysis/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 65044, "scanner": "repobility-ast-engine", "fingerprint": "8f7eedd42db79f7407f9d9f0f2b60b2aac20d19f9281beef86a62f2d7d12ad20", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8f7eedd42db79f7407f9d9f0f2b60b2aac20d19f9281beef86a62f2d7d12ad20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appendix-E/01_main-chapter-code/gpt_download.py"}, "region": 
{"startLine": 91}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 65038, "scanner": "repobility-ast-engine", "fingerprint": "83290b1f3e3be53c5827dd3fc1a83e4459e9f2a0d2f4ed150532e1027add7434", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|83290b1f3e3be53c5827dd3fc1a83e4459e9f2a0d2f4ed150532e1027add7434"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/llms_from_scratch/tests/test_qwen3.py"}, "region": {"startLine": 638}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 65034, "scanner": "repobility-ast-engine", "fingerprint": "c1a0dbd398a60b28de855238217bc1464b865cc3e0affdbc56024f88c307d7cd", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c1a0dbd398a60b28de855238217bc1464b865cc3e0affdbc56024f88c307d7cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/llms_from_scratch/ch05.py"}, "region": {"startLine": 323}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 65033, "scanner": "repobility-ast-engine", "fingerprint": "ea22d39ebec99037577840cfa65bf992466a1f8a87c242342fde3571e449c35c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ea22d39ebec99037577840cfa65bf992466a1f8a87c242342fde3571e449c35c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/check_double_quotes.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 65032, "scanner": "repobility-ast-engine", "fingerprint": "e5246910db65847a3dd5f64633bbf020667c2aeb9aa64212cd0517a028b6976a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e5246910db65847a3dd5f64633bbf020667c2aeb9aa64212cd0517a028b6976a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup/02_installing-python-libraries/python_environment_check.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 65029, "scanner": "repobility-ast-engine", "fingerprint": "9cd129b77ab78f5bdf31eb8c2ec5e5526b958323460d063d75a969c64a84fd0c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|9cd129b77ab78f5bdf31eb8c2ec5e5526b958323460d063d75a969c64a84fd0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/17_gemma4/tests/test_e4b/gemma4_e4b_layer_debugger.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 65028, "scanner": "repobility-ast-engine", "fingerprint": "7a2f178fc1a9e55f916bfe169e2d61d904c0534c170308d0988657e71e4a3734", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7a2f178fc1a9e55f916bfe169e2d61d904c0534c170308d0988657e71e4a3734"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/17_gemma4/tests/test_e4b/gemma4_e4b_layer_debugger.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 65027, "scanner": "repobility-ast-engine", "fingerprint": "e9860ec446553892d5e9a896054959cdbe0079547c3f0918d47675440d847e67", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e9860ec446553892d5e9a896054959cdbe0079547c3f0918d47675440d847e67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/17_gemma4/tests/test_e2b/gemma4_e2b_layer_debugger.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues 
silently"}, "properties": {"repobilityId": 65026, "scanner": "repobility-ast-engine", "fingerprint": "f40aff76aecdd5f097e1ed1741e3d25005222ff2869a98d5997fc19b520844d8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f40aff76aecdd5f097e1ed1741e3d25005222ff2869a98d5997fc19b520844d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/17_gemma4/tests/test_e2b/gemma4_e2b_layer_debugger.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 65022, "scanner": "repobility-ast-engine", "fingerprint": "7a41a15736db729b131f74df62ab467e64605c87b69a7733e998297263b61871", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7a41a15736db729b131f74df62ab467e64605c87b69a7733e998297263b61871"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/16_qwen3.5/tests/test_qwen3_5_nb.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 65021, "scanner": "repobility-ast-engine", "fingerprint": "d88eacce3f8f4e118ae7175b59b08af83eda240c0624f7a1221023415e63f847", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, 
"mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d88eacce3f8f4e118ae7175b59b08af83eda240c0624f7a1221023415e63f847"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/16_qwen3.5/tests/test_qwen3_5_nb.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 65019, "scanner": "repobility-ast-engine", "fingerprint": "71bbc1170844f105677d9a7ee5dd25d2ba84a080040b50563a80c76b6faa90bb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|71bbc1170844f105677d9a7ee5dd25d2ba84a080040b50563a80c76b6faa90bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/16_qwen3.5/tests/qwen3_5_layer_debugger.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 65018, "scanner": "repobility-ast-engine", "fingerprint": "ca56b060b34a7123ca16107e4b777789b28782dfce23793d304667d7d95597b6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ca56b060b34a7123ca16107e4b777789b28782dfce23793d304667d7d95597b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"ch05/16_qwen3.5/tests/qwen3_5_layer_debugger.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 65009, "scanner": "repobility-ast-engine", "fingerprint": "e96c7d988d40284321dcc7a5f735f4b18a0452106b8218c581238a16b35faa61", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e96c7d988d40284321dcc7a5f735f4b18a0452106b8218c581238a16b35faa61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/01_main-chapter-code/gpt_download.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 65008, "scanner": "repobility-ast-engine", "fingerprint": "2e8c07225fcf96ecb95584855b5817ba684ae765c17683a5e48cbbd5b2304871", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2e8c07225fcf96ecb95584855b5817ba684ae765c17683a5e48cbbd5b2304871"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch07/01_main-chapter-code/gpt_download.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `load_dataset_to_dataframe` (dict)"}, "properties": {"repobilityId": 64981, "scanner": "repobility-ast-engine", "fingerprint": 
"b8428992b7e87068edf16778f04ac250226f855955a06b841ce80fdea721e56e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b8428992b7e87068edf16778f04ac250226f855955a06b841ce80fdea721e56e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch06/03_bonus_imdb-classification/download_prepare_dataset.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 64980, "scanner": "repobility-ast-engine", "fingerprint": "21e64f618f98d76cf695b50bc62b8b9a62480122a3a08e512ef5ef7024959c45", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|21e64f618f98d76cf695b50bc62b8b9a62480122a3a08e512ef5ef7024959c45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch06/03_bonus_imdb-classification/gpt_download.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 64978, "scanner": "repobility-ast-engine", "fingerprint": "16a66c2145445270c7da90c2f1d27978e9aef9b6649fc7b0d663d6c73272d2da", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], 
"languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|16a66c2145445270c7da90c2f1d27978e9aef9b6649fc7b0d663d6c73272d2da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch06/01_main-chapter-code/gpt_download.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 64976, "scanner": "repobility-ast-engine", "fingerprint": "fb517fcee994548fcd3e12307ee5908dd1c3fe6be1a1729ad6aa4c33f0b645b8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fb517fcee994548fcd3e12307ee5908dd1c3fe6be1a1729ad6aa4c33f0b645b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch06/02_bonus_additional-experiments/gpt_download.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 64944, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ad5462a4501d2200add2eaf55b1a256457833bbbdea261f4b4aa077254779b63", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "optimized", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "ch04/03_kv-cache/gpt_with_kv_cache.py", "correlation_key": "fp|ad5462a4501d2200add2eaf55b1a256457833bbbdea261f4b4aa077254779b63"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/03_kv-cache/gpt_with_kv_cache_optimized.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-g7vv-2v7x-gj9p", "level": "note", "message": {"text": "tqdm: GHSA-g7vv-2v7x-gj9p"}, "properties": {"repobilityId": 65227, "scanner": "osv-scanner", "fingerprint": "2fc7f41e979e53a5d43b8517deaa42d75fee3ca5503d849f8c42b74406a60060", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-34062"], "package": "tqdm", "rule_id": "GHSA-g7vv-2v7x-gj9p", "scanner": "osv-scanner", "correlation_key": "vuln|tqdm|CVE-2024-34062|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vvfj-2jqx-52jm", "level": "note", "message": {"text": "jupyterlab: GHSA-vvfj-2jqx-52jm"}, "properties": {"repobilityId": 65213, "scanner": "osv-scanner", "fingerprint": "b2a2ff29e380520c8cf4ff8f8187825e60b9d4be44069214f1459e5571faff3d", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-jupyterlab-2025-59842", "CVE-2025-59842"], "package": "jupyterlab", "rule_id": "GHSA-vvfj-2jqx-52jm", "scanner": "osv-scanner", "correlation_key": "vuln|jupyterlab|CVE-2025-59842|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-g7vv-2v7x-gj9p", "level": "note", "message": {"text": "tqdm: GHSA-g7vv-2v7x-gj9p"}, "properties": {"repobilityId": 65206, "scanner": "osv-scanner", "fingerprint": "65bfb16e5fe89446fddb5f7ddbf61a1784143d0587adbea6bcd3780a19a1b82f", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 
duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-34062"], "package": "tqdm", "rule_id": "GHSA-g7vv-2v7x-gj9p", "scanner": "osv-scanner", "correlation_key": "vuln|tqdm|CVE-2024-34062|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-g7vv-2v7x-gj9p"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["4ac606af71d464f08873f9ac3baeae4c541c827a49b0a0e485f46b6158410958", "65bfb16e5fe89446fddb5f7ddbf61a1784143d0587adbea6bcd3780a19a1b82f", "ee09d1d9f08d7b0b8804b9cca4264b106d749dad9b76c703ebb03a88823846e4"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch07/02_dataset-utilities/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v492-6xx2-p57g", "level": "note", "message": {"text": "chainlit: GHSA-v492-6xx2-p57g"}, "properties": {"repobilityId": 65202, "scanner": "osv-scanner", "fingerprint": "45250c632fd398df899e8ef7f3dff6d494b76d0f4a08488c04908ec27372a4a1", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-68492"], "package": "chainlit", "rule_id": "GHSA-v492-6xx2-p57g", "scanner": "osv-scanner", "correlation_key": "vuln|chainlit|CVE-2025-68492|token", "duplicate_count": 3, "duplicate_rule_ids": ["GHSA-v492-6xx2-p57g"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["45250c632fd398df899e8ef7f3dff6d494b76d0f4a08488c04908ec27372a4a1", "6ec8f257c448f2866ff51c94e5a5848d18ef1261916fa95135c1df7cdb7487bc", "a992febb7ebb977450f45732285e347851190adfb34fb50807b94c1c81826801", "ca7e14de76830b54ee3f96cb48c5288551224f25e244e4c1f53e0bdd5335653b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/06_user_interface/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-phhr-52qp-3mj4", "level": 
"note", "message": {"text": "transformers: GHSA-phhr-52qp-3mj4"}, "properties": {"repobilityId": 65198, "scanner": "osv-scanner", "fingerprint": "2d5a2b52061ba3a1c4d9af95db7d09e5f1148e9828aadae80d62de1bbe7f8956", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-3777"], "package": "transformers", "rule_id": "GHSA-phhr-52qp-3mj4", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2025-3777|token", "duplicate_count": 2, "duplicate_rule_ids": ["GHSA-phhr-52qp-3mj4"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["2d5a2b52061ba3a1c4d9af95db7d09e5f1148e9828aadae80d62de1bbe7f8956", "376242acd4f2e16c42e4699b4b8d93782b53c6e61ede09a6e7a3fa52648bae74", "d854b92ede22e947b52eb123a3f9254f562285d2bd6f90dbbad733d9230aab42"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-37q5-v5qm-c9v8", "level": "note", "message": {"text": "transformers: GHSA-37q5-v5qm-c9v8"}, "properties": {"repobilityId": 65190, "scanner": "osv-scanner", "fingerprint": "59ee487e8a2e180edb93c38391f04becc2e6fede4f561fb8ca8ddccee21534a2", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-3568"], "package": "transformers", "rule_id": "GHSA-37q5-v5qm-c9v8", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2024-3568|token", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-37q5-v5qm-c9v8"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1025ac8677ac21d892ed94e9d43f3cf311f710f0c390d0fc6ef16bb10909e2b9", 
"59ee487e8a2e180edb93c38391f04becc2e6fede4f561fb8ca8ddccee21534a2"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 65171, "scanner": "repobility-docker", "fingerprint": "7dbfcc50e3d74e91945189f2d214a94fc35a40233014d2cfa52db9b6fc2a0973", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|7dbfcc50e3d74e91945189f2d214a94fc35a40233014d2cfa52db9b6fc2a0973"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup/03_optional-docker-environment/.devcontainer/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 65169, "scanner": "repobility-docker", "fingerprint": "fff6bf0558607099d3f7ef16ac53cbffcdeea71f1ee11165c9103aa5d6a4c6a4", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|fff6bf0558607099d3f7ef16ac53cbffcdeea71f1ee11165c9103aa5d6a4c6a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup/03_optional-docker-environment/.devcontainer/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC124", 
"level": "note", "message": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason."}, "properties": {"repobilityId": 65160, "scanner": "repobility-threat-engine", "fingerprint": "6d253368c6ae51b7515cc9097e57acad3de2b2055d1fbe151d883f5ce12f2a01", "category": "race_condition", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.path.exists(file_path):\n        response = requests.get(url, timeout=30)\n        response.raise_f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC124", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6d253368c6ae51b7515cc9097e57acad3de2b2055d1fbe151d883f5ce12f2a01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/18_muon/gpt_train_muon.py"}, "region": {"startLine": 187}}}]}, {"ruleId": "SEC124", "level": "note", "message": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). 
`mktemp` is deprecated for the same reason."}, "properties": {"repobilityId": 65159, "scanner": "repobility-threat-engine", "fingerprint": "f73245cc78125839a322f8299a9618d6daab4c7131cf63c2aedc6b9347d38d5c", "category": "race_condition", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.path.exists(file_path):\n        response = requests.get(url, timeout=30)\n        response.raise_f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC124", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f73245cc78125839a322f8299a9618d6daab4c7131cf63c2aedc6b9347d38d5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/18_muon/gpt_train.py"}, "region": {"startLine": 143}}}]}, {"ruleId": "SEC124", "level": "note", "message": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). 
`mktemp` is deprecated for the same reason."}, "properties": {"repobilityId": 65158, "scanner": "repobility-threat-engine", "fingerprint": "d546acf164c0a33d0997b9e612ec443d0e90d975dc86e3d7c2dde255ebe90aa0", "category": "race_condition", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.path.exists(file_path):\n        response = requests.get(url, timeout=30)\n        response.raise_f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC124", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d546acf164c0a33d0997b9e612ec443d0e90d975dc86e3d7c2dde255ebe90aa0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/01_main-chapter-code/gpt_train.py"}, "region": {"startLine": 143}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `download_file` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: except=3, if=3, nested_bonus=6, ternary=1."}, "properties": {"repobilityId": 65106, "scanner": "repobility-threat-engine", "fingerprint": "237528e8b709b9b1f471e6f17f2ab617bed0f375d5ce365255e02233712a7b3b", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 13 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "download_file", "breakdown": {"if": 3, "except": 3, "ternary": 1, "nested_bonus": 6}, "complexity": 13, "correlation_key": "fp|237528e8b709b9b1f471e6f17f2ab617bed0f375d5ce365255e02233712a7b3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appendix-E/01_main-chapter-code/gpt_download.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `calc_loss_loader` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: break=1, elif=1, else=2, for=1, if=2, nested_bonus=1."}, "properties": {"repobilityId": 65105, "scanner": "repobility-threat-engine", "fingerprint": "2e89d1d00a34e52bf45c48fb15964ac66d4bd81749484c32155f16b2b711fabb", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "calc_loss_loader", "breakdown": {"if": 2, "for": 1, "elif": 1, "else": 2, "break": 1, "nested_bonus": 1}, "complexity": 8, "correlation_key": "fp|2e89d1d00a34e52bf45c48fb15964ac66d4bd81749484c32155f16b2b711fabb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appendix-D/01_main-chapter-code/previous_chapters.py"}, "region": {"startLine": 256}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `actions/setup-python@v6` is minor version(s) behind (latest v6.2.0)"}, "properties": {"repobilityId": 65093, "scanner": "repobility-dependency-currency", "fingerprint": "950cb2ea0484211225fcf03f22ba9ec378f65294abe3028e63a9f2fabc3e21e5", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-python", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.2.0", "correlation_key": "fp|950cb2ea0484211225fcf03f22ba9ec378f65294abe3028e63a9f2fabc3e21e5", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-pytorch-rc.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `actions/setup-python@v6` is minor version(s) behind (latest 
v6.2.0)"}, "properties": {"repobilityId": 65091, "scanner": "repobility-dependency-currency", "fingerprint": "413336833ae09485c145f3e27751f25f3fc2c81ef52a98f5fdb7bd4be31c0c46", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-python", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.2.0", "correlation_key": "fp|413336833ae09485c145f3e27751f25f3fc2c81ef52a98f5fdb7bd4be31c0c46", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-macos-uv.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `actions/setup-python@v6` is minor version(s) behind (latest v6.2.0)"}, "properties": {"repobilityId": 65088, "scanner": "repobility-dependency-currency", "fingerprint": "96a97f896919ad3ca533b100e6d1a447b5925d2f908b5d49bf16ba94f15915fd", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-python", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.2.0", "correlation_key": "fp|96a97f896919ad3ca533b100e6d1a447b5925d2f908b5d49bf16ba94f15915fd", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-pip.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `actions/setup-python@v6` is minor version(s) behind (latest v6.2.0)"}, "properties": {"repobilityId": 65086, "scanner": 
"repobility-dependency-currency", "fingerprint": "46ca53fe234c18dfe64949327b5d7fc6f1d180234fd4cc8be153fdf4413aac1d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-python", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.2.0", "correlation_key": "fp|46ca53fe234c18dfe64949327b5d7fc6f1d180234fd4cc8be153fdf4413aac1d", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-windows-uv-pip.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `actions/setup-python@v6` is minor version(s) behind (latest v6.2.0)"}, "properties": {"repobilityId": 65084, "scanner": "repobility-dependency-currency", "fingerprint": "cf8e16a5f0a94aae09ea747b57249361eb448060682cc4c4d33d90b3368ccc95", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-python", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.2.0", "correlation_key": "fp|cf8e16a5f0a94aae09ea747b57249361eb448060682cc4c4d33d90b3368ccc95", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-spelling-errors.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `actions/setup-python@v6` is minor version(s) behind (latest v6.2.0)"}, "properties": {"repobilityId": 65082, "scanner": "repobility-dependency-currency", "fingerprint": 
"edb418d37c9d66b7b1f73afeddf0f082901dca31bc20afc64ea6c80e60e29477", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-python", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.2.0", "correlation_key": "fp|edb418d37c9d66b7b1f73afeddf0f082901dca31bc20afc64ea6c80e60e29477", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pep8-linter.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `actions/setup-python@v6` is minor version(s) behind (latest v6.2.0)"}, "properties": {"repobilityId": 65080, "scanner": "repobility-dependency-currency", "fingerprint": "76882594586a4e5496f071c5a60aec0e00ef6e0b3b91a3c574f6f21441cb4aff", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-python", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.2.0", "correlation_key": "fp|76882594586a4e5496f071c5a60aec0e00ef6e0b3b91a3c574f6f21441cb4aff", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-links.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `actions/setup-python@v6` is minor version(s) behind (latest v6.2.0)"}, "properties": {"repobilityId": 65078, "scanner": "repobility-dependency-currency", "fingerprint": "e75f146856bbf2625208e2f155ade407547786546ffad6b85f7caa6341c7c5c0", "category": 
"dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-python", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.2.0", "correlation_key": "fp|e75f146856bbf2625208e2f155ade407547786546ffad6b85f7caa6341c7c5c0", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-linux-uv.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `actions/setup-python@v6` is minor version(s) behind (latest v6.2.0)"}, "properties": {"repobilityId": 65075, "scanner": "repobility-dependency-currency", "fingerprint": "7d8ea1ca6f0b737c9e0979cb4a6dd409123a8f4668f042624072cba581ff428a", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-python", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.2.0", "correlation_key": "fp|7d8ea1ca6f0b737c9e0979cb4a6dd409123a8f4668f042624072cba581ff428a", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-latest-python.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `actions/setup-python@v6` is minor version(s) behind (latest v6.2.0)"}, "properties": {"repobilityId": 65073, "scanner": "repobility-dependency-currency", "fingerprint": "768a8ef09430a25b89ffb09e2ff2ed9096e0151eda738eef53fa5fff4c2b398b", "category": "dependency", "severity": "low", "confidence": 0.9, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-python", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.2.0", "correlation_key": "fp|768a8ef09430a25b89ffb09e2ff2ed9096e0151eda738eef53fa5fff4c2b398b", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-old-pytorch.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC005", "level": "note", "message": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "properties": {"repobilityId": 64975, "scanner": "repobility-ai-code-hygiene", "fingerprint": "734338cd10e1f42fa15899bbbf7bbf410cfae9cba3665f7723bdf87f32583008", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Patch-style file defines a top-level symbol also defined in another source file.", "evidence": {"symbol": "FeedForward", "rule_id": "AIC005", "scanner": "repobility-ai-code-hygiene", "references": ["https://github.com/jendrikseipp/vulture", "https://knip.dev/"], "duplicate_file": "appendix-D/01_main-chapter-code/previous_chapters.py", "correlation_key": "fp|734338cd10e1f42fa15899bbbf7bbf410cfae9cba3665f7723bdf87f32583008"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/03_kv-cache/gpt_with_kv_cache_optimized.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64974, "scanner": "repobility-ai-code-hygiene", "fingerprint": "58b0c0d2de4ce083027d0a3f17ec4d5c16861541ac066240ea8aefcddf1c5379", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "appendix-D/01_main-chapter-code/previous_chapters.py", "duplicate_line": 58, "correlation_key": "fp|58b0c0d2de4ce083027d0a3f17ec4d5c16861541ac066240ea8aefcddf1c5379"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/05_mla/gpt_with_kv_mla.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64973, "scanner": "repobility-ai-code-hygiene", "fingerprint": "93b2e17e42b36df59e114664179200798c4f3a857e2d95f5c40ec518d528e873", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ch04/01_main-chapter-code/gpt.py", "duplicate_line": 52, "correlation_key": "fp|93b2e17e42b36df59e114664179200798c4f3a857e2d95f5c40ec518d528e873"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/05_mla/gpt_with_kv_mla.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64972, "scanner": "repobility-ai-code-hygiene", "fingerprint": "196acdb27b83c0d8a153aa34ef97b021db31305dea861cf63fafe4087d034da6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", 
"scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ch04/04_gqa/gpt_with_kv_mha.py", "duplicate_line": 46, "correlation_key": "fp|196acdb27b83c0d8a153aa34ef97b021db31305dea861cf63fafe4087d034da6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/05_mla/gpt_with_kv_mla.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64971, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8bc9bbea348fcec29a623af068592bb24fcdef86318161c1afc700b18f051d12", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ch04/04_gqa/gpt_with_kv_gqa.py", "duplicate_line": 49, "correlation_key": "fp|8bc9bbea348fcec29a623af068592bb24fcdef86318161c1afc700b18f051d12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/05_mla/gpt_with_kv_mla.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64970, "scanner": "repobility-ai-code-hygiene", "fingerprint": "780a66da42fb3b9f34fbda5619113f4b0f32c612ce290e9bcbc311d27fb395e0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ch04/03_kv-cache/gpt_with_kv_cache_optimized.py", "duplicate_line": 
74, "correlation_key": "fp|780a66da42fb3b9f34fbda5619113f4b0f32c612ce290e9bcbc311d27fb395e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/05_mla/gpt_with_kv_mha.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64969, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f9f1d3917c8491e97fde7efc254a9b1879c04b3e549681cd03337dc4f4a42657", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ch04/04_gqa/gpt_with_kv_gqa.py", "duplicate_line": 48, "correlation_key": "fp|f9f1d3917c8491e97fde7efc254a9b1879c04b3e549681cd03337dc4f4a42657"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/05_mla/gpt_with_kv_mha.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64968, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e763394cb3ecaba8b3c03dd745b75ebaee870eb6b485df927f095af26e28731e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ch04/03_kv-cache/gpt_with_kv_cache.py", "duplicate_line": 22, "correlation_key": "fp|e763394cb3ecaba8b3c03dd745b75ebaee870eb6b485df927f095af26e28731e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"ch04/05_mla/gpt_with_kv_mha.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64967, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a699b2d3751e6fbc6b10728f41ff8f26ab843c17d7261a1a0b563c1d19ffe8d6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ch04/04_gqa/gpt_with_kv_mha.py", "duplicate_line": 1, "correlation_key": "fp|a699b2d3751e6fbc6b10728f41ff8f26ab843c17d7261a1a0b563c1d19ffe8d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/05_mla/gpt_with_kv_mha.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64966, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f5235408785c4db1f98b8b60035e13362a51c8cbd9189d3bb9e6181d2c71a791", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ch04/03_kv-cache/gpt_with_kv_cache_optimized.py", "duplicate_line": 74, "correlation_key": "fp|f5235408785c4db1f98b8b60035e13362a51c8cbd9189d3bb9e6181d2c71a791"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/04_gqa/gpt_with_kv_mha.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation 
block across source files"}, "properties": {"repobilityId": 64965, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cd520b4081819377a4991d0d0ffdc94f4742d4984ef2f860c3fc3dfac51d2b03", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ch04/04_gqa/gpt_with_kv_gqa.py", "duplicate_line": 48, "correlation_key": "fp|cd520b4081819377a4991d0d0ffdc94f4742d4984ef2f860c3fc3dfac51d2b03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/04_gqa/gpt_with_kv_mha.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64964, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bd56e5500a556a57bcaf054344ee9703b818a8695d46796c92027d1101207ca7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ch04/03_kv-cache/gpt_with_kv_cache.py", "duplicate_line": 22, "correlation_key": "fp|bd56e5500a556a57bcaf054344ee9703b818a8695d46796c92027d1101207ca7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/04_gqa/gpt_with_kv_mha.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64963, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"1b3cb3360169fa8e59ae0ca77c91cc71275050247c9a270518be5ce580754121", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ch04/03_kv-cache/gpt_with_kv_cache_optimized.py", "duplicate_line": 74, "correlation_key": "fp|1b3cb3360169fa8e59ae0ca77c91cc71275050247c9a270518be5ce580754121"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/04_gqa/gpt_with_kv_gqa.py"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64962, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8313653f60f92e65828a333a01f5f6d12186a47d290e2378dcce87f0c5c718c6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ch04/03_kv-cache/gpt_with_kv_cache.py", "duplicate_line": 57, "correlation_key": "fp|8313653f60f92e65828a333a01f5f6d12186a47d290e2378dcce87f0c5c718c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/04_gqa/gpt_with_kv_gqa.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64961, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f73e2a5d1cf9ef9b775337923293a3d5cb9a90be730ec435dee1993f0f70fcbf", "category": "quality", "severity": "low", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "appendix-D/01_main-chapter-code/previous_chapters.py", "duplicate_line": 87, "correlation_key": "fp|f73e2a5d1cf9ef9b775337923293a3d5cb9a90be730ec435dee1993f0f70fcbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/03_kv-cache/gpt_with_kv_cache.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64960, "scanner": "repobility-ai-code-hygiene", "fingerprint": "657ae33bd3d162d2d1ad7cfb43e2b2c47c07ae7a0ab2d2ad5b19a9935b766afc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ch04/03_kv-cache/gpt_with_kv_cache_optimized.py", "duplicate_line": 74, "correlation_key": "fp|657ae33bd3d162d2d1ad7cfb43e2b2c47c07ae7a0ab2d2ad5b19a9935b766afc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/03_kv-cache/gpt_with_kv_cache.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64959, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bb4be44b9c100767f0b9360c9d1b663f4c50de23756c9c32d10068b8e5ce654f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window 
appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ch04/01_main-chapter-code/gpt.py", "duplicate_line": 26, "correlation_key": "fp|bb4be44b9c100767f0b9360c9d1b663f4c50de23756c9c32d10068b8e5ce654f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/03_kv-cache/gpt_with_kv_cache.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64958, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3ec9f30d47b7e1065ca2e9c15e0fab135b1c5e0edc5f93485bef1872b8cbccd8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ch04/03_kv-cache/gpt_ch04.py", "duplicate_line": 1, "correlation_key": "fp|3ec9f30d47b7e1065ca2e9c15e0fab135b1c5e0edc5f93485bef1872b8cbccd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/03_kv-cache/gpt_with_kv_cache.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64957, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d47e279312eededb7e8949ef5c9e0a9132f44b767404745a8c56d92864b3268d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "ch04/03_kv-cache/gpt_with_kv_cache_optimized.py", "duplicate_line": 74, "correlation_key": "fp|d47e279312eededb7e8949ef5c9e0a9132f44b767404745a8c56d92864b3268d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/03_kv-cache/gpt_ch04.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64956, "scanner": "repobility-ai-code-hygiene", "fingerprint": "09af3bdaf2a7af7ff48d94c1fbda258a91ca63c042f518a695af16b668649200", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "appendix-D/01_main-chapter-code/previous_chapters.py", "duplicate_line": 45, "correlation_key": "fp|09af3bdaf2a7af7ff48d94c1fbda258a91ca63c042f518a695af16b668649200"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/03_kv-cache/gpt_ch04.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64955, "scanner": "repobility-ai-code-hygiene", "fingerprint": "16d3272d6294a0fde2711cd4b22062ab6cb70acd421757b997a52e6e51cd55f8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ch04/01_main-chapter-code/gpt.py", "duplicate_line": 26, "correlation_key": 
"fp|16d3272d6294a0fde2711cd4b22062ab6cb70acd421757b997a52e6e51cd55f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/03_kv-cache/gpt_ch04.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64954, "scanner": "repobility-ai-code-hygiene", "fingerprint": "01a795cff0d198bc548747d463fe908d9a24956978f52c4c42f155dc34434d7b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ch04/01_main-chapter-code/gpt.py", "duplicate_line": 18, "correlation_key": "fp|01a795cff0d198bc548747d463fe908d9a24956978f52c4c42f155dc34434d7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/01_main-chapter-code/previous_chapters.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64953, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a3d4e302c2e9a11a5df5a4e961d7e365f5e02e1c4507e2b740a7b615c7c7ba45", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "appendix-D/01_main-chapter-code/previous_chapters.py", "duplicate_line": 6, "correlation_key": "fp|a3d4e302c2e9a11a5df5a4e961d7e365f5e02e1c4507e2b740a7b615c7c7ba45"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "ch04/01_main-chapter-code/previous_chapters.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64952, "scanner": "repobility-ai-code-hygiene", "fingerprint": "87e823e866097581769151cda78dbcff1fb013dd5f05cbb0e57d255b5a21c6cd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "appendix-E/01_main-chapter-code/previous_chapters.py", "duplicate_line": 8, "correlation_key": "fp|87e823e866097581769151cda78dbcff1fb013dd5f05cbb0e57d255b5a21c6cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/01_main-chapter-code/previous_chapters.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64951, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6612f0a9162c7627d5b7154d28bad3cbbff57b474ecbacb42a641337c7902190", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ch04/03_kv-cache/gpt_with_kv_cache_optimized.py", "duplicate_line": 74, "correlation_key": "fp|6612f0a9162c7627d5b7154d28bad3cbbff57b474ecbacb42a641337c7902190"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/01_main-chapter-code/gpt.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "AIC003", 
"level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64950, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4a1ef65df526decfff5576bd9adea9064c39a0d35fee27a80ea4819d9963b1c6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "appendix-D/01_main-chapter-code/previous_chapters.py", "duplicate_line": 6, "correlation_key": "fp|4a1ef65df526decfff5576bd9adea9064c39a0d35fee27a80ea4819d9963b1c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/01_main-chapter-code/gpt.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64949, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dc21971757a4641fa20806d341ed4c378f17eedcc60e53235a85ddcd41cbaa81", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "appendix-E/01_main-chapter-code/previous_chapters.py", "duplicate_line": 8, "correlation_key": "fp|dc21971757a4641fa20806d341ed4c378f17eedcc60e53235a85ddcd41cbaa81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/01_main-chapter-code/gpt.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 
64948, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f929aa2e2f556ca22090273e29d64dd484b7223400b324fc8024ea6dd2b3dbe7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ch04/03_kv-cache/gpt_with_kv_cache_optimized.py", "duplicate_line": 74, "correlation_key": "fp|f929aa2e2f556ca22090273e29d64dd484b7223400b324fc8024ea6dd2b3dbe7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appendix-E/01_main-chapter-code/previous_chapters.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64947, "scanner": "repobility-ai-code-hygiene", "fingerprint": "589fed3482e7b6a455b71f35adf7c658f7821ff822e920b706629929cdaee899", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "appendix-D/01_main-chapter-code/previous_chapters.py", "duplicate_line": 6, "correlation_key": "fp|589fed3482e7b6a455b71f35adf7c658f7821ff822e920b706629929cdaee899"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appendix-E/01_main-chapter-code/previous_chapters.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64946, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"e862cb43daa2a5d3654bc75bffdd2c6fd2c733a896accaf080c53dee446a2952", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ch04/03_kv-cache/gpt_with_kv_cache_optimized.py", "duplicate_line": 74, "correlation_key": "fp|e862cb43daa2a5d3654bc75bffdd2c6fd2c733a896accaf080c53dee446a2952"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appendix-D/01_main-chapter-code/previous_chapters.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64945, "scanner": "repobility-ai-code-hygiene", "fingerprint": "26b35134e0de71fab71aac16c27308fb0b5153d80ef8de43b1117a812a58b2b1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "appendix-A/01_main-chapter-code/DDP-script-torchrun.py", "duplicate_line": 18, "correlation_key": "fp|26b35134e0de71fab71aac16c27308fb0b5153d80ef8de43b1117a812a58b2b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appendix-A/01_main-chapter-code/DDP-script.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 65168, "scanner": "repobility-threat-engine", "fingerprint": 
"d81c9d635e2c70a5de58d91762bc4af0bfd3174f8198e42902d080ab31eece39", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d81c9d635e2c70a5de58d91762bc4af0bfd3174f8198e42902d080ab31eece39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch06/03_bonus_imdb-classification/download_prepare_dataset.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC124", "level": "none", "message": {"text": "[SEC124] TOCTOU file access (os.access then open) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 65161, "scanner": "repobility-threat-engine", "fingerprint": "9843309aef86983a2adb3ef0d0e92bd6df3f585e717204c8b6ad2d08fe551cf3", "category": "race_condition", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC124", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9843309aef86983a2adb3ef0d0e92bd6df3f585e717204c8b6ad2d08fe551cf3"}}}, {"ruleId": "SEC011", "level": "none", "message": {"text": "[SEC011] Unsafe PyTorch Model Loading (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 65157, "scanner": "repobility-threat-engine", "fingerprint": "a12a7593397736040ae699af811f9350657e9df7602744d1ad4327b17b93eb62", "category": "deserialization", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC011", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a12a7593397736040ae699af811f9350657e9df7602744d1ad4327b17b93eb62"}}}, {"ruleId": "SEC011", "level": "none", "message": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "properties": {"repobilityId": 65156, "scanner": "repobility-threat-engine", "fingerprint": "29e53198b18a08ca59f10f06ec88e867b1daf0dbc6be99b63717e2e2b9bdad84", "category": "deserialization", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'weights_only\\s*=\\s*True' detected on same line", "evidence": {"match": "torch.load(", "reason": "Safe pattern 'weights_only\\s*=\\s*True' detected on same line", "rule_id": "SEC011", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|deserialization|ch05/18_muon/gpt_train.py|242|sec011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/18_muon/gpt_train.py"}, "region": {"startLine": 242}}}]}, {"ruleId": "SEC011", "level": "none", "message": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "properties": {"repobilityId": 65155, 
"scanner": "repobility-threat-engine", "fingerprint": "8afca91f07b5c1fb183ecae4dd886babb6628bec4a4c39988753caa0813d896c", "category": "deserialization", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'weights_only\\s*=\\s*True' detected on same line", "evidence": {"match": "torch.load(", "reason": "Safe pattern 'weights_only\\s*=\\s*True' detected on same line", "rule_id": "SEC011", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|deserialization|token|49|sec011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/06_user_interface/app_own.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC011", "level": "none", "message": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "properties": {"repobilityId": 65154, "scanner": "repobility-threat-engine", "fingerprint": "c5fce199379729f23ea0630a48889d06bf58810e852abffc029f2d71c4311803", "category": "deserialization", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'weights_only\\s*=\\s*True' detected on same line", "evidence": {"match": "torch.load(", "reason": "Safe pattern 'weights_only\\s*=\\s*True' detected on same line", "rule_id": "SEC011", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|deserialization|token|242|sec011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/01_main-chapter-code/gpt_train.py"}, "region": {"startLine": 242}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 65153, "scanner": "repobility-threat-engine", "fingerprint": "535b73062a88cf9610540f285133809f84bf0bab37bf1789b63d0dbc9fa7ba1e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|535b73062a88cf9610540f285133809f84bf0bab37bf1789b63d0dbc9fa7ba1e", "aggregated_count": 2}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 65152, "scanner": "repobility-threat-engine", "fingerprint": "7fc81e5ee30dc9e563d0f52051fd2ed9313c877f61cc044f302d61e454dac23d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7fc81e5ee30dc9e563d0f52051fd2ed9313c877f61cc044f302d61e454dac23d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/07_moe/memory_estimator_moe.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging 
password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 65151, "scanner": "repobility-threat-engine", "fingerprint": "859ddbe665be47ebbc672036ea225c300329ef363bcb76c3dd84ac7abec41f71", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|859ddbe665be47ebbc672036ea225c300329ef363bcb76c3dd84ac7abec41f71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/03_kv-cache/gpt_ch04.py"}, "region": {"startLine": 245}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 65150, "scanner": "repobility-threat-engine", "fingerprint": "40451764b377f6ea52560c878d320b3d12b535dbc5041a78ba3b530d4c4d7478", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|40451764b377f6ea52560c878d320b3d12b535dbc5041a78ba3b530d4c4d7478"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/05_bpe-from-scratch/tests.py"}, "region": {"startLine": 146}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": 
"[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 65147, "scanner": "repobility-threat-engine", "fingerprint": "b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 65146, "scanner": "repobility-threat-engine", "fingerprint": "202426bb6a1318534fe90c4a26a4c4dacfa0415190e6f46cdcb71616f68ade96", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "evidence": {"match": "print(\"Output text:\\n\", token_ids_to_text(token_ids, tokenizer)", "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|25|print output text: n token_ids_to_text token_ids tokenizer"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/01_main-chapter-code/gpt_generate.py"}, "region": {"startLine": 251}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 65145, "scanner": "repobility-threat-engine", "fingerprint": "1fb41f848d33f75d0445fc81e5db1cc0c4683954c85589edb5ae6d1aa1e22746", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "print(\"\\nOutput:\", token_ids)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|24|print noutput: token_ids"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/03_kv-cache/gpt_ch04.py"}, "region": {"startLine": 245}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 65143, "scanner": "repobility-threat-engine", "fingerprint": "dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c"}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 65139, "scanner": "repobility-threat-engine", "fingerprint": "e63c66d59d7a88ad341acbfc51ff38504bb48b8d9366e7752d47ee1fb8ca17e0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e63c66d59d7a88ad341acbfc51ff38504bb48b8d9366e7752d47ee1fb8ca17e0", "aggregated_count": 15}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 65138, "scanner": "repobility-threat-engine", "fingerprint": "244b689f1c59475291caf899329fd6a38d584a9733192ab529ea177631d57b8d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|244b689f1c59475291caf899329fd6a38d584a9733192ab529ea177631d57b8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/01_main-chapter-code/gpt_download.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 65137, "scanner": "repobility-threat-engine", "fingerprint": "07d35794d23e737f8710d296c03569fc84db836c14156c4f29c39549b2f7ace3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|07d35794d23e737f8710d296c03569fc84db836c14156c4f29c39549b2f7ace3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/bpe_openai_gpt2.py"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 65136, "scanner": "repobility-threat-engine", "fingerprint": "0c3042a42040a095e58127277bd10f5f6aca0152d626be8a50d5504c3160d978", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0c3042a42040a095e58127277bd10f5f6aca0152d626be8a50d5504c3160d978"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appendix-E/01_main-chapter-code/gpt_download.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 65135, "scanner": "repobility-threat-engine", "fingerprint": "97e83b35d6d87ad95e23d12f8a95338efdb63b7f12c389b8e08fe5a80cf94e6e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|97e83b35d6d87ad95e23d12f8a95338efdb63b7f12c389b8e08fe5a80cf94e6e", "aggregated_count": 3}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 65134, "scanner": "repobility-threat-engine", "fingerprint": "e549ab0a7cb9f7ab5d9bf63653dae148781708943ccd5eaa1187cfebfc9b2e4c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e549ab0a7cb9f7ab5d9bf63653dae148781708943ccd5eaa1187cfebfc9b2e4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch06/01_main-chapter-code/gpt_download.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 65133, "scanner": "repobility-threat-engine", "fingerprint": "24ca51c3a3ab27563ef21ff87c876102fac931358441fe69ff692fbe7d0046d4", "category": 
"quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|24ca51c3a3ab27563ef21ff87c876102fac931358441fe69ff692fbe7d0046d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/01_main-chapter-code/gpt_download.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 65132, "scanner": "repobility-threat-engine", "fingerprint": "b7dbe3bf96266d5ce56e11f69314e8684ca9360eb815e2f6cf3c7295489bc040", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b7dbe3bf96266d5ce56e11f69314e8684ca9360eb815e2f6cf3c7295489bc040"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appendix-E/01_main-chapter-code/gpt_download.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED001", "level": "none", "message": {"text": "[MINED001] Bare Except Pass (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 65131, "scanner": "repobility-threat-engine", "fingerprint": "bd632c4ade7e75e1a901d5e2da5e3e85b36e57e91ccdfbe5098de1738a5edc96", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|bd632c4ade7e75e1a901d5e2da5e3e85b36e57e91ccdfbe5098de1738a5edc96", "aggregated_count": 3}}}, {"ruleId": "SEC114", "level": "none", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 65127, "scanner": "repobility-threat-engine", "fingerprint": "ca7b550924ef010fa5b4944dbaf0a8b62878b41385152fd8f78f27a9cfd0e28a", "category": "path_traversal", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ca7b550924ef010fa5b4944dbaf0a8b62878b41385152fd8f78f27a9cfd0e28a"}}}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 65123, "scanner": "repobility-threat-engine", "fingerprint": "305d8167933f36d27a495ed0641959ff33f3d665d31f8f680a969d86851e3ac2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|305d8167933f36d27a495ed0641959ff33f3d665d31f8f680a969d86851e3ac2"}}}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 65122, "scanner": "repobility-threat-engine", "fingerprint": "bc590b8b02d2605772b6fe3e8ccf0f3c8bc358bccf41b85cf750e8ef4fae6cd8", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'timeout\\s*=' detected on same line", "evidence": {"match": "requests.get(", "reason": "Safe pattern 'timeout\\s*=' detected on same line", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|bc590b8b02d2605772b6fe3e8ccf0f3c8bc358bccf41b85cf750e8ef4fae6cd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/01_main-chapter-code/gpt_download.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 65121, "scanner": "repobility-threat-engine", "fingerprint": "66c483c6e26349ff5b322dd25ad68666bbdb023e098dfb25587bd849e87b4758", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'timeout\\s*=' detected on same line", "evidence": {"match": "requests.get(", "reason": "Safe pattern 'timeout\\s*=' detected on same line", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|66c483c6e26349ff5b322dd25ad68666bbdb023e098dfb25587bd849e87b4758"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appendix-E/01_main-chapter-code/gpt_download.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 65119, "scanner": "repobility-threat-engine", "fingerprint": "462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29"}}}, {"ruleId": "SEC013", "level": "none", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path (and 4 more): Same pattern found in 4 additional files. 
Review if needed."}, "properties": {"repobilityId": 65115, "scanner": "repobility-threat-engine", "fingerprint": "61f00f2482bc0620c8bb2b5e214895b164194fc5407dff2821a768b5fb34841c", "category": "path_traversal", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|61f00f2482bc0620c8bb2b5e214895b164194fc5407dff2821a768b5fb34841c"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "properties": {"repobilityId": 65111, "scanner": "repobility-threat-engine", "fingerprint": "e7c13b7af3bba6f3745af35df663cf916bb6f292ea634f8fc6dfdd7da3c81216", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 22 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 22 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e7c13b7af3bba6f3745af35df663cf916bb6f292ea634f8fc6dfdd7da3c81216"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 65110, "scanner": "repobility-threat-engine", "fingerprint": "4c65ed54ffd09703cccabbaee2b00f8e0c53b47fa2e20eea1d3d02f0fb6fb2ea", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.eval\\(' detected on same line", "evidence": {"match": ".eval(", "reason": "Safe pattern '\\.eval\\(' detected on same line", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|160|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appendix-A/01_main-chapter-code/DDP-script-torchrun.py"}, "region": {"startLine": 160}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 36 more): Same pattern found in 36 additional files. Review if needed."}, "properties": {"repobilityId": 65107, "scanner": "repobility-threat-engine", "fingerprint": "e73953417d9f2ca9f8a94fbd30ff8e6f289ec5e7444c727341ccdd69f1a797de", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 36 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "check_quotes_in_source", "breakdown": {"if": 5, "for": 2, "break": 1, "continue": 2, "nested_bonus": 12}, "aggregated": true, "complexity": 22, "correlation_key": "fp|e73953417d9f2ca9f8a94fbd30ff8e6f289ec5e7444c727341ccdd69f1a797de", "aggregated_count": 36}}}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 65092, "scanner": "repobility-dependency-currency", "fingerprint": "c9fcfabbc5b0be13699f4c433d4428ea4b7ffbd3c42a8b730244c1ea0276d7d5", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|c9fcfabbc5b0be13699f4c433d4428ea4b7ffbd3c42a8b730244c1ea0276d7d5", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-pytorch-rc.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 65090, "scanner": "repobility-dependency-currency", "fingerprint": "e0fab46754de88075a59b9a771f5ee8c0158e6ffc7cfc7f11a421dbdc0cd1447", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": 
"github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|e0fab46754de88075a59b9a771f5ee8c0158e6ffc7cfc7f11a421dbdc0cd1447", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-macos-uv.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 65087, "scanner": "repobility-dependency-currency", "fingerprint": "8f1a92583670782c98259c320076b25c89b73eff0269ed6da829f0c34d0b8f60", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|8f1a92583670782c98259c320076b25c89b73eff0269ed6da829f0c34d0b8f60", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-pip.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 65085, "scanner": "repobility-dependency-currency", "fingerprint": "372c1c1b09d18d5e8762e6124285f17288c863498d1ad1858480161bfa9eb45c", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", 
"correlation_key": "fp|372c1c1b09d18d5e8762e6124285f17288c863498d1ad1858480161bfa9eb45c", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-windows-uv-pip.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 65083, "scanner": "repobility-dependency-currency", "fingerprint": "0b23c81ee92d28d002d50334a3a0f48a60a8d7854b314d802699b53cb71e5a9a", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|0b23c81ee92d28d002d50334a3a0f48a60a8d7854b314d802699b53cb71e5a9a", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-spelling-errors.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 65081, "scanner": "repobility-dependency-currency", "fingerprint": "0fca570b42434a75f4d283e5b7b33d756b51a8846b3a548d8df7fda97b9afe87", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": 
"fp|0fca570b42434a75f4d283e5b7b33d756b51a8846b3a548d8df7fda97b9afe87", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pep8-linter.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 65079, "scanner": "repobility-dependency-currency", "fingerprint": "491c98be68d87f3421b87984e36e796c794452bfa77536fbd885e494b41ac926", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|491c98be68d87f3421b87984e36e796c794452bfa77536fbd885e494b41ac926", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-links.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 65077, "scanner": "repobility-dependency-currency", "fingerprint": "ad765a8b62a3accb06758fd37a0273a4c0e7ad0a689ad10745f9d92bee8f7006", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|ad765a8b62a3accb06758fd37a0273a4c0e7ad0a689ad10745f9d92bee8f7006", "current_version": 
"v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-linux-uv.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 65076, "scanner": "repobility-dependency-currency", "fingerprint": "748358d53592ca0ab2bc2b96ed058e8d468d63c46c75a256132995d2664f8fc8", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|748358d53592ca0ab2bc2b96ed058e8d468d63c46c75a256132995d2664f8fc8", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-pixi.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 65074, "scanner": "repobility-dependency-currency", "fingerprint": "2272b1e16753f1b4ec48b7fcb960ba50ffb9e1e6b2c4428f95a8d4b7af0b0935", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|2272b1e16753f1b4ec48b7fcb960ba50ffb9e1e6b2c4428f95a8d4b7af0b0935", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflows/basic-tests-latest-python.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `actions/checkout@v6` is patch version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 65072, "scanner": "repobility-dependency-currency", "fingerprint": "2bc96bd821e687255de499d55746c0f71759b87639d6e6de4a80dc1196c07e42", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|2bc96bd821e687255de499d55746c0f71759b87639d6e6de4a80dc1196c07e42", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-old-pytorch.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "PYSEC-2026-139", "level": "error", "message": {"text": "torch: PYSEC-2026-139"}, "properties": {"repobilityId": 65225, "scanner": "osv-scanner", "fingerprint": "dd04c0ad63c2478c2f5bf965b08351817fd11582f15e756d7eaa4049b12b9b37", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2026-4538", "CVE-2026-4538"], "package": "torch", "rule_id": "PYSEC-2026-139", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2026-4538|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-209", "level": "error", "message": {"text": "torch: PYSEC-2025-209"}, "properties": {"repobilityId": 65223, "scanner": "osv-scanner", "fingerprint": 
"42dc64d7e946fcd4f6c5e1db1f508e2ad0c7ec675053124bc6fff8c89bf4c50d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-55560", "CVE-2025-55560"], "package": "torch", "rule_id": "PYSEC-2025-209", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2025-55560|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-208", "level": "error", "message": {"text": "torch: PYSEC-2025-208"}, "properties": {"repobilityId": 65222, "scanner": "osv-scanner", "fingerprint": "42d2fe6c091afc2d566f725ca0e7d1d47ae80d9d80fbbbf2e9fbf80c659d1e25", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-55558", "CVE-2025-55558"], "package": "torch", "rule_id": "PYSEC-2025-208", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2025-55558|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-207", "level": "error", "message": {"text": "torch: PYSEC-2025-207"}, "properties": {"repobilityId": 65221, "scanner": "osv-scanner", "fingerprint": "a13711f1a25054bab2d82002695e5bd578039bd1e7fbdc18325fd78cf2d65bd4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-55557", "CVE-2025-55557"], "package": "torch", "rule_id": "PYSEC-2025-207", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2025-55557|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "PYSEC-2025-206", "level": "error", "message": {"text": "torch: PYSEC-2025-206"}, "properties": {"repobilityId": 65220, "scanner": "osv-scanner", "fingerprint": "8288c00698e4f0892ed7b4833bd3b85b41bf549f0a8ff7dc7effef4c13cac8bb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-55554", "CVE-2025-55554"], "package": "torch", "rule_id": "PYSEC-2025-206", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2025-55554|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-205", "level": "error", "message": {"text": "torch: PYSEC-2025-205"}, "properties": {"repobilityId": 65219, "scanner": "osv-scanner", "fingerprint": "e2f0e9323a6d6947382c5e7f6647d17e5b23df5113c8a42dd992fcf8b739a6f8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-55553", "CVE-2025-55553"], "package": "torch", "rule_id": "PYSEC-2025-205", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2025-55553|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-204", "level": "error", "message": {"text": "torch: PYSEC-2025-204"}, "properties": {"repobilityId": 65218, "scanner": "osv-scanner", "fingerprint": "f5f02114125d5df4d2b8f08f2a38f89f6013b40fb45d2ae71e53288ecc9629d4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-55552", "CVE-2025-55552"], "package": "torch", "rule_id": "PYSEC-2025-204", "scanner": "osv-scanner", "correlation_key": 
"vuln|torch|CVE-2025-55552|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-203", "level": "error", "message": {"text": "torch: PYSEC-2025-203"}, "properties": {"repobilityId": 65217, "scanner": "osv-scanner", "fingerprint": "6d76e1f0602b84e5d6dcbd8bf77c316b96e80c8ca066aa399591e113b69e9434", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-55551", "CVE-2025-55551"], "package": "torch", "rule_id": "PYSEC-2025-203", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2025-55551|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-198", "level": "error", "message": {"text": "torch: PYSEC-2025-198"}, "properties": {"repobilityId": 65216, "scanner": "osv-scanner", "fingerprint": "a59b95d58cf638832ab597ccc6f9837276ead07c755d84fe289e8a1a4beac792", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-46148", "CVE-2025-46148"], "package": "torch", "rule_id": "PYSEC-2025-198", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2025-46148|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-191", "level": "error", "message": {"text": "torch: PYSEC-2025-191"}, "properties": {"repobilityId": 65215, "scanner": "osv-scanner", "fingerprint": "63e8713b990c785ec72715ef0f1e0b754d8f3c626fc497e0a3d76d1326d24588", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 
duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-2953", "CVE-2025-2953", "GHSA-3749-ghw9-m3mg"], "package": "torch", "rule_id": "PYSEC-2025-191", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2025-2953|requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-3749-ghw9-m3mg", "PYSEC-2025-191"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["492066a5fc96408ca6ee982145de4989417144422d28bbd29091d96e590a5635", "63e8713b990c785ec72715ef0f1e0b754d8f3c626fc497e0a3d76d1326d24588"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2024-259", "level": "error", "message": {"text": "torch: PYSEC-2024-259"}, "properties": {"repobilityId": 65214, "scanner": "osv-scanner", "fingerprint": "17708c09eb52601bc52934f5ca22a58eeaaa42cb21622f2fc8f38ee826387573", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-pytorch-2024-48063", "CVE-2024-48063"], "package": "torch", "rule_id": "PYSEC-2024-259", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2024-48063|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rch3-82jr-f9w9", "level": "error", "message": {"text": "jupyterlab: GHSA-rch3-82jr-f9w9"}, "properties": {"repobilityId": 65212, "scanner": "osv-scanner", "fingerprint": "6786c76957c01ee68c324928a543d425fdddbd7933fe0c632ba66496f45384a3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-jupyter-base-notebook-2026-40171", "BIT-jupyter-notebook-2026-40171", "BIT-jupyterlab-2026-40171", "CVE-2026-40171"], "package": 
"jupyterlab", "rule_id": "GHSA-rch3-82jr-f9w9", "scanner": "osv-scanner", "correlation_key": "vuln|jupyterlab|CVE-2026-40171|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mqcg-5x36-vfcg", "level": "error", "message": {"text": "jupyterlab: GHSA-mqcg-5x36-vfcg"}, "properties": {"repobilityId": 65211, "scanner": "osv-scanner", "fingerprint": "b054a9a9a60dfc60034f3c3adb4eed7f9eae87634b6526336139fe01b8834a95", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-jupyter-base-notebook-2026-42557", "BIT-jupyter-notebook-2026-42557", "BIT-jupyterlab-2026-42557", "CVE-2026-42557"], "package": "jupyterlab", "rule_id": "GHSA-mqcg-5x36-vfcg", "scanner": "osv-scanner", "correlation_key": "vuln|jupyterlab|CVE-2026-42557|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9q39-rmj3-p4r2", "level": "error", "message": {"text": "jupyterlab: GHSA-9q39-rmj3-p4r2"}, "properties": {"repobilityId": 65210, "scanner": "osv-scanner", "fingerprint": "10ca4b80a74b188b683f801f62b41f33256c33d000a99a97ac1a4a717f937f4d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-jupyter-base-notebook-2024-43805", "BIT-jupyter-notebook-2024-43805", "BIT-jupyterlab-2024-43805", "CVE-2024-43805"], "package": "jupyterlab", "rule_id": "GHSA-9q39-rmj3-p4r2", "scanner": "osv-scanner", "correlation_key": "vuln|jupyterlab|CVE-2024-43805|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-44cc-43rp-5947", "level": "error", "message": {"text": 
"jupyterlab: GHSA-44cc-43rp-5947"}, "properties": {"repobilityId": 65208, "scanner": "osv-scanner", "fingerprint": "17a61f0b9e741aafe77f7e41ad4a9c5ed2ec296bfe32eb623fa7add6394fe553", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-jupyter-base-notebook-2024-22421", "BIT-jupyter-notebook-2024-22421", "BIT-jupyterlab-2024-22421", "CVE-2024-22421"], "package": "jupyterlab", "rule_id": "GHSA-44cc-43rp-5947", "scanner": "osv-scanner", "correlation_key": "vuln|jupyterlab|CVE-2024-22421|requirements.txt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-164", "level": "error", "message": {"text": "jupyterlab: PYSEC-2026-164"}, "properties": {"repobilityId": 65207, "scanner": "osv-scanner", "fingerprint": "1df6dcb50280b496f6da7e7d1d4316cacc35110732570147f3b1a3d8c4c01ad8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["BIT-jupyterlab-2026-42266", "CVE-2026-42266", "GHSA-37w4-hwhx-4rc4"], "package": "jupyterlab", "rule_id": "PYSEC-2026-164", "scanner": "osv-scanner", "correlation_key": "vuln|jupyterlab|CVE-2026-42266|requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-37w4-hwhx-4rc4", "PYSEC-2026-164"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1df6dcb50280b496f6da7e7d1d4316cacc35110732570147f3b1a3d8c4c01ad8", "c8629bc2cb65d5a34f7ccca2915f93238f400a0f6c0a28ab1c83883129eb8eed"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2024-110", "level": "error", "message": {"text": "scikit-learn: PYSEC-2024-110"}, "properties": 
{"repobilityId": 65205, "scanner": "osv-scanner", "fingerprint": "a52930d88b264152ee38c5f8f42af5e2a7c1dcb7c01d4b18fe8b132f5ed2df4a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-5206", "GHSA-jw8x-6495-233v"], "package": "scikit-learn", "rule_id": "PYSEC-2024-110", "scanner": "osv-scanner", "correlation_key": "vuln|scikit-learn|CVE-2024-5206|token", "duplicate_count": 3, "duplicate_rule_ids": ["GHSA-jw8x-6495-233v", "PYSEC-2024-110"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["05cff0f0c6fd2550bc1aa9789f799bfea5cbdfb04d5014ac14489df1f1546256", "6f0aeb24e667471cc42b96f5ab956c0f89fe9ddd6ead92b9f02ebbd636b218cd", "81999cbe77826963f3391ee26e6e2ef69271a250b6beda3e82ceebff97e2fa81", "a52930d88b264152ee38c5f8f42af5e2a7c1dcb7c01d4b18fe8b132f5ed2df4a"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch06/03_bonus_imdb-classification/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-38vq-g6vr-w8wf", "level": "error", "message": {"text": "sentencepiece: GHSA-38vq-g6vr-w8wf"}, "properties": {"repobilityId": 65203, "scanner": "osv-scanner", "fingerprint": "d7db2dad6534a2196844a2d51684a7d6ff334590b022ef9977f104471194b7e9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1260"], "package": "sentencepiece", "rule_id": "GHSA-38vq-g6vr-w8wf", "scanner": "osv-scanner", "correlation_key": "vuln|sentencepiece|CVE-2026-1260|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/07_gpt_to_llama/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g59-m95p-pgfq", "level": "error", "message": {"text": "chainlit: 
GHSA-2g59-m95p-pgfq"}, "properties": {"repobilityId": 65201, "scanner": "osv-scanner", "fingerprint": "bf204ce162e8103e342a92f2cc4088f2fe3df90f1a4d094754172aa8e8083476", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-22219"], "package": "chainlit", "rule_id": "GHSA-2g59-m95p-pgfq", "scanner": "osv-scanner", "correlation_key": "vuln|chainlit|CVE-2026-22219|token", "duplicate_count": 3, "duplicate_rule_ids": ["GHSA-2g59-m95p-pgfq"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["49c40d278a872edf8984a26e72243d8d40d721effec4af4e107641b114128d41", "bf204ce162e8103e342a92f2cc4088f2fe3df90f1a4d094754172aa8e8083476", "c473b986cef87e9295c7a13238f02c48e0b2d13957cbc9c981ca037857b44456", "f07cd87424812381b85eef535ce113a725235cd69a3bed2bb948d26b7c24ed3c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/06_user_interface/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-40", "level": "error", "message": {"text": "transformers: PYSEC-2025-40"}, "properties": {"repobilityId": 65188, "scanner": "osv-scanner", "fingerprint": "a04a96ffed9a3989e14b983a1b844f84104a2862e7d26dd37b2a5a7710d551c2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 5 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-2099", "GHSA-qq3j-4f4f-9583"], "package": "transformers", "rule_id": "PYSEC-2025-40", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2025-2099|token", "duplicate_count": 5, "duplicate_rule_ids": ["GHSA-qq3j-4f4f-9583", "PYSEC-2025-40"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": 
["577751148357ec8766d423f477912e6f1dadb40455f540f6c69f3cc0fa1c2bf1", "795de493d2a0954dd78abae56452677c013e72f879519a7826e0935095eb795c", "a04a96ffed9a3989e14b983a1b844f84104a2862e7d26dd37b2a5a7710d551c2", "b6c22113d39a10ab2758c6653bd66fbfba6ae908d4edbd40eb7fd0562a44d28f", "be448447688411e1371d2979275216a63b7a48fe5270c3ffacf07e66433d24fe", "d067158b9a2f96a9ad7428b2aff087cb5462b4939cadf9c2d874327c85d8e014"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-218", "level": "error", "message": {"text": "transformers: PYSEC-2025-218"}, "properties": {"repobilityId": 65187, "scanner": "osv-scanner", "fingerprint": "7ce3b605891071c50ddb4fbee1fd7a681c3784077431ea51b6095257d69a61a2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-14930"], "package": "transformers", "rule_id": "PYSEC-2025-218", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2025-14930|token", "duplicate_count": 2, "duplicate_rule_ids": ["PYSEC-2025-218"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["505efdb4e432284a9eca1fa90ce997357e0ab66c00a8e20d1823bbb5ba9dbae6", "7ce3b605891071c50ddb4fbee1fd7a681c3784077431ea51b6095257d69a61a2", "7dfb541d22bd9dd5c9718ac217c596b27cd65c0e01676ce01eb9dcff4985386b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-217", "level": "error", "message": {"text": "transformers: PYSEC-2025-217"}, "properties": {"repobilityId": 65186, "scanner": "osv-scanner", "fingerprint": "bb0e6832fac8cd419faf155500f86426ca0cb8f20987ffb795b1188fdbddd61b", "category": "dependency", "severity": 
"high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-14929"], "package": "transformers", "rule_id": "PYSEC-2025-217", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2025-14929|token", "duplicate_count": 2, "duplicate_rule_ids": ["PYSEC-2025-217"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["a25e24b6fe4dae0037fe6c6afded790166ee6568d022d11fc2b905efac16e5cc", "bb0e6832fac8cd419faf155500f86426ca0cb8f20987ffb795b1188fdbddd61b", "fe8b90d9c02cc001b5a1c3ba9911ff847e29447735d3fdf7a43e85bde76c4e7a"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-216", "level": "error", "message": {"text": "transformers: PYSEC-2025-216"}, "properties": {"repobilityId": 65185, "scanner": "osv-scanner", "fingerprint": "0e18eaf9820d00f8b2e640458823a16a404686ca7275677aff6cb16e0f8586e9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-14928"], "package": "transformers", "rule_id": "PYSEC-2025-216", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2025-14928|token", "duplicate_count": 2, "duplicate_rule_ids": ["PYSEC-2025-216"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0e18eaf9820d00f8b2e640458823a16a404686ca7275677aff6cb16e0f8586e9", "2ecb3d948fae3deec8bf754068703380b46951b47721c6e74193fdc2df8f9195", "8981f3d4e8beae6a327c74a632e4e87e8844159e3be33939c67c43a820d89187"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-215", "level": "error", "message": {"text": "transformers: PYSEC-2025-215"}, "properties": {"repobilityId": 65184, "scanner": "osv-scanner", "fingerprint": "35a1b53eb912742baaab10363169e696c07ecd2278429daf8e6162777579a7a6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-14927"], "package": "transformers", "rule_id": "PYSEC-2025-215", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2025-14927|token", "duplicate_count": 2, "duplicate_rule_ids": ["PYSEC-2025-215"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["35a1b53eb912742baaab10363169e696c07ecd2278429daf8e6162777579a7a6", "46802c7d42be8f8e8cd21900e56c095f056e914af998fbbdff8ce7b6b7376a06", "79c81195b3f8050025ee4cd470bd743941272c85c5fa77efa4042295f756d58c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-214", "level": "error", "message": {"text": "transformers: PYSEC-2025-214"}, "properties": {"repobilityId": 65183, "scanner": "osv-scanner", "fingerprint": "30fa2e9995fd730c649a2d15b043d9ab2cf4bee2deab222363d1ae3ffa2233da", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-14926"], "package": "transformers", "rule_id": "PYSEC-2025-214", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2025-14926|token", "duplicate_count": 2, "duplicate_rule_ids": ["PYSEC-2025-214"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": 
["30fa2e9995fd730c649a2d15b043d9ab2cf4bee2deab222363d1ae3ffa2233da", "8da6f7abe80b61def29efe9c188582729038db3dc1aef0f5fdc9f47bdaec85b3", "c4fede49674d1dd26dc3a911713122ec029de2d3a3592f80675a2b6bb3e0046c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-213", "level": "error", "message": {"text": "transformers: PYSEC-2025-213"}, "properties": {"repobilityId": 65182, "scanner": "osv-scanner", "fingerprint": "4be6f403f9e194c7beda0c706df707a21bd682148a729cd06c1198af03eb8e77", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-14924"], "package": "transformers", "rule_id": "PYSEC-2025-213", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2025-14924|token", "duplicate_count": 2, "duplicate_rule_ids": ["PYSEC-2025-213"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["22e8c389fe28225d0872761ca61910500f460a9bd12bd3035666bbb96fa0f27f", "4be6f403f9e194c7beda0c706df707a21bd682148a729cd06c1198af03eb8e77", "d9f1eec43062c4d26b02c2b764bbab1d6eae5111507928ea5031992a69a899e1"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-212", "level": "error", "message": {"text": "transformers: PYSEC-2025-212"}, "properties": {"repobilityId": 65181, "scanner": "osv-scanner", "fingerprint": "b092896d3c4198de47094c31a504cfbee1b4d10fafcc90da6cf589f8d076e123", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", 
"aliases": ["CVE-2025-14921"], "package": "transformers", "rule_id": "PYSEC-2025-212", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2025-14921|token", "duplicate_count": 2, "duplicate_rule_ids": ["PYSEC-2025-212"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["9af65844de298f98b40644737b32436b4a7086177cb6cfaf09e9882ac6b9dd97", "b092896d3c4198de47094c31a504cfbee1b4d10fafcc90da6cf589f8d076e123", "d5a81ffd282bc737d87777e7dbf82b684aa5bc8d9c5d6f7e013d6825383d2b58"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2025-211", "level": "error", "message": {"text": "transformers: PYSEC-2025-211"}, "properties": {"repobilityId": 65180, "scanner": "osv-scanner", "fingerprint": "cc1ec42d088cc975ae4a9cce0ed9d78c256808935b6226fee5d0a7be9a30a3eb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2025-14920"], "package": "transformers", "rule_id": "PYSEC-2025-211", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2025-14920|token", "duplicate_count": 2, "duplicate_rule_ids": ["PYSEC-2025-211"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["588f3c0491ce7e9d47391aedc667ddc81927d14a8646189e3407ac3f67081b90", "7baf972c152212bee612d6ce98131a44570c7e2d198f27a11741cb55f740b40d", "cc1ec42d088cc975ae4a9cce0ed9d78c256808935b6226fee5d0a7be9a30a3eb"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2024-229", "level": "error", "message": {"text": "transformers: PYSEC-2024-229"}, "properties": {"repobilityId": 65179, "scanner": "osv-scanner", "fingerprint": 
"7ac5014b5d3d5261b151dfed58127103e9181c11075aff166fac94fc87711cf7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 5 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-11394", "GHSA-hxxf-235m-72v3"], "package": "transformers", "rule_id": "PYSEC-2024-229", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2024-11394|token", "duplicate_count": 5, "duplicate_rule_ids": ["GHSA-hxxf-235m-72v3", "PYSEC-2024-229"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1156dc2168d41aa32e3b85b3467ad19146b5de3d1b375ff7e76a3ebe3c1dcf27", "2e52fab96ff45e8213c76d8911043ae8a09cc1ed4608b45d007bce0437edfb0e", "7ac5014b5d3d5261b151dfed58127103e9181c11075aff166fac94fc87711cf7", "bd9b213ae4d18b44e924a335eb0ef40358b015a1c5d4b034e9e1782f8a2ec3a7", "f365f4449fbcbbec2c7e55d33b38542110e44d5637defeb2bb005197ac17435b", "f89fe1d211f2827104ab5d08212bb0ae7a2175d6a887d2624cb07b4f4d93ac00"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2024-228", "level": "error", "message": {"text": "transformers: PYSEC-2024-228"}, "properties": {"repobilityId": 65178, "scanner": "osv-scanner", "fingerprint": "022a0998e09124e1e6561270566f46721408774965320c8d06950f3add451022", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 5 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-11393", "GHSA-wrfc-pvp9-mr9g"], "package": "transformers", "rule_id": "PYSEC-2024-228", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2024-11393|token", "duplicate_count": 5, "duplicate_rule_ids": ["GHSA-wrfc-pvp9-mr9g", "PYSEC-2024-228"], 
"duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["022a0998e09124e1e6561270566f46721408774965320c8d06950f3add451022", "2e3e600214fd830a7d8aee1fcea0d669f4055881ac259c31c1e681a5f6d174a7", "684397b9692aaf4b28c9fdfc5f68b0403cd201a0648bbf5b95b105a13828bf5d", "c4e47abdcd1f20f3e27f5361ef841acf095f0ad6631f267987395df1e93d038c", "d8abe8cb44aa36f6fc2c3f9ebdd2b09084c704ffcc5c01577782bf3bddf5f3e0", "f6e85760371bdc8a1bbe0333ac5e2427169d526adb3aba78756bd26d21681dd4"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2024-227", "level": "error", "message": {"text": "transformers: PYSEC-2024-227"}, "properties": {"repobilityId": 65177, "scanner": "osv-scanner", "fingerprint": "fa9093cb812d6630b9fb3b855664a36d644a1ceed6bbc8ee15fe4ae9227dbbd2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 5 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2024-11392", "GHSA-qxrp-vhvm-j765"], "package": "transformers", "rule_id": "PYSEC-2024-227", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2024-11392|token", "duplicate_count": 5, "duplicate_rule_ids": ["GHSA-qxrp-vhvm-j765", "PYSEC-2024-227"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1831ace5e7edf57a3c612e575edb32713ed7f3575ae0d6cffecf49d7db624d94", "36fc48ae48cdd9a6fa028937fc623696ce4f0d6daf4b67ea19f6a54659d5c8f6", "4362826cacc25fa9e155786fa85d94487dee87b32d15f572a934c6c18516d0bd", "52a409bb6aabda19b6bc529d0382fc82326b2c32a60794091857caadadffc854", "dfec655d5410e72839be4d2deb661da50b56791dedc96317df432313ac23f813", "fa9093cb812d6630b9fb3b855664a36d644a1ceed6bbc8ee15fe4ae9227dbbd2"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, 
"region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2023-301", "level": "error", "message": {"text": "transformers: PYSEC-2023-301"}, "properties": {"repobilityId": 65176, "scanner": "osv-scanner", "fingerprint": "4fb5cdb7253605a005f505bf582adcab7a55bc3540ccc370a1fcdb22778ff4e7", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2023-7018", "GHSA-v68g-wm8c-6x7j"], "package": "transformers", "rule_id": "PYSEC-2023-301", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2023-7018|token", "duplicate_count": 3, "duplicate_rule_ids": ["GHSA-v68g-wm8c-6x7j", "PYSEC-2023-301"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["4fb5cdb7253605a005f505bf582adcab7a55bc3540ccc370a1fcdb22778ff4e7", "5024532235f80d4c26333e89c32e7b0dbfd98d210dc2b36903e1e174c4e9aec1", "c17c9cf6e09410e39c7944ca92ed3c310d66201da197de52341d230e40417ac6", "dbdddf3209836dc2b77119707bdede64e5b71cf95a6cbf49d5b86bb1804c70ef"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC080", "level": "error", "message": {"text": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). 
Ported from bandit B202 (Apache-2.0)."}, "properties": {"repobilityId": 65167, "scanner": "repobility-threat-engine", "fingerprint": "681f1cfbdfeb754e16b13670f697afe6b860bd4bbf6925f6eab44acaedc0525b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "tar.extractall()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC080", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|681f1cfbdfeb754e16b13670f697afe6b860bd4bbf6925f6eab44acaedc0525b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch06/03_bonus_imdb-classification/download_prepare_dataset.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC035", "level": "error", "message": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. 
Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants."}, "properties": {"repobilityId": 65166, "scanner": "repobility-threat-engine", "fingerprint": "13dfddf9e41dde7d33e233c3fe0afb68316d6a43e1c549890d1916d1c4aca1ad", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC035", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|13dfddf9e41dde7d33e233c3fe0afb68316d6a43e1c549890d1916d1c4aca1ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch06/03_bonus_imdb-classification/download_prepare_dataset.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... 
\u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 65163, "scanner": "repobility-threat-engine", "fingerprint": "78c597ad072709f93f5f25b47a856b1ad294a742e9c4bf9a3e4431745aef9b87", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|78c597ad072709f93f5f25b47a856b1ad294a742e9c4bf9a3e4431745aef9b87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/05_bonus_hparam_tuning/hparam_search.py"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... 
\u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 65162, "scanner": "repobility-threat-engine", "fingerprint": "15baa4e2d6a92e4fbca9c8fb5f7a96cd27e69285685961ea869a1eda85083163", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|15baa4e2d6a92e4fbca9c8fb5f7a96cd27e69285685961ea869a1eda85083163"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/03_bonus_pretraining_on_gutenberg/pretraining_simple.py"}, "region": {"startLine": 141}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 65149, "scanner": "repobility-threat-engine", "fingerprint": "48201dc31b7b08d24715d816cf4ee432cc1923c5b93cd4ef829cc52d42946185", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(src", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|48201dc31b7b08d24715d816cf4ee432cc1923c5b93cd4ef829cc52d42946185"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/llms_from_scratch/utils.py"}, "region": {"startLine": 149}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 65148, "scanner": "repobility-threat-engine", "fingerprint": "1d39c604da0b9bcb7f318ad1aa07362bed045c06369305e9a9081f7cca73a70c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(cell", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1d39c604da0b9bcb7f318ad1aa07362bed045c06369305e9a9081f7cca73a70c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/05_bpe-from-scratch/tests.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 65144, "scanner": "repobility-threat-engine", "fingerprint": "09960e4e712325ffe488799f9cb61bd3962250246369b7b379df954cbd232863", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "print(f\"Expected Tokens: {expected_tokens}\")", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|14|print f expected tokens: expected_tokens"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/05_bpe-from-scratch/tests.py"}, "region": {"startLine": 146}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 65142, "scanner": "repobility-threat-engine", "fingerprint": "11f141800b53b16d025ed5c60326464ac8cf7574338dd2ebf28f043eb57f2400", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "BASE_CONFIG.update(model_configs[CHOOSE_MODEL])", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|11f141800b53b16d025ed5c60326464ac8cf7574338dd2ebf28f043eb57f2400"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/01_main-chapter-code/gpt_generate.py"}, "region": {"startLine": 296}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 65141, "scanner": "repobility-threat-engine", "fingerprint": "6de399d3139f4fa4ef340c1cf7138f594bf8b6169cbb786da115e198f95f6161", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "plt.rcParams.update({\"font.size\": 9})", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6de399d3139f4fa4ef340c1cf7138f594bf8b6169cbb786da115e198f95f6161"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/plot_memory_estimates_kv_sharing.py"}, "region": {"startLine": 162}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 65140, "scanner": "repobility-threat-engine", "fingerprint": "22f3aadba0d4119a10fa1f18ec243f224c9934327c182c4a20d3025d5908e8d7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pbar.update(chunk_size)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|22f3aadba0d4119a10fa1f18ec243f224c9934327c182c4a20d3025d5908e8d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/bpe_openai_gpt2.py"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows every error and hides bugs; a bare except: additionally catches KeyboardInterrupt and SystemExit."}, "properties": {"repobilityId": 65130, "scanner": "repobility-threat-engine", "fingerprint": "de684682f5fd7a4c3d01b85e24a880ca3784e412b179f5ae84c9c22e6500327d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de684682f5fd7a4c3d01b85e24a880ca3784e412b179f5ae84c9c22e6500327d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch06/01_main-chapter-code/gpt_download.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED001", 
"level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows every error and hides bugs; a bare except: additionally catches KeyboardInterrupt and SystemExit."}, "properties": {"repobilityId": 65129, "scanner": "repobility-threat-engine", "fingerprint": "a62797815440163a0c460996765de3f242983eb5140fa557f5f958c1c4e52152", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a62797815440163a0c460996765de3f242983eb5140fa557f5f958c1c4e52152"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/01_main-chapter-code/gpt_download.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows every error and hides bugs; a bare except: additionally catches KeyboardInterrupt and SystemExit."}, "properties": {"repobilityId": 65128, "scanner": "repobility-threat-engine", "fingerprint": "9b4e7409751ba6c6f740c9035c0a6217a9172ac502f258566315e90539709ba8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|9b4e7409751ba6c6f740c9035c0a6217a9172ac502f258566315e90539709ba8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appendix-E/01_main-chapter-code/gpt_download.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 65126, "scanner": "repobility-threat-engine", "fingerprint": "50bf87144db93619bf07a6c3128da0f30a3cc1160e47c6f0c2e51631af274399", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(model_dir, \"hparams", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|56|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/01_main-chapter-code/gpt_generate.py"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 65125, "scanner": "repobility-threat-engine", "fingerprint": "84484461e44bd332a652c303c3120ec59c5953d6d61b677664540eb3cc8e4d22", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(model_dir, \"hparams", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|42|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/01_main-chapter-code/gpt_download.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 65124, "scanner": "repobility-threat-engine", "fingerprint": "5bcf1687aa76e5ad592f5e0ca497b77884c24c34c30ce8f24f03ddbc15d1fee9", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(model_dir, \"hparams", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|41|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appendix-E/01_main-chapter-code/gpt_download.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 65120, "scanner": "repobility-threat-engine", "fingerprint": "13e50975ad263fce51c66f33e4b934d719789d91a51400ac59597ab265a387ea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|13e50975ad263fce51c66f33e4b934d719789d91a51400ac59597ab265a387ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/bpe_openai_gpt2.py"}, "region": {"startLine": 156}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 65118, "scanner": "repobility-threat-engine", "fingerprint": "17dd3c675c4c0675c36ec2a1ad9b894b585453ec09dbdc2f7d8298fbf7b6f3ec", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(download_url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|17dd3c675c4c0675c36ec2a1ad9b894b585453ec09dbdc2f7d8298fbf7b6f3ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch06/01_main-chapter-code/gpt_download.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 65117, "scanner": "repobility-threat-engine", "fingerprint": "ff23bf88773d8b26c67437518d869f7bbca093c89ac8aeedade66b9d5bc24e07", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(download_url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ff23bf88773d8b26c67437518d869f7bbca093c89ac8aeedade66b9d5bc24e07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/01_main-chapter-code/gpt_download.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 65116, "scanner": "repobility-threat-engine", "fingerprint": "c3d382e6369b80f4199738e17e9a698d493b81ceba5654230e0285179e3bfb96", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(download_url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c3d382e6369b80f4199738e17e9a698d493b81ceba5654230e0285179e3bfb96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appendix-E/01_main-chapter-code/gpt_download.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 65114, "scanner": "repobility-threat-engine", "fingerprint": "c07c07cad469274fe1ac19c75776ddfe26a4771d9940317de2193087980a5ea9", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "os.path.join(model_dir, \"hparams", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|56|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/01_main-chapter-code/gpt_generate.py"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 65113, "scanner": "repobility-threat-engine", "fingerprint": "dc87e64ac2508feda13fa758d0efc79f17c9f560c466e24d3d59daf4438d732e", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "os.path.join(model_dir, \"hparams", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|42|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/01_main-chapter-code/gpt_download.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 65112, "scanner": "repobility-threat-engine", "fingerprint": "038e8e468bde5db024f877a391478406d9731d621f61cdb649c3b4b4dc5c35ee", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "os.path.join(model_dir, \"hparams", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|41|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "appendix-E/01_main-chapter-code/gpt_download.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 65069, "scanner": "repobility-supply-chain", "fingerprint": "b5133f8523efa6497a2c47c9f7c671e9110a409fc5dab860098412aec5ac23d5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b5133f8523efa6497a2c47c9f7c671e9110a409fc5dab860098412aec5ac23d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-pytorch-rc.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 65068, "scanner": "repobility-supply-chain", "fingerprint": "e8e08ab8ad2c83e269e27abf344e25ca74c578e0798c040a5642255aa899b8ab", "category": "dependency", "severity": "high", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e8e08ab8ad2c83e269e27abf344e25ca74c578e0798c040a5642255aa899b8ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-pytorch-rc.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 65067, "scanner": "repobility-supply-chain", "fingerprint": "e0b3f3e7f781057686b16e3035eecc4722360872737238ea3bf5aeed6847082c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e0b3f3e7f781057686b16e3035eecc4722360872737238ea3bf5aeed6847082c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-macos-uv.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 65066, "scanner": "repobility-supply-chain", "fingerprint": "8d934876f70d3666dc14df37e3ee8d7ba20496cc3f2963fe450d023124dbd4bf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", 
"correlation_key": "fp|8d934876f70d3666dc14df37e3ee8d7ba20496cc3f2963fe450d023124dbd4bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-macos-uv.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/github-script` pinned to mutable ref `@v8`"}, "properties": {"repobilityId": 65065, "scanner": "repobility-supply-chain", "fingerprint": "a21c0fbc14564e4d8fba2e1fa01ee7ecd1e9c44ff3045b2069e2d911eede19ec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a21c0fbc14564e4d8fba2e1fa01ee7ecd1e9c44ff3045b2069e2d911eede19ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/required-checks.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 65064, "scanner": "repobility-supply-chain", "fingerprint": "70a7deda171d3fbabb907b6500e2c0d5f1a93da3f34b75c15f20b7e2a0740267", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|70a7deda171d3fbabb907b6500e2c0d5f1a93da3f34b75c15f20b7e2a0740267"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-pip.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": 
"Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 65063, "scanner": "repobility-supply-chain", "fingerprint": "6809db49a7a3d7724f8689865f5d8ce393f0e151de5ea0e03232a688b8c6b346", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6809db49a7a3d7724f8689865f5d8ce393f0e151de5ea0e03232a688b8c6b346"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-pip.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 65062, "scanner": "repobility-supply-chain", "fingerprint": "b8003a81381e95b376bb07b4c338a049b1e399933d03b9bd610c953a3c9fa296", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b8003a81381e95b376bb07b4c338a049b1e399933d03b9bd610c953a3c9fa296"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-windows-uv-pip.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 65061, "scanner": "repobility-supply-chain", "fingerprint": "480a78b29280f371c014be0eb531d692627dcedde71249e215c641f4171d6f9a", "category": "dependency", "severity": "high", "confidence": 0.9, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|480a78b29280f371c014be0eb531d692627dcedde71249e215c641f4171d6f9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-windows-uv-pip.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 65060, "scanner": "repobility-supply-chain", "fingerprint": "5f6db02deec4c181b22741bbaff85967a8706fc16a664e8c4e8f9440a263c662", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5f6db02deec4c181b22741bbaff85967a8706fc16a664e8c4e8f9440a263c662"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-spelling-errors.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 65059, "scanner": "repobility-supply-chain", "fingerprint": "ca4bfedb31294f54ce07e2c66a49419f81aaac4f6fa6787ed2ca3d3c83366a0c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", 
"correlation_key": "fp|ca4bfedb31294f54ce07e2c66a49419f81aaac4f6fa6787ed2ca3d3c83366a0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-spelling-errors.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 65058, "scanner": "repobility-supply-chain", "fingerprint": "276fee25613c2249da6f7bb3f3c81b488473c13d0bce36f6a23515a7a4ee0715", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|276fee25613c2249da6f7bb3f3c81b488473c13d0bce36f6a23515a7a4ee0715"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pep8-linter.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 65057, "scanner": "repobility-supply-chain", "fingerprint": "af13023b5461791fa4a16f49f71a8ff9e5aea10f0e6f478ba6f9495ce8f64cbc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|af13023b5461791fa4a16f49f71a8ff9e5aea10f0e6f478ba6f9495ce8f64cbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pep8-linter.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action 
`actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 65056, "scanner": "repobility-supply-chain", "fingerprint": "4d4f0f7e5adae92226f43c25509e86ac5fa4d9ae12a6c2e413f469db38c5deb6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4d4f0f7e5adae92226f43c25509e86ac5fa4d9ae12a6c2e413f469db38c5deb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-links.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 65055, "scanner": "repobility-supply-chain", "fingerprint": "ff8f74c234fb96761ebbd93a50f8adc438b6645c54bb1e60ac62dbb0b358e744", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ff8f74c234fb96761ebbd93a50f8adc438b6645c54bb1e60ac62dbb0b358e744"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-links.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 65054, "scanner": "repobility-supply-chain", "fingerprint": "e2da3fae83b94580824c779f9a1f95278f660f40432f21e9413a4b4957f46841", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": 
"", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2da3fae83b94580824c779f9a1f95278f660f40432f21e9413a4b4957f46841"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-linux-uv.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 65053, "scanner": "repobility-supply-chain", "fingerprint": "8f70283261fa1b8bd5424a9e95e95ea9f2defa08367c0ad3f92d9d0424c12ec8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8f70283261fa1b8bd5424a9e95e95ea9f2defa08367c0ad3f92d9d0424c12ec8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-linux-uv.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 65052, "scanner": "repobility-supply-chain", "fingerprint": "9ed70072c454c7b94f00f95e5dea23499fbd805f1caba393522b10c7d8b17931", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|9ed70072c454c7b94f00f95e5dea23499fbd805f1caba393522b10c7d8b17931"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-pixi.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 65051, "scanner": "repobility-supply-chain", "fingerprint": "7dd0d4e388120fdb2bd07bf954f2f09c993818d18ead5f8f73fbc2a8a05d2573", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7dd0d4e388120fdb2bd07bf954f2f09c993818d18ead5f8f73fbc2a8a05d2573"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-latest-python.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 65050, "scanner": "repobility-supply-chain", "fingerprint": "9b98043cdca14c3ccf18cf33c965276ae36641d7ef8299914ce4e4eaf0b76f16", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9b98043cdca14c3ccf18cf33c965276ae36641d7ef8299914ce4e4eaf0b76f16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-latest-python.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action 
`actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 65049, "scanner": "repobility-supply-chain", "fingerprint": "bccc2a02585f956c64f321483626fcbbd2dfb5febe53d77f8c595c132fc8bf55", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bccc2a02585f956c64f321483626fcbbd2dfb5febe53d77f8c595c132fc8bf55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-old-pytorch.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 65048, "scanner": "repobility-supply-chain", "fingerprint": "41801e23ebc092bb84afade94d701aafdd2dff4352743e4e6bdb2a023ff04558", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|41801e23ebc092bb84afade94d701aafdd2dff4352743e4e6bdb2a023ff04558"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/basic-tests-old-pytorch.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "Dockerfile `ADD https://astral.sh/uv/install.sh`"}, "properties": {"repobilityId": 65047, "scanner": "repobility-supply-chain", "fingerprint": "d15e5c9641bfb26621d108d087e74677b90a072498fc2f639809c6abf3ddd4b6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d15e5c9641bfb26621d108d087e74677b90a072498fc2f639809c6abf3ddd4b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup/03_optional-docker-environment/.devcontainer/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `pytorch/pytorch:2.5.0-cuda12.4-cudnn9-runtime` not pinned by digest"}, "properties": {"repobilityId": 65046, "scanner": "repobility-supply-chain", "fingerprint": "468b90b5bf34d74e47e760f6fdfb8a25695ae9b09ae277903ecfaef197f1db55", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|468b90b5bf34d74e47e760f6fdfb8a25695ae9b09ae277903ecfaef197f1db55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup/03_optional-docker-environment/.devcontainer/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_dataloader"}, "properties": {"repobilityId": 65043, "scanner": "repobility-ast-engine", "fingerprint": "a872f173b572b3c1113b92fa95a23c3e899ca0537926597448f253eccf99263c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 
982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a872f173b572b3c1113b92fa95a23c3e899ca0537926597448f253eccf99263c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/llms_from_scratch/tests/test_generate.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_llama3_base_equivalence_with_transformers"}, "properties": {"repobilityId": 65042, "scanner": "repobility-ast-engine", "fingerprint": "fba451aff0133ba303967d3af59ee3751abd0867100f656cdd6ece8c0211ba81", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fba451aff0133ba303967d3af59ee3751abd0867100f656cdd6ece8c0211ba81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/llms_from_scratch/tests/test_llama3.py"}, "region": {"startLine": 273}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_rmsnorm_equivalence"}, "properties": {"repobilityId": 65041, "scanner": "repobility-ast-engine", "fingerprint": "b19c41dfb22a6c1856c72cb2bd1ffccaaa43f15670e818b343dd742f42029b6d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b19c41dfb22a6c1856c72cb2bd1ffccaaa43f15670e818b343dd742f42029b6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/llms_from_scratch/tests/test_llama3.py"}, "region": {"startLine": 249}}}]}, 
{"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_rope"}, "properties": {"repobilityId": 65040, "scanner": "repobility-ast-engine", "fingerprint": "95f8f1a45ce537e29b2834edd41b585ac4e344d2d7bf3bc9813bdf6d4e26aa99", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|95f8f1a45ce537e29b2834edd41b585ac4e344d2d7bf3bc9813bdf6d4e26aa99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/llms_from_scratch/tests/test_llama3.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_mha"}, "properties": {"repobilityId": 65039, "scanner": "repobility-ast-engine", "fingerprint": "a4e5c8b5525b8a13dbfaea4dcc9bd1fad27ffea6f3d4b754ab74f3f40ebe45eb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a4e5c8b5525b8a13dbfaea4dcc9bd1fad27ffea6f3d4b754ab74f3f40ebe45eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/llms_from_scratch/tests/test_ch03.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_qwen3_base_equivalence_with_transformers"}, "properties": {"repobilityId": 65037, "scanner": "repobility-ast-engine", "fingerprint": "f7a0c4430c124970a4f99ee2f6b2602c03bc96e39321a43592d6f3b7b1fa0a8d", "category": "quality", "severity": "high", 
"confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f7a0c4430c124970a4f99ee2f6b2602c03bc96e39321a43592d6f3b7b1fa0a8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/llms_from_scratch/tests/test_qwen3.py"}, "region": {"startLine": 764}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_rmsnorm_equivalence"}, "properties": {"repobilityId": 65036, "scanner": "repobility-ast-engine", "fingerprint": "95f3a9ea64f151b6cb398b46c802bd66c8cdd6b7e6c2150c2a938413ebf89ff8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|95f3a9ea64f151b6cb398b46c802bd66c8cdd6b7e6c2150c2a938413ebf89ff8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/llms_from_scratch/tests/test_qwen3.py"}, "region": {"startLine": 444}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_moe_forward_matches_reference"}, "properties": {"repobilityId": 65035, "scanner": "repobility-ast-engine", "fingerprint": "55b182a49dba36ac89cf48c50d2be9b570b69079de53bdba93e1eb69ff42182d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", 
"correlation_key": "fp|55b182a49dba36ac89cf48c50d2be9b570b69079de53bdba93e1eb69ff42182d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/llms_from_scratch/tests/test_qwen3.py"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_tiny_aya_base_equivalence_with_transformers"}, "properties": {"repobilityId": 65031, "scanner": "repobility-ast-engine", "fingerprint": "82c3ac69d49e41af2f44fd65c9216f53bdd36acb2279e230461e98aa637e05d1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|82c3ac69d49e41af2f44fd65c9216f53bdd36acb2279e230461e98aa637e05d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/15_tiny-aya/tests/test_tiny_aya_nb.py"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_tiny_aya_base_equivalence_with_transformers"}, "properties": {"repobilityId": 65030, "scanner": "repobility-ast-engine", "fingerprint": "92fe5010b638d3c96382e14db5ccae72db5e475baf562fc1b9c7b106ca907a77", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|92fe5010b638d3c96382e14db5ccae72db5e475baf562fc1b9c7b106ca907a77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/15_tiny-aya/tests/test_tiny_aya_kvcache_nb.py"}, "region": {"startLine": 65}}}]}, {"ruleId": 
"MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_gemma4_equivalence_with_transformers"}, "properties": {"repobilityId": 65025, "scanner": "repobility-ast-engine", "fingerprint": "a961677f66d2c4255678527e7d9b1ec03d4bbd603deaf77502da259bdde0047a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a961677f66d2c4255678527e7d9b1ec03d4bbd603deaf77502da259bdde0047a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/17_gemma4/tests/test_gemma4_nb.py"}, "region": {"startLine": 197}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_gemma3_base_equivalence_with_transformers"}, "properties": {"repobilityId": 65024, "scanner": "repobility-ast-engine", "fingerprint": "11bd07bc3524f2b87b6bf338c3e73eb1e5915e2af21fa503599bba95942c6b31", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|11bd07bc3524f2b87b6bf338c3e73eb1e5915e2af21fa503599bba95942c6b31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/12_gemma3/tests/test_gemma3_nb.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_gemma3_base_equivalence_with_transformers"}, "properties": {"repobilityId": 65023, "scanner": "repobility-ast-engine", "fingerprint": 
"2a02af46fbdbc80996da613a1ad4959bd94d620a27c54cedf479c03cca260f06", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2a02af46fbdbc80996da613a1ad4959bd94d620a27c54cedf479c03cca260f06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/12_gemma3/tests/test_gemma3_kv_nb.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_qwen3_5_base_equivalence_with_transformers"}, "properties": {"repobilityId": 65020, "scanner": "repobility-ast-engine", "fingerprint": "ca9153ca5bf4fa5a330b8d40a96005bbdab0104f3c68497f012e84fe568c472a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ca9153ca5bf4fa5a330b8d40a96005bbdab0104f3c68497f012e84fe568c472a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/16_qwen3.5/tests/test_qwen3_5_nb.py"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_qwen3_base_equivalence_with_transformers"}, "properties": {"repobilityId": 65017, "scanner": "repobility-ast-engine", "fingerprint": "780e3c6a6e96672ac31ef491174c30246228c1f3360c9b15dd59e132c65bb72a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|780e3c6a6e96672ac31ef491174c30246228c1f3360c9b15dd59e132c65bb72a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/11_qwen3/tests/test_qwen3_nb.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_qwen3_base_equivalence_with_transformers"}, "properties": {"repobilityId": 65016, "scanner": "repobility-ast-engine", "fingerprint": "e2c275c9a202cc84e16c206c1c2828912b32f2f7ad2c083fb1ed9e4b237493c0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e2c275c9a202cc84e16c206c1c2828912b32f2f7ad2c083fb1ed9e4b237493c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/11_qwen3/tests/test_qwen3_kvcache_nb.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_olmo3_base_equivalence_with_transformers"}, "properties": {"repobilityId": 65015, "scanner": "repobility-ast-engine", "fingerprint": "71d3621273cbcc63e857376b7318eb0059759244a7e93a2076ee8745d1304286", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|71d3621273cbcc63e857376b7318eb0059759244a7e93a2076ee8745d1304286"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "ch05/13_olmo3/tests/test_olmo3_kvcache_nb.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_olmo3_base_equivalence_with_transformers"}, "properties": {"repobilityId": 65014, "scanner": "repobility-ast-engine", "fingerprint": "ab89a461727b989c3fb828427154f554e74d8dc59207cf62b1badfed0f734e08", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ab89a461727b989c3fb828427154f554e74d8dc59207cf62b1badfed0f734e08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/13_olmo3/tests/test_olmo3_nb.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_rope_llama3_12"}, "properties": {"repobilityId": 65013, "scanner": "repobility-ast-engine", "fingerprint": "03018fc9900ca8ddc8203ad72c89f2a6ced3cde327c10dc7977caa5a9557e89f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|03018fc9900ca8ddc8203ad72c89f2a6ced3cde327c10dc7977caa5a9557e89f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/07_gpt_to_llama/tests/tests_rope_and_parts.py"}, "region": {"startLine": 277}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_rope_llama3"}, "properties": {"repobilityId": 65012, "scanner": 
"repobility-ast-engine", "fingerprint": "4c4ff038fdfddaa68a7a4cf1e30d41af176508220ae313776016ab57309eb348", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4c4ff038fdfddaa68a7a4cf1e30d41af176508220ae313776016ab57309eb348"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/07_gpt_to_llama/tests/tests_rope_and_parts.py"}, "region": {"startLine": 207}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_rope_llama2"}, "properties": {"repobilityId": 65011, "scanner": "repobility-ast-engine", "fingerprint": "9d1d99b61fdf43f82b02486f89ea928d71c9ed1193efe6e21ed50ad19b150bef", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9d1d99b61fdf43f82b02486f89ea928d71c9ed1193efe6e21ed50ad19b150bef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/07_gpt_to_llama/tests/tests_rope_and_parts.py"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_llama3_base_equivalence_with_transformers"}, "properties": {"repobilityId": 65010, "scanner": "repobility-ast-engine", "fingerprint": "c9f69da673f3f2a37c23d5f616c2ecc6c3a430aa08446430014bab211b534848", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, 
"mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c9f69da673f3f2a37c23d5f616c2ecc6c3a430aa08446430014bab211b534848"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/07_gpt_to_llama/tests/test_llama32_nb.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_topk_full_equals_dense"}, "properties": {"repobilityId": 65007, "scanner": "repobility-ast-engine", "fingerprint": "39b2869bb2e1999a79e01493c83a0d73f5fd6e2941ea41b21592e84b8327c150", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|39b2869bb2e1999a79e01493c83a0d73f5fd6e2941ea41b21592e84b8327c150"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/09_dsa/test_dsa.py"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_causal_property"}, "properties": {"repobilityId": 65006, "scanner": "repobility-ast-engine", "fingerprint": "913bf50ecbe6e89b2920cdeb3f98029511c6dc49227df2874c9a2afd5673ad1c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|913bf50ecbe6e89b2920cdeb3f98029511c6dc49227df2874c9a2afd5673ad1c"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "ch04/09_dsa/test_dsa.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_context_overflow_bug"}, "properties": {"repobilityId": 65005, "scanner": "repobility-ast-engine", "fingerprint": "bedacaa0b538d17c1a70db2014e04de10e54e5fa410d32b7f8d841f47cf0885e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bedacaa0b538d17c1a70db2014e04de10e54e5fa410d32b7f8d841f47cf0885e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/03_kv-cache/tests.py"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cache_k` used but never assigned in __init__"}, "properties": {"repobilityId": 65004, "scanner": "repobility-ast-engine", "fingerprint": "75bfc626d0b99c63b8c75a1cdaa705d4681c49f751939f6598194fe6600e4f2b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|75bfc626d0b99c63b8c75a1cdaa705d4681c49f751939f6598194fe6600e4f2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/03_kv-cache/gpt_with_kv_cache.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cache_v` used but never assigned in __init__"}, "properties": {"repobilityId": 65003, "scanner": "repobility-ast-engine", "fingerprint": 
"7e0f6a98368e3b6c1072e84c75f9a1b613112915c282ad8691bd151eb2bdc659", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7e0f6a98368e3b6c1072e84c75f9a1b613112915c282ad8691bd151eb2bdc659"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/gpt_with_kv_sharing.py"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cache_k` used but never assigned in __init__"}, "properties": {"repobilityId": 65002, "scanner": "repobility-ast-engine", "fingerprint": "62814edfb6a59a5e2f9ada21ce91275a0c96eb0611c7c63b56619a6195ffaece", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|62814edfb6a59a5e2f9ada21ce91275a0c96eb0611c7c63b56619a6195ffaece"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/gpt_with_kv_sharing.py"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.reset_cache` used but never assigned in __init__"}, "properties": {"repobilityId": 65001, "scanner": "repobility-ast-engine", "fingerprint": "2084700b15df6b2391dc84c5ce8ae5eae0c2d215ade176f04fd62fc51b4c1cc5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": 
["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2084700b15df6b2391dc84c5ce8ae5eae0c2d215ade176f04fd62fc51b4c1cc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/gpt_with_kv_sharing.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cache_v` used but never assigned in __init__"}, "properties": {"repobilityId": 65000, "scanner": "repobility-ast-engine", "fingerprint": "d127433935cf7ed072aa6647b463eaefda159b5d491292a19f7f73e15d8cb702", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d127433935cf7ed072aa6647b463eaefda159b5d491292a19f7f73e15d8cb702"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/gpt_with_kv_sharing.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cache_k` used but never assigned in __init__"}, "properties": {"repobilityId": 64999, "scanner": "repobility-ast-engine", "fingerprint": "b38e0edaeb5e87ac64b2dd4647bacaee7ec3321a966842cc9a19ba894c86effc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b38e0edaeb5e87ac64b2dd4647bacaee7ec3321a966842cc9a19ba894c86effc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/gpt_with_kv_sharing.py"}, 
"region": {"startLine": 69}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cache_v` used but never assigned in __init__"}, "properties": {"repobilityId": 64998, "scanner": "repobility-ast-engine", "fingerprint": "fb93dde66e8da936535e4d19477c3ff0ae977d7eaa619c93cd267a304af962fb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fb93dde66e8da936535e4d19477c3ff0ae977d7eaa619c93cd267a304af962fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/gpt_with_kv_sharing.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cache_k` used but never assigned in __init__"}, "properties": {"repobilityId": 64997, "scanner": "repobility-ast-engine", "fingerprint": "2ead059275c0885a2b17cb8e81b2e3be84f625f664fc21d14e8d4b3235f003c8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2ead059275c0885a2b17cb8e81b2e3be84f625f664fc21d14e8d4b3235f003c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/gpt_with_kv_sharing.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cache_v` used but never assigned in __init__"}, "properties": {"repobilityId": 64996, "scanner": "repobility-ast-engine", "fingerprint": "9981eb60958c5c6c136288426904cc5e7cef1caa39aa8aa0611bc9edb7c2a139", 
"category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9981eb60958c5c6c136288426904cc5e7cef1caa39aa8aa0611bc9edb7c2a139"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/gpt_with_kv_sharing.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cache_k` used but never assigned in __init__"}, "properties": {"repobilityId": 64995, "scanner": "repobility-ast-engine", "fingerprint": "5de6cec5b081974251d92966f6758b77d5b2fba75e63e8339946315da12286ea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5de6cec5b081974251d92966f6758b77d5b2fba75e63e8339946315da12286ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/gpt_with_kv_sharing.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cache_v` used but never assigned in __init__"}, "properties": {"repobilityId": 64994, "scanner": "repobility-ast-engine", "fingerprint": "211bd126658562dc89860f6622c5ae4e53cafb77b61898924d988bb51b612b56", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": 
"repobility-ast-engine", "correlation_key": "fp|211bd126658562dc89860f6622c5ae4e53cafb77b61898924d988bb51b612b56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/gpt_with_kv_sharing.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cache_k` used but never assigned in __init__"}, "properties": {"repobilityId": 64993, "scanner": "repobility-ast-engine", "fingerprint": "11bfeb3ac19c6c2886ac65cebab444b2b408a4ae422083da4830a839d939e32c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|11bfeb3ac19c6c2886ac65cebab444b2b408a4ae422083da4830a839d939e32c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/gpt_with_kv_sharing.py"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cache_k` used but never assigned in __init__"}, "properties": {"repobilityId": 64992, "scanner": "repobility-ast-engine", "fingerprint": "3830ef513b5306d1cc04b783496e2193540dadbcd078e929cd6d8e1207cab8eb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3830ef513b5306d1cc04b783496e2193540dadbcd078e929cd6d8e1207cab8eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/gpt_with_kv_sharing.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED108", "level": "error", "message": 
{"text": "`self.cache_v` used but never assigned in __init__"}, "properties": {"repobilityId": 64991, "scanner": "repobility-ast-engine", "fingerprint": "d4c970b2e76d06efadaecf57f97c0960486c6fd9f5f3ed725891552abec03930", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d4c970b2e76d06efadaecf57f97c0960486c6fd9f5f3ed725891552abec03930"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/gpt_with_kv_mha.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cache_k` used but never assigned in __init__"}, "properties": {"repobilityId": 64990, "scanner": "repobility-ast-engine", "fingerprint": "a46a5b3e704fe25cb9dc04ac312c2537f5c6bf321363576071a9084adde83c3e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a46a5b3e704fe25cb9dc04ac312c2537f5c6bf321363576071a9084adde83c3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/gpt_with_kv_mha.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cache_v` used but never assigned in __init__"}, "properties": {"repobilityId": 64989, "scanner": "repobility-ast-engine", "fingerprint": "176f86ed043a244ac1980a99c11841551e8de8662a966175690e99952743d5f5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": 
"", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|176f86ed043a244ac1980a99c11841551e8de8662a966175690e99952743d5f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/gpt_with_kv_mha.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cache_k` used but never assigned in __init__"}, "properties": {"repobilityId": 64988, "scanner": "repobility-ast-engine", "fingerprint": "b3c6c76affc025a0ca05d10ac9b3bd250bf3ea4e06a69536f4c3c924937b7a02", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b3c6c76affc025a0ca05d10ac9b3bd250bf3ea4e06a69536f4c3c924937b7a02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/gpt_with_kv_mha.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cache_v` used but never assigned in __init__"}, "properties": {"repobilityId": 64987, "scanner": "repobility-ast-engine", "fingerprint": "f8a9da676f0a5d0f49c848cd6ed0bf6e439c7d7a8a11737a7ee46043d719f706", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|f8a9da676f0a5d0f49c848cd6ed0bf6e439c7d7a8a11737a7ee46043d719f706"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/gpt_with_kv_mha.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cache_k` used but never assigned in __init__"}, "properties": {"repobilityId": 64986, "scanner": "repobility-ast-engine", "fingerprint": "415fe5d4f9540b8dd101e60c819f4642654498b8316501cae275bd89aefc027a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|415fe5d4f9540b8dd101e60c819f4642654498b8316501cae275bd89aefc027a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/gpt_with_kv_mha.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cache_v` used but never assigned in __init__"}, "properties": {"repobilityId": 64985, "scanner": "repobility-ast-engine", "fingerprint": "fcb0a377fb168bfcc1075a17b2403afb018e3d93e0507eda58cd520b9e5119cb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fcb0a377fb168bfcc1075a17b2403afb018e3d93e0507eda58cd520b9e5119cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/gpt_with_kv_mha.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cache_k` used but never assigned in 
__init__"}, "properties": {"repobilityId": 64984, "scanner": "repobility-ast-engine", "fingerprint": "767c86f385a6008bafc65558fe76d55f8c6408eaa8cd254705cd1ffbc6d0c11b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|767c86f385a6008bafc65558fe76d55f8c6408eaa8cd254705cd1ffbc6d0c11b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/gpt_with_kv_mha.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cache_k` used but never assigned in __init__"}, "properties": {"repobilityId": 64983, "scanner": "repobility-ast-engine", "fingerprint": "5e85d70c4740e64adb33b184e5a53c2c43d4e36a85c29b91c0a60aa62a42672f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5e85d70c4740e64adb33b184e5a53c2c43d4e36a85c29b91c0a60aa62a42672f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch04/10_kv-sharing/gpt_with_kv_mha.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.mask` used but never assigned in __init__"}, "properties": {"repobilityId": 64982, "scanner": "repobility-ast-engine", "fingerprint": "4bb47e81f49f41dff30fba75244099251bf15814e4c87a8576ff90caa3c9d05a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4bb47e81f49f41dff30fba75244099251bf15814e4c87a8576ff90caa3c9d05a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch06/03_bonus_imdb-classification/previous_chapters.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.mask` used but never assigned in __init__"}, "properties": {"repobilityId": 64979, "scanner": "repobility-ast-engine", "fingerprint": "4fc8f18fe87f24845a57f6af621c254902940f1ecde80b9e660b76176a0193f1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4fc8f18fe87f24845a57f6af621c254902940f1ecde80b9e660b76176a0193f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch06/01_main-chapter-code/previous_chapters.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.mask` used but never assigned in __init__"}, "properties": {"repobilityId": 64977, "scanner": "repobility-ast-engine", "fingerprint": "1da118af609271853763a09d684233e27e3a1db5cff5be641c59f7c048c35617", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1da118af609271853763a09d684233e27e3a1db5cff5be641c59f7c048c35617"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "ch06/02_bonus_additional-experiments/previous_chapters.py"}, "region": {"startLine": 103}}}]}, {"ruleId": "GHSA-53q9-r3pm-6pq6", "level": "error", "message": {"text": "torch: GHSA-53q9-r3pm-6pq6"}, "properties": {"repobilityId": 65224, "scanner": "osv-scanner", "fingerprint": "cb163eabe6e98659ffce79dfb3881c9ec1fe645b8efd9f6920204fd4cc2a6d9c", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["BIT-pytorch-2025-32434", "CVE-2025-32434", "PYSEC-2025-41"], "package": "torch", "rule_id": "GHSA-53q9-r3pm-6pq6", "scanner": "osv-scanner", "correlation_key": "vuln|torch|CVE-2025-32434|requirements.txt", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-53q9-r3pm-6pq6", "PYSEC-2025-41"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["b4d68872de2f1e9e465cf9cff0cd126ed1b47e6daeff655e5c62251a55d18f75", "cb163eabe6e98659ffce79dfb3881c9ec1fe645b8efd9f6920204fd4cc2a6d9c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3863-2447-669p", "level": "error", "message": {"text": "transformers: GHSA-3863-2447-669p"}, "properties": {"repobilityId": 65175, "scanner": "osv-scanner", "fingerprint": "25e7ea9e95f8498de77f0e247c6c165e4d78b1b50cd6a4c38bcf5a28b297e873", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2023-6730", "PYSEC-2023-300"], "package": "transformers", "rule_id": "GHSA-3863-2447-669p", "scanner": "osv-scanner", "correlation_key": "vuln|transformers|CVE-2023-6730|token", "duplicate_count": 3, "duplicate_rule_ids": 
["GHSA-3863-2447-669p", "PYSEC-2023-300"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["18edbf8108bfb58c439682d82a4b02dee7cccfaee5804631f295b74b799c9769", "25e7ea9e95f8498de77f0e247c6c165e4d78b1b50cd6a4c38bcf5a28b297e873", "78991badda5563f53714a9e85d083943d0d870e4efe4fc2091c1d8dc73d66f8b", "ab7a4608e25cb30fc09e842771b53d39bac6b228cbfdda5fa8d01362d1e68f8c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch02/02_bonus_bytepair-encoder/requirements-extra.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 65174, "scanner": "gitleaks", "fingerprint": "5eb373d8c74bad295eabf35e2d0bfe9c4ea0f93a7a4d608fe2a3e315b2f86b20", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "tokens is a 50,REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|30|tokens is a 50 redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ch05/01_main-chapter-code/ch05.ipynb"}, "region": {"startLine": 305}}}]}]}]}