{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC012", "name": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json", "shortDescription": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, "}, "fullDescription": {"text": "FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.72, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /r"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /research."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /items."}, "fullDescription": {"text": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /items."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 40.0% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 40.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 40.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.45, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC009", "name": "Multiple AI-agent scaffold marker files are present", "shortDescription": {"text": "Multiple AI-agent scaffold marker files are present"}, "fullDescription": {"text": "Repositories with several agent instruction, progress, or completion marker files are often generated scaffolds. They are not automatically wrong, but they deserve a reachability and ownership review before users treat the code as production-ready."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.", "shortDescription": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "fullDescription": {"text": "Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 0.5, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/342"}, "properties": {"repository": "ZhuLinsen/daily_stock_analysis", "repoUrl": "https://github.com/ZhuLinsen/daily_stock_analysis", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 10848, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 10845, "scanner": "repobility-journey-contract", "fingerprint": "7e120e8a0e49b69e7aea4946e7f8c33e5ecb98925f16a9d55ca2a96a1831b43a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/auth/change-password", "correlation_key": "fp|7e120e8a0e49b69e7aea4946e7f8c33e5ecb98925f16a9d55ca2a96a1831b43a", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dsa-web/src/api/auth.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 10844, "scanner": "repobility-journey-contract", "fingerprint": "47b3dcecef308441ec634fd143d37e2d644c3967cb06e7e242344c2641782443", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/auth/login", "correlation_key": "fp|47b3dcecef308441ec634fd143d37e2d644c3967cb06e7e242344c2641782443", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dsa-web/src/api/auth.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 10843, "scanner": "repobility-journey-contract", "fingerprint": "6619fe61b4d19157b4958d861775b7cd8445b37bff56f78b22329d33a4e45c39", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/auth/settings", "correlation_key": "fp|6619fe61b4d19157b4958d861775b7cd8445b37bff56f78b22329d33a4e45c39", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dsa-web/src/api/auth.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 10842, "scanner": "repobility-journey-contract", "fingerprint": "205274bdfaf34e209fc5c0538d8cdb149cda8f96d7de03ddbb2e443cf7a43873", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/auth/status", "correlation_key": "fp|205274bdfaf34e209fc5c0538d8cdb149cda8f96d7de03ddbb2e443cf7a43873", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dsa-web/src/api/auth.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 10841, "scanner": "repobility-journey-contract", "fingerprint": "259d680ecdd3191c109aec0be9e41aa899224217386c877b8fc291a149d885eb", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/analysis/tasks", "correlation_key": "fp|259d680ecdd3191c109aec0be9e41aa899224217386c877b8fc291a149d885eb", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dsa-web/src/api/analysis.ts"}, "region": {"startLine": 148}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 10840, "scanner": "repobility-journey-contract", "fingerprint": "0b0ff1aed743aa10093fd2d612cbf981bee5032f7c1b72cc84a7dec5187c892e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/analysis/status/{param}", "correlation_key": "fp|0b0ff1aed743aa10093fd2d612cbf981bee5032f7c1b72cc84a7dec5187c892e", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dsa-web/src/api/analysis.ts"}, "region": {"startLine": 123}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 10839, "scanner": "repobility-journey-contract", "fingerprint": "62043993d84ba4123034256a3eb1724e5ab4d7d674513d0e67eb52419ac3df21", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/analysis/market-review", "correlation_key": "fp|62043993d84ba4123034256a3eb1724e5ab4d7d674513d0e67eb52419ac3df21", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dsa-web/src/api/analysis.ts"}, "region": {"startLine": 97}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 10838, "scanner": "repobility-journey-contract", "fingerprint": "72029fe4fb5d3cc62de11ad92a66eba86927db2b8da2a3563de5800a180f20f5", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/analysis/analyze", "correlation_key": "fp|72029fe4fb5d3cc62de11ad92a66eba86927db2b8da2a3563de5800a180f20f5", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dsa-web/src/api/analysis.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 10837, "scanner": "repobility-journey-contract", "fingerprint": "be3646d3a56b127deda3e700f661f7888f5b50bfad1a616fb6280e0ba9289fc4", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/analysis/analyze", "correlation_key": "fp|be3646d3a56b127deda3e700f661f7888f5b50bfad1a616fb6280e0ba9289fc4", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dsa-web/src/api/analysis.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 10836, "scanner": "repobility-journey-contract", "fingerprint": "007b12362819c4afb71ed3d06095b5fe4bb64ac40b6ec6a14ccf20fc0ced42f1", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/agent/chat/send", "correlation_key": "fp|007b12362819c4afb71ed3d06095b5fe4bb64ac40b6ec6a14ccf20fc0ced42f1", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dsa-web/src/api/agent.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 10835, "scanner": "repobility-journey-contract", "fingerprint": "eb4879e6b5a287ccae4bab41b42faf4834feb4f993269d3f1ccdd8ff46a1a40d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/agent/chat/sessions/{param}", "correlation_key": "fp|eb4879e6b5a287ccae4bab41b42faf4834feb4f993269d3f1ccdd8ff46a1a40d", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dsa-web/src/api/agent.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 10834, "scanner": "repobility-journey-contract", "fingerprint": "d32e771dfe1c41f8a7b6e35c39fdec025cecf3dcf289874fa2602bc1e46d373a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/agent/chat/sessions/{param}", "correlation_key": "fp|d32e771dfe1c41f8a7b6e35c39fdec025cecf3dcf289874fa2602bc1e46d373a", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dsa-web/src/api/agent.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 10833, "scanner": "repobility-journey-contract", "fingerprint": "8f7f2b84680b6e021dc5fb58fe7c05bff8dfd28807510aa97d345393c5e0e4fc", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/agent/chat/sessions", "correlation_key": "fp|8f7f2b84680b6e021dc5fb58fe7c05bff8dfd28807510aa97d345393c5e0e4fc", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dsa-web/src/api/agent.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 10832, "scanner": "repobility-journey-contract", "fingerprint": "2187b9d327fec9ff153a6c226d9258583a219443d78d024f22cd49b8a29774c7", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/agent/skills", "correlation_key": "fp|2187b9d327fec9ff153a6c226d9258583a219443d78d024f22cd49b8a29774c7", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dsa-web/src/api/agent.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 10831, "scanner": "repobility-journey-contract", "fingerprint": "7d5b884b1a5d257bd57d2a13927a9e04302523805d558e734fd54c59fbf11755", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/agent/chat", "correlation_key": "fp|7d5b884b1a5d257bd57d2a13927a9e04302523805d558e734fd54c59fbf11755", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dsa-web/src/api/agent.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "AUC012", "level": "warning", "message": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"repobilityId": 10830, "scanner": "repobility-access-control", "fingerprint": "27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899", "category": "auth", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"apps": [{"line": 144, "file_path": "api/app.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 92, "file_path": "tests/test_system_config_api.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}], "scanner": "repobility-access-control", "correlation_key": "fp|27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899"}}}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /research."}, "properties": {"repobilityId": 10829, "scanner": "repobility-access-control", "fingerprint": "dff33da83b03617ddcbd18e29740a27e8e05dd89c389861f20446a56dea451d5", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/research", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|api/v1/endpoints/agent.py|311|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/v1/endpoints/agent.py"}, "region": {"startLine": 311}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /chat/sessions/{session_id}."}, "properties": {"repobilityId": 10828, "scanner": "repobility-access-control", "fingerprint": "71c5970b22107265bc9a1979e7235061629cc3afcd3a2a6b3702fc15df6c6a53", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/chat/sessions/{session_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|api/v1/endpoints/agent.py|236|cwe-285", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/v1/endpoints/agent.py"}, "region": {"startLine": 236}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /items."}, "properties": {"repobilityId": 10827, "scanner": "repobility-access-control", "fingerprint": "e4c50e7baa3f19daed7aa475a2e5d45020095729685a88663ee44b96876b60d1", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/items", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|api/deps.py|33|cwe-285", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/deps.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 40.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 10826, "scanner": "repobility-access-control", "fingerprint": "590150581400d15f2f68c5d5dc2b1a013fcc55de86fe55e7743c6640b3fbf93c", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 15, "correlation_key": "fp|590150581400d15f2f68c5d5dc2b1a013fcc55de86fe55e7743c6640b3fbf93c", "auth_visible_percent": 40.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 10825, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["FastAPI"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 10819, "scanner": "repobility-docker", "fingerprint": "05df82cafeee68e4bd6d7f9d6b1d663188041857121be59d1c7e927e215ed025", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.11-slim-bookworm", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|05df82cafeee68e4bd6d7f9d6b1d663188041857121be59d1c7e927e215ed025"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 10818, "scanner": "repobility-threat-engine", "fingerprint": "615ac66b5a1bbf8053133966376d43c685e719da312f45895c0d9d5a5a31ad2e", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_error) {\n  }", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|615ac66b5a1bbf8053133966376d43c685e719da312f45895c0d9d5a5a31ad2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dsa-desktop/main.js"}, "region": {"startLine": 433}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 10816, "scanner": "repobility-threat-engine", "fingerprint": "afbd33470833b6c4024e0c50275360c5ba1f8d6cf5c044bd13741089c195b8e2", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|afbd33470833b6c4024e0c50275360c5ba1f8d6cf5c044bd13741089c195b8e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/import_parser.py"}, "region": {"startLine": 218}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 10815, "scanner": "repobility-threat-engine", "fingerprint": "7b5310350942e8907436789db72dd4a88e2cc4bf5b6c4414ec21d5f491145869", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n                pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7b5310350942e8907436789db72dd4a88e2cc4bf5b6c4414ec21d5f491145869"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/generate_stock_index.py"}, "region": {"startLine": 76}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 10814, "scanner": "repobility-threat-engine", "fingerprint": "9a06b988230ac0da584443734be711ae3fd1e4f5bc3a7cd78a79b8d3bb0189f4", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9a06b988230ac0da584443734be711ae3fd1e4f5bc3a7cd78a79b8d3bb0189f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "data_provider/longbridge_fetcher.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 10809, "scanner": "repobility-threat-engine", "fingerprint": "4f8a12663252193c9fb14ec0bb7a33df51fb6ca7cbabd1ed560b25247f915b54", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "random.choice(key", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|249|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/image_stock_extractor.py"}, "region": {"startLine": 249}}}]}, {"ruleId": "SEC020", "level": "warning", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 10804, "scanner": "repobility-threat-engine", "fingerprint": "4a51f45d9c39a9530778945d9679157b2c70580529dc292f7e2a07545cc510f2", "category": "credential_exposure", "severity": "medium", "confidence": 0.45, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line prints secret length metadata, not the secret value. Review whether length disclosure is acceptable.", "evidence": {"match": "logger.info(f\"\u5df2\u914d\u7f6e SerpAPI \u641c\u7d22\uff0c\u5171 {len(serpapi_keys)", "reason": "Log line prints secret length metadata, not the secret value. Review whether length disclosure is acceptable.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.45, "correlation_key": "secret|src/search_service.py|218|logger.info f serpapi len serpapi_keys"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/search_service.py"}, "region": {"startLine": 2185}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 10803, "scanner": "repobility-agent-runtime", "fingerprint": "82959a06ed10ff896f6e50754773869179b7257366ad04ea689872abdb157c1a", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|82959a06ed10ff896f6e50754773869179b7257366ad04ea689872abdb157c1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "main.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 10802, "scanner": "repobility-agent-runtime", "fingerprint": "6c0cdfcc49c627294651beeaa0e08dd0eead97b1eb2f0c1ff3bdd4b6f95f0b84", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|6c0cdfcc49c627294651beeaa0e08dd0eead97b1eb2f0c1ff3bdd4b6f95f0b84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/DEPLOY.md"}, "region": {"startLine": 24}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 10801, "scanner": "repobility-agent-runtime", "fingerprint": "6d338b652bd7aeefeb9272ab9965b21b00242a8cbd4c3bad15658d9be09cf43c", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|6d338b652bd7aeefeb9272ab9965b21b00242a8cbd4c3bad15658d9be09cf43c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "data_provider/efinance_fetcher.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 10800, "scanner": "repobility-agent-runtime", "fingerprint": "92714906809f2fbc9da46c06108e635973bff5ec1030a9c27f38320da02d9188", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|92714906809f2fbc9da46c06108e635973bff5ec1030a9c27f38320da02d9188"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "data_provider/akshare_fetcher.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 10799, "scanner": "repobility-agent-runtime", "fingerprint": "f47b81785237ab377ce03af318f4992cee5170acbb7d84ba3a976708b7c40131", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|f47b81785237ab377ce03af318f4992cee5170acbb7d84ba3a976708b7c40131"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dsa-web/src/stores/agentChatStore.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10798, "scanner": "repobility-ai-code-hygiene", "fingerprint": "32f4e8e5b3bcecec1488c3e1914b3610d5737855c69fa172b073c7dea9289fb4", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/v1/schemas/system_config.py", "duplicate_line": 7, "correlation_key": "fp|32f4e8e5b3bcecec1488c3e1914b3610d5737855c69fa172b073c7dea9289fb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/notification_routing.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10797, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3ffae3dd985e9d3e402759ad9382eec016e2d893c6e048421d793f2a9f491cce", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/generate_index_from_csv.py", "duplicate_line": 286, "correlation_key": "fp|3ffae3dd985e9d3e402759ad9382eec016e2d893c6e048421d793f2a9f491cce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/generate_stock_index.py"}, "region": {"startLine": 137}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10796, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0b14779feb39f140efec9e3540a9f1f4305f6b56bf518fe9631253144f4becde", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/v1/endpoints/agent.py", "duplicate_line": 252, "correlation_key": "fp|0b14779feb39f140efec9e3540a9f1f4305f6b56bf518fe9631253144f4becde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bot/commands/research.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10795, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a876a3caefd2cbc9aba1fd3b9d55249bad82bd18daeabd6ff064098fd6f42690", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/v1/endpoints/analysis.py", "duplicate_line": 78, "correlation_key": "fp|a876a3caefd2cbc9aba1fd3b9d55249bad82bd18daeabd6ff064098fd6f42690"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bot/commands/market.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10794, "scanner": "repobility-ai-code-hygiene", "fingerprint": "052fd616cb5e3c03d9ff59d97ecc029670bac571e9aba7f251f46759682f4c51", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/dsa-web/src/hooks/useSystemConfig.ts", "duplicate_line": 342, "correlation_key": "fp|052fd616cb5e3c03d9ff59d97ecc029670bac571e9aba7f251f46759682f4c51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dsa-web/src/pages/SettingsPage.tsx"}, "region": {"startLine": 208}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 10849, "scanner": "repobility-web-presence", "fingerprint": "e778fa5cabe149194d25a3377bcf409dbfbb8e5d4a13164e6f8748151638b713", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|e778fa5cabe149194d25a3377bcf409dbfbb8e5d4a13164e6f8748151638b713"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "data_provider/akshare_fetcher.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 10824, "scanner": "repobility-docker", "fingerprint": "cfe6e830c6811a3358261227193ed1c7a16bf2acf8f55a550f8162c4dbf5f3ac", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cfe6e830c6811a3358261227193ed1c7a16bf2acf8f55a550f8162c4dbf5f3ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 10823, "scanner": "repobility-docker", "fingerprint": "4380b7621c239c330ef8a64aa2a6f2a20527529ba57e0bf94558df8339f05fb5", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4380b7621c239c330ef8a64aa2a6f2a20527529ba57e0bf94558df8339f05fb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 10822, "scanner": "repobility-docker", "fingerprint": "94091c54a8736fcce56690773802874774c07d260c8b0b87ee248239b7076850", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "analyzer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|94091c54a8736fcce56690773802874774c07d260c8b0b87ee248239b7076850"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 10821, "scanner": "repobility-docker", "fingerprint": "26870f43887147692baa0252806b02336ed3004f82d9cfad2e4226c19b58d175", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "analyzer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|26870f43887147692baa0252806b02336ed3004f82d9cfad2e4226c19b58d175"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 10820, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC009", "level": "note", "message": {"text": "Multiple AI-agent scaffold marker files are present"}, "properties": {"repobilityId": 10793, "scanner": "repobility-ai-code-hygiene", "fingerprint": "32459e18838866b083b985fd53ac32d4e825aa20af779d902253d8278f625dfb", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains several AI-agent scaffold marker files.", "evidence": {"markers": [".github/copilot-instructions.md", "AGENTS.md", "CLAUDE.md"], "rule_id": "AIC009", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|32459e18838866b083b985fd53ac32d4e825aa20af779d902253d8278f625dfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/copilot-instructions.md"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR001", "level": "none", "message": {"text": "[ERR001] Silent Exception Swallowing (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 10817, "scanner": "repobility-threat-engine", "fingerprint": "8a4bd872da419130753367ef5a61efa729f221dd8f26dbedd7003551d50a5f41", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8a4bd872da419130753367ef5a61efa729f221dd8f26dbedd7003551d50a5f41"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 10812, "scanner": "repobility-threat-engine", "fingerprint": "f78b05f3525efdc18a5d1983ba1263e47eaa8a772967c623a7aa23730bd5139a", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f78b05f3525efdc18a5d1983ba1263e47eaa8a772967c623a7aa23730bd5139a"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 10811, "scanner": "repobility-threat-engine", "fingerprint": "a2d784d47e9f9c819fbeadebfc422cd961eef860525d343fb61159f93d0a59ef", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|11|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dsa-web/src/utils/uuid.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 10810, "scanner": "repobility-threat-engine", "fingerprint": "63baab61343a0295c08a583d0eefe3ba5d57635250aba77c2017887ce7313b2b", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "random.randint(", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|src/stock_analyzer.py|842|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/stock_analyzer.py"}, "region": {"startLine": 842}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 10807, "scanner": "repobility-threat-engine", "fingerprint": "bb1317609c611da67332255eaf2b48f6672536205075bd2f15bfc8371e3028f9", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|bb1317609c611da67332255eaf2b48f6672536205075bd2f15bfc8371e3028f9"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 10806, "scanner": "repobility-threat-engine", "fingerprint": "e76f505da5e03e038ce8a7b6ae5a460c97ca2a198888a34dc3074264fab301a7", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.warning(\"\u98de\u4e66 APP_ID \u6216 APP_SECRET \u672a\u914d\u7f6e\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|src/notification.py|55|logger.warning app_id app_secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/notification.py"}, "region": {"startLine": 555}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 10805, "scanner": "repobility-threat-engine", "fingerprint": "f28b691d810adcdf9c818f7de6735f7914b78875407668abdcc80f49452884a3", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "print(\"Enter new admin password (will not echo)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|src/auth.py|46|print enter new admin password will not echo"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/auth.py"}, "region": {"startLine": 469}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 10847, "scanner": "repobility-journey-contract", "fingerprint": "c0be9a6a7a4c37fa1d1225ff238af24cf95fba399ac379ba32168c9fba044b77", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|175|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dsa-web/src/pages/LoginPage.tsx"}, "region": {"startLine": 175}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 10846, "scanner": "repobility-journey-contract", "fingerprint": "9f642e52251a029f95fea78de83318068cde00cce6dbce67590d126ee45a49dd", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|150|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dsa-web/src/components/settings/AuthSettingsCard.tsx"}, "region": {"startLine": 150}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 10813, "scanner": "repobility-threat-engine", "fingerprint": "c211bd34092813f2455f04f460b8fbc11191759a71f49ad48acc8cf203e833e2", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(request", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|436|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "data_provider/yfinance_fetcher.py"}, "region": {"startLine": 436}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 10808, "scanner": "repobility-threat-engine", "fingerprint": "3d367157a798c49e0fa5f93eb7cdc122f2e19eace717591632761caa846f88eb", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": "cursor.execute(f\"", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|src/storage.py|743|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/storage.py"}, "region": {"startLine": 743}}}]}]}]}