{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC011", "name": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted", "shortDescription": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "fullDescription": {"text": "Use torch.load(..., weights_only=True) or use safetensors format."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC014", "name": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.", "shortDescription": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "fullDescription": {"text": "Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "BINARY_RISK", "name": "[BINARY] scipy: compound risk score 2194 (CVEs: 0, binary findings: 550)", "shortDescription": {"text": "[BINARY] scipy: compound risk score 2194 (CVEs: 0, binary findings: 550)"}, "fullDescription": {"text": "Review binary security profile of scipy \u2014 consider alternatives with lower binary attack surface"}, "properties": {"scanner": "repobility-binary-intel", "category": "dependency", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.", "shortDescription": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "fullDescription": {"text": "Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 0.5, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/317"}, "properties": {"repository": "NVIDIA/garak", "repoUrl": "https://github.com/NVIDIA/garak", "branch": "main"}, "results": [{"ruleId": "SEC011", "level": "warning", "message": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "properties": {"repobilityId": 9982, "scanner": "repobility-threat-engine", "fingerprint": "c8917c75fb024122fe7054e4c0f0a1047c078f40b69306a4ae95cc7bb73b0b04", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "torch.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC011", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|142|sec011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "garak/resources/autodan/autodan.py"}, "region": {"startLine": 142}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 9981, "scanner": "repobility-threat-engine", "fingerprint": "35725db665bc8aa9c6991d138cf7938721359cdba2fae80fbda09688d8acf40b", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except:\n                    pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|35725db665bc8aa9c6991d138cf7938721359cdba2fae80fbda09688d8acf40b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "garak/evaluators/base.py"}, "region": {"startLine": 309}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 9980, "scanner": "repobility-threat-engine", "fingerprint": "c6d9bee2519657d87c5c26aad37d95cdd5d8cf1a4d0f5a16d3b4b27b1ad2efcc", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except:\n                pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c6d9bee2519657d87c5c26aad37d95cdd5d8cf1a4d0f5a16d3b4b27b1ad2efcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "garak/detectors/exploitation.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC014", "level": "warning", "message": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "properties": {"repobilityId": 9979, "scanner": "repobility-threat-engine", "fingerprint": "20b48925d1503f0629e7b38da7372470c212330330e0e496ee7b3f0df9e2d800", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "CERT_NONE", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC014", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|245|sec014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "garak/generators/websocket.py"}, "region": {"startLine": 245}}}]}, {"ruleId": "SEC014", "level": "warning", "message": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "properties": {"repobilityId": 9978, "scanner": "repobility-threat-engine", "fingerprint": "ee45b88278e17bc328b7d29f9c6923a1adb3f75619615826df9cb25dcd980b2e", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "CERT_NONE", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC014", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|garak/generators/rest.py|210|sec014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "garak/generators/rest.py"}, "region": {"startLine": 210}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9971, "scanner": "repobility-ai-code-hygiene", "fingerprint": "89a4fcfaf81f41c9c998eb5b62c5072e453433ef39be6b802a7ee221d4404654", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "garak/probes/atkgen.py", "duplicate_line": 220, "correlation_key": "fp|89a4fcfaf81f41c9c998eb5b62c5072e453433ef39be6b802a7ee221d4404654"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "garak/probes/fitd.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9970, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eefa8e838570c507788e01914e73832070deb6e1bd41ce194aca0e1d6e559633", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "garak/analyze/count_tokens.py", "duplicate_line": 56, "correlation_key": "fp|eefa8e838570c507788e01914e73832070deb6e1bd41ce194aca0e1d6e559633"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "garak/analyze/qual_review.py"}, "region": {"startLine": 160}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9969, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b6abc6e5b4472cf06eb5610bfeed33308f2025920cd535b98b76ad7786c53d29", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "garak/analyze/count_tokens.py", "duplicate_line": 56, "correlation_key": "fp|b6abc6e5b4472cf06eb5610bfeed33308f2025920cd535b98b76ad7786c53d29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "garak/analyze/get_tree.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9968, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6a3527730aff559f00943ab55d856e5078a72a264754fb0302459d2248e57361", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "garak-report/src/types/Module.ts", "duplicate_line": 3, "correlation_key": "fp|6a3527730aff559f00943ab55d856e5078a72a264754fb0302459d2248e57361"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "garak-report/src/types/ProbesChart.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9976, "scanner": "repobility-threat-engine", "fingerprint": "091b5f6a120d71532d4a7f63b56d67fa249749c541c26a1d63c81f9cb2d3da24", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "print(f\"\ud83d\udcdc reporting to {_config.transient.report_filename}\")", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|garak/cli.py|66|print f reporting to token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "garak/cli.py"}, "region": {"startLine": 662}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 9975, "scanner": "repobility-threat-engine", "fingerprint": "e130211b74a08d1080b6cb546902b3a4312c21821463e53d99ea67f635ba5c2b", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e130211b74a08d1080b6cb546902b3a4312c21821463e53d99ea67f635ba5c2b"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 9974, "scanner": "repobility-threat-engine", "fingerprint": "0f58f8467652f5f6b1f0ce70fc5adff6f589ddf5eacc5c4878213c4c4a8728f7", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "random.Random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|garak/generators/base.py|64|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "garak/generators/base.py"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 9973, "scanner": "repobility-threat-engine", "fingerprint": "bbfd100cc4abfc8a4e7ceba4d701a2600461345ee9c33864768139144a9caf2d", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "random.randint(", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|249|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "garak/langproviders/remote.py"}, "region": {"startLine": 249}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 9972, "scanner": "repobility-threat-engine", "fingerprint": "8907b6c59f12f58ba078d3d4fa5f3fd2a1a58c5c7b3f1aaae207eb3f94280cb2", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "random.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|garak/command.py|20|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "garak/command.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "BINARY_RISK", "level": "error", "message": {"text": "[BINARY] scipy: compound risk score 2194 (CVEs: 0, binary findings: 550)"}, "properties": {"repobilityId": 9985, "scanner": "repobility-binary-intel", "fingerprint": "66d313940bd23341553e486747b824b1ed1a9dc8e7b4a7c27c61a08d40d81d5b", "category": "dependency", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "BINARY_RISK", "scanner": "repobility-binary-intel", "correlation_key": "fp|66d313940bd23341553e486747b824b1ed1a9dc8e7b4a7c27c61a08d40d81d5b"}}}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 9984, "scanner": "repobility-threat-engine", "fingerprint": "cfb5c2e8b2de2f9c002d171ce9f0577817963a0f64cf34a3ce7210146c09ffbd", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|43|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/packagehallucination/ruby/main.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 9983, "scanner": "repobility-threat-engine", "fingerprint": "d771670069982a26a9928be4d5bf0f94e4754376e897aa612e8b8df01eb23241", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|45|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/packagehallucination/javascript/main.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 9977, "scanner": "repobility-threat-engine", "fingerprint": "708b881fbf807c4dfc1f47341607c6f2a8dbeeb6f017e0c77a38892aa873056a", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": "msg = f\"Update", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|garak/cli.py|563|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "garak/cli.py"}, "region": {"startLine": 563}}}]}]}]}