{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED109", "name": "[MINED109] Mutable default argument in `http_request` (dict): `def http_request(... = []/{}/set())` \u2014 Python's default v", "shortDescription": {"text": "[MINED109] Mutable default argument in `http_request` (dict): `def http_request(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for"}, "fullDescription": {"text": "Use None as the default and create the collection inside the function: `def http_request(x=None): x = x or []`"}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC014", "name": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.", "shortDescription": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "fullDescription": {"text": "Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC127", "name": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedEr", "shortDescription": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or "}, "fullDescription": {"text": "Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "Add regression tests for anonymous denial, cross-user object denial, admin role limits, and super_admin-only behavior."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `_normalize_dify_agent_error` has cognitive complexity 9 (SonarSource scal", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `_normalize_dify_agent_error` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, "}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 9."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED076", "name": "[MINED076] Catch And Reraise Noop: except X: raise X \u2014 adds no value, hides traceback if AI accidentally changes message", "shortDescription": {"text": "[MINED076] Catch And Reraise Noop: except X: raise X \u2014 adds no value, hides traceback if AI accidentally changes message."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 6 more): Same pattern found in 6 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED072", "name": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in.", "shortDescription": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 6 more): Same pattern found in 6 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "[MINED112] FastAPI POST /setup has no auth: Handler `setup_system` is registered with router/app.post(...) but no Depend", "shortDescription": {"text": "[MINED112] FastAPI POST /setup has no auth: Handler `setup_system` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "fullDescription": {"text": "Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self._convert_user_input_form` used but never assigned in __init__: Method `_get_user_input_form` of class `", "shortDescription": {"text": "[MINED108] `self._convert_user_input_form` used but never assigned in __init__: Method `_get_user_input_form` of class `MCPAppApi` reads `self._convert_user_input_form`, but no assignment to it exists in __init__ (and no class-level fallbac"}, "fullDescription": {"text": "Initialize `self._convert_user_input_form = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC030", "name": "[SEC030] Open Redirect \u2014 user-controlled redirect target: Redirect target is taken directly from user input without vali", "shortDescription": {"text": "[SEC030] Open Redirect \u2014 user-controlled redirect target: Redirect target is taken directly from user input without validating that the destination is local to the site. Attackers craft phishing URLs that appear to come from your domain but"}, "fullDescription": {"text": "Validate the redirect URL against an allowlist of safe destinations:\n  # Django:\n  from django.utils.http import url_has_allowed_host_and_scheme\n  if not url_has_allowed_host_and_scheme(url, allowed_hosts={request.get_host()}):\n      url = '/'  # safe default\nOr restrict to relative paths only: `if not url.startswith('/'): abort(400)`. Never accept external schemes without verification."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`", "shortDescription": {"text": "[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import email` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/730"}, "properties": {"repository": "langgenius/dify", "repoUrl": "https://github.com/langgenius/dify", "branch": "main"}, "results": [{"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `http_request` (dict): `def http_request(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 59578, "scanner": "repobility-ast-engine", "fingerprint": "8ab0c20dde6a83a335bd113af43d6a06147cefe860b7b839e4f2a45c0a2982f0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8ab0c20dde6a83a335bd113af43d6a06147cefe860b7b839e4f2a45c0a2982f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/remote_settings_sources/apollo/python_3x.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59552, "scanner": "repobility-ast-engine", "fingerprint": "0ed60f137bf1c54aa3492d722ac7773fc1deaf52b980484dfce7bb425cf7a6e4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0ed60f137bf1c54aa3492d722ac7773fc1deaf52b980484dfce7bb425cf7a6e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/vector.py"}, "region": {"startLine": 319}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59551, "scanner": "repobility-ast-engine", "fingerprint": "685d96e5a07f93606e4776e76db37f53a2ef5afee808ad4db5c6c8a2cf5edd21", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|685d96e5a07f93606e4776e76db37f53a2ef5afee808ad4db5c6c8a2cf5edd21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/vector.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59550, "scanner": "repobility-ast-engine", "fingerprint": "bcc9c04243a46907a35fe73b6a612b8e38d4e368c5eef8976c5cb2110c1ac7f9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bcc9c04243a46907a35fe73b6a612b8e38d4e368c5eef8976c5cb2110c1ac7f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/vector.py"}, "region": {"startLine": 391}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59549, "scanner": "repobility-ast-engine", "fingerprint": "a02dfaf5625c359e4209f811386af1be040f4fbf3f94645d9d4b3e47b62c26f4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a02dfaf5625c359e4209f811386af1be040f4fbf3f94645d9d4b3e47b62c26f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/plugin.py"}, "region": {"startLine": 377}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59548, "scanner": "repobility-ast-engine", "fingerprint": "907ebbe8ba915011825ed9423b97dfcd0dabd30dfc33e1f1ff5254c4c06da2d4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|907ebbe8ba915011825ed9423b97dfcd0dabd30dfc33e1f1ff5254c4c06da2d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/plugin.py"}, "region": {"startLine": 314}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59547, "scanner": "repobility-ast-engine", "fingerprint": "e6fc02a5417eef7b7c9766b3958d596e4f336e2d800c419d99d72c9961aded0a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e6fc02a5417eef7b7c9766b3958d596e4f336e2d800c419d99d72c9961aded0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/plugin.py"}, "region": {"startLine": 250}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59546, "scanner": "repobility-ast-engine", "fingerprint": "7da86aac235f01185c814d6d08c105ecbb5faef6f798eed9fda25e57cbfc0c10", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7da86aac235f01185c814d6d08c105ecbb5faef6f798eed9fda25e57cbfc0c10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/plugin.py"}, "region": {"startLine": 383}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59545, "scanner": "repobility-ast-engine", "fingerprint": "6e05559396222871d32e04b3a35526e97fa6d9744c4f43bef3d2195b30da38d3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6e05559396222871d32e04b3a35526e97fa6d9744c4f43bef3d2195b30da38d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/plugin.py"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59544, "scanner": "repobility-ast-engine", "fingerprint": "63ce534f62639b385d1511c8150135d10cbadcb016dd3b44eb27f80ff83a6b8f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|63ce534f62639b385d1511c8150135d10cbadcb016dd3b44eb27f80ff83a6b8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/plugin.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59543, "scanner": "repobility-ast-engine", "fingerprint": "e2ac6abf783bb41dfa2a4eda472beba7cef4d7fc7bb93892d21680ad5c5760d0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e2ac6abf783bb41dfa2a4eda472beba7cef4d7fc7bb93892d21680ad5c5760d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/plugin.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59542, "scanner": "repobility-ast-engine", "fingerprint": "ce9ae9c789bfc7c95c32dc1b3904d62ea001f12a9ace191c514006bc41165813", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ce9ae9c789bfc7c95c32dc1b3904d62ea001f12a9ace191c514006bc41165813"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/storage.py"}, "region": {"startLine": 680}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59541, "scanner": "repobility-ast-engine", "fingerprint": "b5992ffd7da46be2e8b7412e4086d0cd3b8ace923f7e500abce5353e62bb6042", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b5992ffd7da46be2e8b7412e4086d0cd3b8ace923f7e500abce5353e62bb6042"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/storage.py"}, "region": {"startLine": 759}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59540, "scanner": "repobility-ast-engine", "fingerprint": "882d8dc3d4961a4cce117da844ba4bc590ad847618f92910ad84beb8e99d6c9d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|882d8dc3d4961a4cce117da844ba4bc590ad847618f92910ad84beb8e99d6c9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/storage.py"}, "region": {"startLine": 711}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59539, "scanner": "repobility-ast-engine", "fingerprint": "ce1ea58d9d41bdec18fba9543158b3a498b00fc370428cc362e0bede4e1ecbbe", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ce1ea58d9d41bdec18fba9543158b3a498b00fc370428cc362e0bede4e1ecbbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/storage.py"}, "region": {"startLine": 701}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59538, "scanner": "repobility-ast-engine", "fingerprint": "71f027eff8ffbba07879c88997b365dcbf04728fafd959043eb1d958e48c6fe0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|71f027eff8ffbba07879c88997b365dcbf04728fafd959043eb1d958e48c6fe0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/storage.py"}, "region": {"startLine": 665}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59537, "scanner": "repobility-ast-engine", "fingerprint": "7ac77f93d8bdb5add8c2033fd923410995c5e3de69d465f77671cc29e4760b5a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7ac77f93d8bdb5add8c2033fd923410995c5e3de69d465f77671cc29e4760b5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/storage.py"}, "region": {"startLine": 343}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59536, "scanner": "repobility-ast-engine", "fingerprint": "ab39e8a11d128142d42cf81be150e6a8bff916be3bb14e1652328667eba5bf60", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ab39e8a11d128142d42cf81be150e6a8bff916be3bb14e1652328667eba5bf60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/storage.py"}, "region": {"startLine": 319}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59535, "scanner": "repobility-ast-engine", "fingerprint": "2661e09100ad56834fe315fd6b8fc6079069bce7f3861b397d7e5aca2e1a1ec4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2661e09100ad56834fe315fd6b8fc6079069bce7f3861b397d7e5aca2e1a1ec4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/storage.py"}, "region": {"startLine": 645}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59534, "scanner": "repobility-ast-engine", "fingerprint": "f7cac74754fee7d4d0645598e0bdc12c01332f4967190e8a4411e17ea38c2710", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f7cac74754fee7d4d0645598e0bdc12c01332f4967190e8a4411e17ea38c2710"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/storage.py"}, "region": {"startLine": 306}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59533, "scanner": "repobility-ast-engine", "fingerprint": "e272436de7e868cbc95f49141797a8c9b9375ee26e4a444a4e98c06867dbded6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e272436de7e868cbc95f49141797a8c9b9375ee26e4a444a4e98c06867dbded6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/storage.py"}, "region": {"startLine": 233}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59532, "scanner": "repobility-ast-engine", "fingerprint": "d08aa37402c4d7926be1613d135b797abf7ec4ce5addda8bc7ae574bf1de263b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d08aa37402c4d7926be1613d135b797abf7ec4ce5addda8bc7ae574bf1de263b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/storage.py"}, "region": {"startLine": 209}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59531, "scanner": "repobility-ast-engine", "fingerprint": "0c109c0adfeaedd8081d334b92003198a46aebf511bcb55e8e4923f4663573ce", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0c109c0adfeaedd8081d334b92003198a46aebf511bcb55e8e4923f4663573ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/storage.py"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59530, "scanner": "repobility-ast-engine", "fingerprint": "3c69677709ba6e41c918f3c56f5a9433f0f66d54d14197e8e03b75360105d3f4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3c69677709ba6e41c918f3c56f5a9433f0f66d54d14197e8e03b75360105d3f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/account.py"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59529, "scanner": "repobility-ast-engine", "fingerprint": "2a1bc92cd3a0ca126ac5d2a1e81910f26b4f676263a69323cca70e573f768b3b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2a1bc92cd3a0ca126ac5d2a1e81910f26b4f676263a69323cca70e573f768b3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/account.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 59528, "scanner": "repobility-ast-engine", "fingerprint": "0d748a10282151a76cb6f793a61e149f088dd6c1927b70bbf056f48fbd542241", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0d748a10282151a76cb6f793a61e149f088dd6c1927b70bbf056f48fbd542241"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/account.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 59523, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 59522, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 59517, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 59489, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 59488, "scanner": "repobility-threat-engine", "fingerprint": "06e7c88683915540ed44c441665b7d7f37fd16928cfa421f094f6ca89ce017f0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "debug=True", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|06e7c88683915540ed44c441665b7d7f37fd16928cfa421f094f6ca89ce017f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/trigger/webhook.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC014", "level": "warning", "message": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "properties": {"repobilityId": 59469, "scanner": "repobility-threat-engine", "fingerprint": "2406e946b3add457bd4a9a23dc47777af4949566bff50efa2d9e4b26780e0157", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "CERT_NONE", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC014", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|14|sec014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/remote_settings_sources/apollo/python_3x.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC014", "level": "warning", "message": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "properties": {"repobilityId": 59468, "scanner": "repobility-threat-engine", "fingerprint": "903a42fec9d4ac804db9276f2bb03c8558b7c475a9e5a26c969bbb297a3524b8", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "CERT_NONE", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC014", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|46|sec014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/middleware/cache/redis_config.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 59461, "scanner": "repobility-threat-engine", "fingerprint": "b8e1b9e202062c1e30d9a0f3e8998237e6c7d9137dd391c31483527b8f671c10", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def get_field_value(self, field: FieldInfo, field_name: str) -> tuple[Any, str, bool]:\n        raise", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b8e1b9e202062c1e30d9a0f3e8998237e6c7d9137dd391c31483527b8f671c10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/remote_settings_sources/base.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 59460, "scanner": "repobility-threat-engine", "fingerprint": "0301f70f19a47d8cd395b4311ce51510624a68ee20d5e7e9f3598eab017eb9d2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def get_field_value(self, field: FieldInfo, field_name: str) -> tuple[Any, str, bool]:\n        raise", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0301f70f19a47d8cd395b4311ce51510624a68ee20d5e7e9f3598eab017eb9d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/app_config.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 59521, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 59520, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 59519, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 59518, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59516, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4f10b91ed267dac242fe1a3a1c4b0a8a29ceffa8403863f9492ebb96686c8831", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/console/datasets/datasets_segments.py", "duplicate_line": 283, "correlation_key": "fp|4f10b91ed267dac242fe1a3a1c4b0a8a29ceffa8403863f9492ebb96686c8831"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/service_api/dataset/segment.py"}, "region": {"startLine": 144}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59515, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3eb0734f31b2ffe6e8c584479dd4555cc4a90731d89658f89fd3a755a72093d3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/service_api/app/file.py", "duplicate_line": 36, "correlation_key": "fp|3eb0734f31b2ffe6e8c584479dd4555cc4a90731d89658f89fd3a755a72093d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/service_api/dataset/rag_pipeline/rag_pipeline_workflow.py"}, "region": {"startLine": 194}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59514, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7f4087b14c02bf4f60eb7878191c3500014bb0fb0d83d7f29d6bf4921fe70003", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/console/datasets/error.py", "duplicate_line": 1, "correlation_key": "fp|7f4087b14c02bf4f60eb7878191c3500014bb0fb0d83d7f29d6bf4921fe70003"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/service_api/dataset/error.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59513, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4ada5d98df54c6467cc353086785741271160c436723821264fea8b11022d5ad", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/service_api/dataset/dataset.py", "duplicate_line": 229, "correlation_key": "fp|4ada5d98df54c6467cc353086785741271160c436723821264fea8b11022d5ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/service_api/dataset/document.py"}, "region": {"startLine": 224}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59512, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b81c245f1a0fc938dcfe07f3b3b714dcbebde15233571d53bbc7fecb17f05e2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/openapi/workflow_events.py", "duplicate_line": 74, "correlation_key": "fp|6b81c245f1a0fc938dcfe07f3b3b714dcbebde15233571d53bbc7fecb17f05e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/service_api/app/workflow_events.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59511, "scanner": "repobility-ai-code-hygiene", "fingerprint": "410a8df1451b0c1e6d1a78ae51489abf999874a6cd5267f499efad264ef45315", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/service_api/app/completion.py", "duplicate_line": 217, "correlation_key": "fp|410a8df1451b0c1e6d1a78ae51489abf999874a6cd5267f499efad264ef45315"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/service_api/app/workflow.py"}, "region": {"startLine": 246}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59510, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3f58b75e857087eae1709ec3ce4143fabab002b008916a0fe29ef828ee606bdc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/console/app/completion.py", "duplicate_line": 179, "correlation_key": "fp|3f58b75e857087eae1709ec3ce4143fabab002b008916a0fe29ef828ee606bdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/service_api/app/workflow.py"}, "region": {"startLine": 245}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59509, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d28ea23c2dc6124b93506bf24bff5166d0ab8bac8f03bd831bc7c7a2e290edb4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/files/image_preview.py", "duplicate_line": 97, "correlation_key": "fp|d28ea23c2dc6124b93506bf24bff5166d0ab8bac8f03bd831bc7c7a2e290edb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/service_api/app/file_preview.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59508, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a7bbdf68c807fe49284be76730bf10d376841d6f9d2bb7b0e3a77abbcb8f5f15", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/console/app/error.py", "duplicate_line": 40, "correlation_key": "fp|a7bbdf68c807fe49284be76730bf10d376841d6f9d2bb7b0e3a77abbcb8f5f15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/service_api/app/error.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59507, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e1162b8276ee91a439ead442713bced952fa6df02119f8c58f4d41abdab9f757", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/openapi/app_run.py", "duplicate_line": 54, "correlation_key": "fp|e1162b8276ee91a439ead442713bced952fa6df02119f8c58f4d41abdab9f757"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/service_api/app/completion.py"}, "region": {"startLine": 208}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59506, "scanner": "repobility-ai-code-hygiene", "fingerprint": "06c905e39dda5bca1dba415963a02b7670522cf589b9ce658f6969013a05e1cd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/console/explore/completion.py", "duplicate_line": 97, "correlation_key": "fp|06c905e39dda5bca1dba415963a02b7670522cf589b9ce658f6969013a05e1cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/service_api/app/completion.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59505, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3f34d6349da7714038e5e4954f96d5c9130bffc7cb35bbfe44ce11122b358213", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/console/app/completion.py", "duplicate_line": 95, "correlation_key": "fp|3f34d6349da7714038e5e4954f96d5c9130bffc7cb35bbfe44ce11122b358213"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/service_api/app/completion.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59504, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b5f53fe7c660fc1711658ef1c1d6746cc177fc410330f05b2d67af39d0fcee58", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/console/app/completion.py", "duplicate_line": 104, "correlation_key": "fp|b5f53fe7c660fc1711658ef1c1d6746cc177fc410330f05b2d67af39d0fcee58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/service_api/app/audio.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59503, "scanner": "repobility-ai-code-hygiene", "fingerprint": "66cb4f123dde70dcd79f3279699f3bbea2ff5b2397df3754d929dc508f045314", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/console/app/audio.py", "duplicate_line": 68, "correlation_key": "fp|66cb4f123dde70dcd79f3279699f3bbea2ff5b2397df3754d929dc508f045314"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/service_api/app/audio.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59502, "scanner": "repobility-ai-code-hygiene", "fingerprint": "40b1eb9620e784b0c2fe59dbbeab6309501ea7b8953af20348ea1b406095604d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/console/explore/parameter.py", "duplicate_line": 17, "correlation_key": "fp|40b1eb9620e784b0c2fe59dbbeab6309501ea7b8953af20348ea1b406095604d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/service_api/app/app.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59501, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e8fb59765fc5ea4e926c225f8c21f3f736c70634fb43dc2f5cb478a69175522a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/console/app/completion.py", "duplicate_line": 97, "correlation_key": "fp|e8fb59765fc5ea4e926c225f8c21f3f736c70634fb43dc2f5cb478a69175522a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/openapi/app_run.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59500, "scanner": "repobility-ai-code-hygiene", "fingerprint": "686017e7eeb24a495a00fa0508f888b6fa97fad648866401750cc7f36729be12", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/console/explore/completion.py", "duplicate_line": 163, "correlation_key": "fp|686017e7eeb24a495a00fa0508f888b6fa97fad648866401750cc7f36729be12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/explore/workflow.py"}, "region": {"startLine": 56}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59499, "scanner": "repobility-ai-code-hygiene", "fingerprint": "09d4a683170439bddf5c70a395e22ae7dcc33e69af3f8059ed545b3e792d8631", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/console/explore/trial.py", "duplicate_line": 158, "correlation_key": "fp|09d4a683170439bddf5c70a395e22ae7dcc33e69af3f8059ed545b3e792d8631"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/explore/workflow.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59498, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6135d21a51f71fbb85c20a9c57dc5ae4210d629cf994ad64f14658094ead513d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/console/app/audio.py", "duplicate_line": 68, "correlation_key": "fp|6135d21a51f71fbb85c20a9c57dc5ae4210d629cf994ad64f14658094ead513d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/explore/trial.py"}, "region": {"startLine": 280}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59497, "scanner": "repobility-ai-code-hygiene", "fingerprint": "55abf7bf28f500fefa91c7c6fe18a076eb94877b3be148dc85a7057aded83260", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/console/explore/message.py", "duplicate_line": 167, "correlation_key": "fp|55abf7bf28f500fefa91c7c6fe18a076eb94877b3be148dc85a7057aded83260"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/explore/trial.py"}, "region": {"startLine": 249}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59496, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9014a96b81196c3a32ecadbcc02503f38cd7440ff34714a7e52fa7b1fc1eaeb5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/console/app/completion.py", "duplicate_line": 96, "correlation_key": "fp|9014a96b81196c3a32ecadbcc02503f38cd7440ff34714a7e52fa7b1fc1eaeb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/explore/trial.py"}, "region": {"startLine": 214}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59495, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e85ea23eba643eb55dfea4990879fc47513ce5c4db469844b6ebd72149dfdb4b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/console/explore/completion.py", "duplicate_line": 163, "correlation_key": "fp|e85ea23eba643eb55dfea4990879fc47513ce5c4db469844b6ebd72149dfdb4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/explore/trial.py"}, "region": {"startLine": 159}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59494, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0ea9d7f0cca31d8d55ad0a708e76b4391e3087fbe9eb622d1127f9815555e496", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/console/explore/completion.py", "duplicate_line": 98, "correlation_key": "fp|0ea9d7f0cca31d8d55ad0a708e76b4391e3087fbe9eb622d1127f9815555e496"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/explore/message.py"}, "region": {"startLine": 136}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59493, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3837f336c772906ff536cca37fedee8cb70f0d70db6b4717a37ee95bcb05be70", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/console/app/completion.py", "duplicate_line": 95, "correlation_key": "fp|3837f336c772906ff536cca37fedee8cb70f0d70db6b4717a37ee95bcb05be70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/explore/completion.py"}, "region": {"startLine": 89}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59492, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d674ae9294ef130a187d13126ffbf9498718c1b249292423af2fdd3cd12547a2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/console/app/completion.py", "duplicate_line": 104, "correlation_key": "fp|d674ae9294ef130a187d13126ffbf9498718c1b249292423af2fdd3cd12547a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/explore/audio.py"}, "region": {"startLine": 56}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59491, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aa024dc8b97cdb5a7c51e1d4c974069eeea2b2079fe627f4c095138f9bd551aa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/console/app/audio.py", "duplicate_line": 68, "correlation_key": "fp|aa024dc8b97cdb5a7c51e1d4c974069eeea2b2079fe627f4c095138f9bd551aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/explore/audio.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59490, "scanner": "repobility-ai-code-hygiene", "fingerprint": "be4b4f1b8f9c2acce35eff80fea4f97f9876b2c9c4aa988816c706f45e14d6f5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/controllers/console/app/workflow_draft_variable.py", "duplicate_line": 168, "correlation_key": "fp|be4b4f1b8f9c2acce35eff80fea4f97f9876b2c9c4aa988816c706f45e14d6f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/datasets/rag_pipeline/rag_pipeline_draft_variable.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `_normalize_dify_agent_error` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: case=7, match=1, or=1."}, "properties": {"repobilityId": 59453, "scanner": "repobility-threat-engine", "fingerprint": "950d04e97804b23141e1887ed488c95c50d231a333b47a326b4e0123b4ea25de", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_normalize_dify_agent_error", "breakdown": {"or": 1, "case": 7, "match": 1}, "complexity": 9, "correlation_key": "fp|950d04e97804b23141e1887ed488c95c50d231a333b47a326b4e0123b4ea25de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/clients/agent_backend/client.py"}, "region": {"startLine": 108}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `initialize_extensions` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=1, for=1, if=3, nested_bonus=5, ternary=1."}, "properties": {"repobilityId": 59452, "scanner": "repobility-threat-engine", "fingerprint": "e0cc5a3255edd3ac8c492e7b2f9be8514655478da435b653992a773f90ba2bb3", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 11 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "initialize_extensions", "breakdown": {"if": 3, "for": 1, "ternary": 1, "continue": 1, "nested_bonus": 5}, "complexity": 11, "correlation_key": "fp|e0cc5a3255edd3ac8c492e7b2f9be8514655478da435b653992a773f90ba2bb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/app_factory.py"}, "region": {"startLine": 141}}}]}, {"ruleId": "SEC135", "level": "none", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 59487, "scanner": "repobility-threat-engine", "fingerprint": "4a4270f67de1a7670140f18cd6bc5ca58622dcc4163ce6e81532eb791d837096", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '/(?:healthz?|metrics|robots\\.txt|sitemap\\.xml|webhooks?/)' detected on same line", "evidence": {"match": "@bp.route(\"/webhook/<string:webhook_id>\", methods=[\"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", \"HEAD\",", "reason": "Safe pattern '/(?:healthz?|metrics|robots\\.txt|sitemap\\.xml|webhooks?/)' detected on same line", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|4a4270f67de1a7670140f18cd6bc5ca58622dcc4163ce6e81532eb791d837096"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/trigger/webhook.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED076", "level": "none", "message": {"text": "[MINED076] Catch And Reraise Noop: except X: raise X \u2014 adds no value, hides traceback if AI accidentally changes message."}, "properties": {"repobilityId": 59485, "scanner": "repobility-threat-engine", "fingerprint": "2d10fa4d3c5a65591fcc4a66d348e54fe9d100e81362c257315f49c44397ceee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "catch-and-reraise-noop", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348079+00:00", "triaged_in_corpus": 10, "observations_count": 8333, "ai_coder_pattern_id": 45}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2d10fa4d3c5a65591fcc4a66d348e54fe9d100e81362c257315f49c44397ceee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/files/tool_files.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 59477, "scanner": "repobility-threat-engine", "fingerprint": "b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 59476, "scanner": "repobility-threat-engine", "fingerprint": "f72061134909aa0c34450c0af014b147fab1b0ba064fff2e33907e88445665bc", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.exception(\"[get-access-token] exception occur\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|8|logger.exception get-access-token exception occur"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/remote_settings_sources/nacos/http_request.py"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 59475, "scanner": "repobility-threat-engine", "fingerprint": "2c5ecd8b24f550cefd918ffc70e24a837f9cf13d5dd802ec7a73e1c84ba22f04", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.exception(\"[get-access-token] exception occurred\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|3|logger.exception get-access-token exception occurred"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/remote_settings_sources/nacos/__init__.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 59473, "scanner": "repobility-threat-engine", "fingerprint": "d57f94c2e96069b4a87a7fb2ba46f76103ae7ecd579ffae7064a6551df416baa", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d57f94c2e96069b4a87a7fb2ba46f76103ae7ecd579ffae7064a6551df416baa"}}}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 59467, "scanner": "repobility-threat-engine", "fingerprint": "66ecf1a3d31f6b4afe124682ccde8ef310bdf0a964def9bcab0763ef87afc140", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|66ecf1a3d31f6b4afe124682ccde8ef310bdf0a964def9bcab0763ef87afc140"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/contexts/wrapper.py"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 59466, "scanner": "repobility-threat-engine", "fingerprint": "764818261dc39933dac7a880c2cdc97523cc95d40e2ca6d521dfb74912f68c10", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|764818261dc39933dac7a880c2cdc97523cc95d40e2ca6d521dfb74912f68c10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/extra/__init__.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 59465, "scanner": "repobility-threat-engine", "fingerprint": "65bcd7f326bc59f8b4437e46d4ab6a55a7a5b15fd03b0952dee24ac035ca5b3d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|65bcd7f326bc59f8b4437e46d4ab6a55a7a5b15fd03b0952dee24ac035ca5b3d", "aggregated_count": 5}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 59464, "scanner": "repobility-threat-engine", "fingerprint": "4c9a53dee0d4c6420e7d38b04be6c5cbe3747192a6b1cf130263efc8f9a129a3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4c9a53dee0d4c6420e7d38b04be6c5cbe3747192a6b1cf130263efc8f9a129a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/observability/__init__.py"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 59463, "scanner": "repobility-threat-engine", "fingerprint": "57e6600ea2e30a1a410a259080245e4bd12787cf0a92050b055fc1c20b26df3e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|57e6600ea2e30a1a410a259080245e4bd12787cf0a92050b055fc1c20b26df3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/extra/__init__.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 59462, "scanner": "repobility-threat-engine", "fingerprint": "94486698a8a881adb161d2f93bbd95cc8be0cb84c33fd2416630b44ea33a7c95", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|94486698a8a881adb161d2f93bbd95cc8be0cb84c33fd2416630b44ea33a7c95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/app_config.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 59459, "scanner": "repobility-threat-engine", "fingerprint": "af2915db584dc5b525278810c851c86045ee30d1b343db2ac86334487b3523c0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|af2915db584dc5b525278810c851c86045ee30d1b343db2ac86334487b3523c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/clients/agent_backend/workspace_files_client.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 59458, "scanner": "repobility-threat-engine", "fingerprint": "719f16a1467677730b367baa2144dabfe702dd229dc13e6f3e8747ec0afa970d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|719f16a1467677730b367baa2144dabfe702dd229dc13e6f3e8747ec0afa970d"}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 62 more): Same pattern found in 62 additional files. Review if needed."}, "properties": {"repobilityId": 59454, "scanner": "repobility-threat-engine", "fingerprint": "75d4ddfc8ca6eb751539ebe7056fa65e50c16d03d66a5534fd4e353ef77460c4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 62 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "before_request", "breakdown": {"if": 6, "else": 1, "except": 2, "nested_bonus": 17}, "aggregated": true, "complexity": 26, "correlation_key": "fp|75d4ddfc8ca6eb751539ebe7056fa65e50c16d03d66a5534fd4e353ef77460c4", "aggregated_count": 62}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 59450, "scanner": "repobility-threat-engine", "fingerprint": "d492cc3e0e59429a41c2469a957e4a563b39fa366271524490142668432813b7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d492cc3e0e59429a41c2469a957e4a563b39fa366271524490142668432813b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/remote_settings_sources/nacos/http_request.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 59449, "scanner": "repobility-threat-engine", "fingerprint": "6162a4ab091dd333786c25dd226d2dfaa86270a439b690ab20ccddfef1408486", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6162a4ab091dd333786c25dd226d2dfaa86270a439b690ab20ccddfef1408486"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/middleware/vdb/baidu_vector_config.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 59448, "scanner": "repobility-threat-engine", "fingerprint": "562b9c86f6c7651f8cf1a67306fcc38f503d350920d9c424d43e02863922d3ee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|562b9c86f6c7651f8cf1a67306fcc38f503d350920d9c424d43e02863922d3ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/app.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /setup has no auth: Handler `setup_system` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 59580, "scanner": "repobility-route-auth", "fingerprint": "ec1f3acd3a748b294abdd88aaa5b0df3eeb0fcdab55f2a6b02991267406c54e7", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|ec1f3acd3a748b294abdd88aaa5b0df3eeb0fcdab55f2a6b02991267406c54e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/setup.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /init has no auth: Handler `validate_init_password` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 59579, "scanner": "repobility-route-auth", "fingerprint": "ffe9a62bcfe0dd9620f1782400283d21721ed77c7e210e2eec67317c5ef1a7e1", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|ffe9a62bcfe0dd9620f1782400283d21721ed77c7e210e2eec67317c5ef1a7e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/init_validate.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._convert_user_input_form` used but never assigned in __init__: Method `_get_user_input_form` of class `MCPAppApi` reads `self._convert_user_input_form`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59574, "scanner": "repobility-ast-engine", "fingerprint": "26044da6e3d78c789c04cd6af3ce21d58ca18ae21325f3a9446daca973aaf1c1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|26044da6e3d78c789c04cd6af3ce21d58ca18ae21325f3a9446daca973aaf1c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/mcp/mcp.py"}, "region": {"startLine": 157}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._handle_mcp_request` used but never assigned in __init__: Method `_handle_request` of class `MCPAppApi` reads `self._handle_mcp_request`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59573, "scanner": "repobility-ast-engine", "fingerprint": "fb39db395eaa19aa7277943980348a381c9e0dc1e55c01a570f99933b7155b29", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fb39db395eaa19aa7277943980348a381c9e0dc1e55c01a570f99933b7155b29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/mcp/mcp.py"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._handle_request` used but never assigned in __init__: Method `_process_mcp_message` of class `MCPAppApi` reads `self._handle_request`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59572, "scanner": "repobility-ast-engine", "fingerprint": "d581d508a4e388f607c9b39143979763ce5859adf5889b4076547009a6cd066e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d581d508a4e388f607c9b39143979763ce5859adf5889b4076547009a6cd066e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/mcp/mcp.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._handle_notification` used but never assigned in __init__: Method `_process_mcp_message` of class `MCPAppApi` reads `self._handle_notification`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59571, "scanner": "repobility-ast-engine", "fingerprint": "b3d944292957d24f559a70b8cd5980e36a5350dbe6cd11a3d64f8a15227b78b5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b3d944292957d24f559a70b8cd5980e36a5350dbe6cd11a3d64f8a15227b78b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/mcp/mcp.py"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._process_mcp_message` used but never assigned in __init__: Method `post` of class `MCPAppApi` reads `self._process_mcp_message`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59570, "scanner": "repobility-ast-engine", "fingerprint": "b3b6031279b3f9db302a72c60e7e7d6a1a8c8c9fbac3f644c61ae88ce012bc36", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b3b6031279b3f9db302a72c60e7e7d6a1a8c8c9fbac3f644c61ae88ce012bc36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/mcp/mcp.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_user_input_form` used but never assigned in __init__: Method `post` of class `MCPAppApi` reads `self._get_user_input_form`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59569, "scanner": "repobility-ast-engine", "fingerprint": "7f35d5c876c51935db2004a0ecc794b8cc51c4b926239d79b0c4b26036eb01b8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7f35d5c876c51935db2004a0ecc794b8cc51c4b926239d79b0c4b26036eb01b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/mcp/mcp.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._validate_server_status` used but never assigned in __init__: Method `post` of class `MCPAppApi` reads `self._validate_server_status`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59568, "scanner": "repobility-ast-engine", "fingerprint": "cb1343bda1fe407b7765b5bab5bf33f7a75a85ff0ec524c7ace2dbef2c6b531b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cb1343bda1fe407b7765b5bab5bf33f7a75a85ff0ec524c7ace2dbef2c6b531b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/mcp/mcp.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_mcp_server_and_app` used but never assigned in __init__: Method `post` of class `MCPAppApi` reads `self._get_mcp_server_and_app`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59567, "scanner": "repobility-ast-engine", "fingerprint": "5a455ad9676c8022eafea733039e218092ae30ae78fa049dac6aa37b75ef7311", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5a455ad9676c8022eafea733039e218092ae30ae78fa049dac6aa37b75ef7311"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/mcp/mcp.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._parse_mcp_request` used but never assigned in __init__: Method `post` of class `MCPAppApi` reads `self._parse_mcp_request`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59566, "scanner": "repobility-ast-engine", "fingerprint": "35f3bc5d3ec95896449f0ba7f01b8b9aaaaeb2e2af3e7e0dd5aaa7ce19fe4e29", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|35f3bc5d3ec95896449f0ba7f01b8b9aaaaeb2e2af3e7e0dd5aaa7ce19fe4e29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/mcp/mcp.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._delete_api_key` used but never assigned in __init__: Method `delete` of class `DatasetApiKeyResource` reads `self._delete_api_key`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59565, "scanner": "repobility-ast-engine", "fingerprint": "d2eb6831230c5ecc50f398b507cc71c601b8dd47c9897e43ee6cac6aa970beab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d2eb6831230c5ecc50f398b507cc71c601b8dd47c9897e43ee6cac6aa970beab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/apikey.py"}, "region": {"startLine": 259}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._create_api_key` used but never assigned in __init__: Method `post` of class `DatasetApiKeyListResource` reads `self._create_api_key`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59564, "scanner": "repobility-ast-engine", "fingerprint": "ef529c1054eb2592883fe32214864779b03aa9d9d39718291011086577b590d0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ef529c1054eb2592883fe32214864779b03aa9d9d39718291011086577b590d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/apikey.py"}, "region": {"startLine": 239}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_api_key_list` used but never assigned in __init__: Method `get` of class `DatasetApiKeyListResource` reads `self._get_api_key_list`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59563, "scanner": "repobility-ast-engine", "fingerprint": "d2446645b032402fcae30e4c49069c5db67768d89cffd1efc25a9b9e5b5918ed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d2446645b032402fcae30e4c49069c5db67768d89cffd1efc25a9b9e5b5918ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/apikey.py"}, "region": {"startLine": 228}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._delete_api_key` used but never assigned in __init__: Method `delete` of class `AppApiKeyResource` reads `self._delete_api_key`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59562, "scanner": "repobility-ast-engine", "fingerprint": "6d8377e45685ef3ca04804fe98a6042f2c05c381aa887857abea4fb6745d8177", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6d8377e45685ef3ca04804fe98a6042f2c05c381aa887857abea4fb6745d8177"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/apikey.py"}, "region": {"startLine": 211}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._create_api_key` used but never assigned in __init__: Method `post` of class `AppApiKeyListResource` reads `self._create_api_key`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59561, "scanner": "repobility-ast-engine", "fingerprint": "e0a8b9b2ae86f2ea538952e3a9053249740840dd3f365183777cd29835ba5822", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e0a8b9b2ae86f2ea538952e3a9053249740840dd3f365183777cd29835ba5822"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/apikey.py"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_api_key_list` used but never assigned in __init__: Method `get` of class `AppApiKeyListResource` reads `self._get_api_key_list`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59560, "scanner": "repobility-ast-engine", "fingerprint": "3bd87b835852c787a137b0679eeae4501b05b0004e957536d111d9c5f842417e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3bd87b835852c787a137b0679eeae4501b05b0004e957536d111d9c5f842417e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/apikey.py"}, "region": {"startLine": 180}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._delete_api_key` used but never assigned in __init__: Method `delete` of class `BaseApiKeyResource` reads `self._delete_api_key`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59559, "scanner": "repobility-ast-engine", "fingerprint": "151e1adf9edc1893d2b6396f80f8c1db8d5f959c42e725d9b08d7c48287979d0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|151e1adf9edc1893d2b6396f80f8c1db8d5f959c42e725d9b08d7c48287979d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/apikey.py"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._create_api_key` used but never assigned in __init__: Method `post` of class `BaseApiKeyListResource` reads `self._create_api_key`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59558, "scanner": "repobility-ast-engine", "fingerprint": "e0fde84d7ee91a95d9758dcc28eb96893623c33398e568f90a485b673e8a00ad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e0fde84d7ee91a95d9758dcc28eb96893623c33398e568f90a485b673e8a00ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/apikey.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_api_key_list` used but never assigned in __init__: Method `get` of class `BaseApiKeyListResource` reads `self._get_api_key_list`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59557, "scanner": "repobility-ast-engine", "fingerprint": "32745b6b9498ceaf2987e1a7568ca39fa6f2db36444872ead449884d91116b96", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|32745b6b9498ceaf2987e1a7568ca39fa6f2db36444872ead449884d91116b96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/apikey.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._ensure_console_recipient_type` used but never assigned in __init__: Method `post` of class `ConsoleHumanInputFormApi` reads `self._ensure_console_recipient_type`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59556, "scanner": "repobility-ast-engine", "fingerprint": "6c5d988b0aed4fb5e371ca26680ce0cb919756455c8966ebbf93ff8e3bd29793", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6c5d988b0aed4fb5e371ca26680ce0cb919756455c8966ebbf93ff8e3bd29793"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/human_input_form.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._ensure_console_access` used but never assigned in __init__: Method `post` of class `ConsoleHumanInputFormApi` reads `self._ensure_console_access`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59555, "scanner": "repobility-ast-engine", "fingerprint": "9be760f24fae64cdcd1c4aea07b9ba44f9f79d338fc42dfe88ba050f265e04fa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9be760f24fae64cdcd1c4aea07b9ba44f9f79d338fc42dfe88ba050f265e04fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/human_input_form.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._ensure_console_access` used but never assigned in __init__: Method `get` of class `ConsoleHumanInputFormApi` reads `self._ensure_console_access`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59554, "scanner": "repobility-ast-engine", "fingerprint": "c5001d201f9a373f1bbb0fbf6f0863e88f722b185f65fda06c75e99aebce4155", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c5001d201f9a373f1bbb0fbf6f0863e88f722b185f65fda06c75e99aebce4155"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/human_input_form.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._load` used but never assigned in __init__: Method `get` of class `AppDescribeApi` reads `self._load`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59553, "scanner": "repobility-ast-engine", "fingerprint": "8288660ebfdab375c687c801d2650ea58d7029d3aaaeb0cf358275b65687e145", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8288660ebfdab375c687c801d2650ea58d7029d3aaaeb0cf358275b65687e145"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/openapi/apps.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.enter` used but never assigned in __init__: Method `__enter__` of class `ExecutionContext` reads `self.enter`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59526, "scanner": "repobility-ast-engine", "fingerprint": "563d4691b3ee160c612d038aed31c2a3510857f7f78704574f1d363b1ea83074", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|563d4691b3ee160c612d038aed31c2a3510857f7f78704574f1d363b1ea83074"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/context/execution_context.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.settings_cls` used but never assigned in __init__: Method `__call__` of class `RemoteSettingsSourceFactory` reads `self.settings_cls`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59525, "scanner": "repobility-ast-engine", "fingerprint": "c6642ed3f46affeb8c0ded20ab7207bea7b9fd578aee0212c494626cb419dc73", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c6642ed3f46affeb8c0ded20ab7207bea7b9fd578aee0212c494626cb419dc73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/app_config.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.current_state` used but never assigned in __init__: Method `__call__` of class `RemoteSettingsSourceFactory` reads `self.current_state`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 59524, "scanner": "repobility-ast-engine", "fingerprint": "258874e58eaa09a420a62ad56220e4646e48b2c43e7370e4fc2c36e69cdfd522", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|258874e58eaa09a420a62ad56220e4646e48b2c43e7370e4fc2c36e69cdfd522"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/app_config.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 59486, "scanner": "repobility-threat-engine", "fingerprint": "7f2a740e1787c45bb0c8c809ffbb8b864aa4c10592c0e1b916e5b752b3876f51", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@bp.route(\"/plugin/<string:endpoint_id>\", methods=[\"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", \"HEAD\",", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7f2a740e1787c45bb0c8c809ffbb8b864aa4c10592c0e1b916e5b752b3876f51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/trigger/trigger.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC030", "level": "error", "message": {"text": "[SEC030] Open Redirect \u2014 user-controlled redirect target: Redirect target is taken directly from user input without validating that the destination is local to the site. Attackers craft phishing URLs that appear to come from your domain but land on attacker-controlled pages \u2014 common in OAuth callback flows, post-login redirects, and `next=` parameters. CWE-601."}, "properties": {"repobilityId": 59484, "scanner": "repobility-threat-engine", "fingerprint": "1cafe5b9c140797a6413f11810f23ce225098e2e9932e3a8416afb2980732214", "category": "open_redirect", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "redirect(target_url)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC030", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1cafe5b9c140797a6413f11810f23ce225098e2e9932e3a8416afb2980732214"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/auth/oauth.py"}, "region": {"startLine": 203}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 59483, "scanner": "repobility-threat-engine", "fingerprint": "dbd2aca1baf9d8d2e79ed970cb8b4a099321b3e3512b00cdaf97b2f36137e4f4", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r'filename=\"?(.+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|69|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/common/helpers.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 59482, "scanner": "repobility-threat-engine", "fingerprint": "dfc012a9ad9d06e147df6b569a7b2a47a02a0a4822509ba1b39a895befe4fde3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dfc012a9ad9d06e147df6b569a7b2a47a02a0a4822509ba1b39a895befe4fde3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/secret_key.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 59481, "scanner": "repobility-threat-engine", "fingerprint": "1f69f3466d00c3efc4728d762d89e193492689548c2b65578e86817150897b1b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1f69f3466d00c3efc4728d762d89e193492689548c2b65578e86817150897b1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/inner_api/wraps.py"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 59480, "scanner": "repobility-threat-engine", "fingerprint": "e41930f40740963a5c5e7c7902253382226979604ffc0b619dff67b58dce636a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e41930f40740963a5c5e7c7902253382226979604ffc0b619dff67b58dce636a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/remote_settings_sources/nacos/http_request.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 59479, "scanner": "repobility-threat-engine", "fingerprint": "1f5a885635d6aec04a21aa9417a39099728c53f4dae1695c96b269ea09f06157", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1f5a885635d6aec04a21aa9417a39099728c53f4dae1695c96b269ea09f06157"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/remote_settings_sources/apollo/utils.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 59478, "scanner": "repobility-threat-engine", "fingerprint": "1b61eb807fca0f8c015c8af5933ecdc3f0f04eb20c2b1d983bfe100676a81106", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(request", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|27|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/remote_settings_sources/apollo/python_3x.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 59474, "scanner": "repobility-threat-engine", "fingerprint": "ea7a25089608d2ce7b45239eb9d2487e9e1cb3211ec27b8baf5dd800b55a8576", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.warning(\"http_request error,code is 304, maybe you should check secret\")", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|3|logger.warning http_request error code is 304 maybe you should check secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/remote_settings_sources/apollo/python_3x.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 59472, "scanner": "repobility-threat-engine", "fingerprint": "dd52397e550ec7421d015ebd1288432ee0389108567ff6157a9e235584ecc76c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dd52397e550ec7421d015ebd1288432ee0389108567ff6157a9e235584ecc76c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/common/fields.py"}, "region": {"startLine": 164}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 59471, "scanner": "repobility-threat-engine", "fingerprint": "c7f95a3b89af7efe91d04543801b271da01b5c5f747e037ed638626ebd3a969a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "urllib.request.urlopen(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c7f95a3b89af7efe91d04543801b271da01b5c5f747e037ed638626ebd3a969a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/remote_settings_sources/apollo/python_3x.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 59470, "scanner": "repobility-threat-engine", "fingerprint": "91d5263d1870bb3e79737f501f521c4a26016ce0dda5ce0708160fed48fc74e8", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|91d5263d1870bb3e79737f501f521c4a26016ce0dda5ce0708160fed48fc74e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/middleware/cache/redis_pubsub_config.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 59457, "scanner": "repobility-threat-engine", "fingerprint": "a6659ad37d662b23a44af9ca787a8fc5016b2828a044b4408b4158257bd969cf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "converted.update(non_null_schema)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a6659ad37d662b23a44af9ca787a8fc5016b2828a044b4408b4158257bd969cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/common/schema.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 59456, "scanner": "repobility-threat-engine", "fingerprint": "cce629e026c6823d0628669bb83baa081dbb6cbe4bbf489a3b432b802f7987ad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "headers.update({\"User-Agent\": \"Nacos-Http-Client-In-Dify:v0.0.1\"})", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cce629e026c6823d0628669bb83baa081dbb6cbe4bbf489a3b432b802f7987ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/configs/remote_settings_sources/nacos/http_request.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 59455, "scanner": "repobility-threat-engine", "fingerprint": "6ed3012622bd213637599971e45bf49b95e227381984ff0a82382921e46bcb56", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "celery.conf.update(broker_transport_options=broker_transport_options)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6ed3012622bd213637599971e45bf49b95e227381984ff0a82382921e46bcb56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/celery_healthcheck.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `before_request` has cognitive complexity 26 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=1, except=2, if=6, nested_bonus=17."}, "properties": {"repobilityId": 59451, "scanner": "repobility-threat-engine", "fingerprint": "2875ab09c9740abb2d4a266e023231f3ff7fd66e81558b64eaa2d544ab26cb4b", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 26 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "before_request", "breakdown": {"if": 6, "else": 1, "except": 2, "nested_bonus": 17}, "complexity": 26, "correlation_key": "fp|2875ab09c9740abb2d4a266e023231f3ff7fd66e81558b64eaa2d544ab26cb4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/app_factory.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 59447, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 59577, "scanner": "repobility-ast-engine", "fingerprint": "efb4d9b1ccf570ec58618961e3df55bc8da6bfbd2f5709321904d9af866839ed", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|efb4d9b1ccf570ec58618961e3df55bc8da6bfbd2f5709321904d9af866839ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/auth/login.py"}, "region": {"startLine": 364}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 59576, "scanner": "repobility-ast-engine", "fingerprint": "e73dd9219e2b70c057f2e9731aa00008ba5c1eb9adec721ac398d39793856194", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e73dd9219e2b70c057f2e9731aa00008ba5c1eb9adec721ac398d39793856194"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/auth/email_register.py"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 59575, "scanner": "repobility-ast-engine", "fingerprint": "06c1c08eb7cae988b283459340e1dd80f799fb290a459149611f09eb7696f197", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|06c1c08eb7cae988b283459340e1dd80f799fb290a459149611f09eb7696f197"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/controllers/console/workspace/members.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 59527, "scanner": "repobility-ast-engine", "fingerprint": "4155f82269b0d6faa86c46b9213d70682f351c7c9ddd0d981eea626dd46e05ce", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4155f82269b0d6faa86c46b9213d70682f351c7c9ddd0d981eea626dd46e05ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/commands/account.py"}, "region": {"startLine": 28}}}]}]}]}