{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN005", "name": "Compliance or security claim is near a placeholder link", "shortDescription": {"text": "Compliance or security claim is near a placeholder link"}, "fullDescription": {"text": "Link trust claims to current evidence, downgrade unverifiable wording, and replace placeholder footer/legal/security links with real destinations."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC107", "name": "[SEC107] Weak TLS version requested (TLSv1.0, TLSv1.1, SSLv3, SSLv2): TLS 1.0 and 1.1 were deprecated by IETF in 2021 (R", "shortDescription": {"text": "[SEC107] Weak TLS version requested (TLSv1.0, TLSv1.1, SSLv3, SSLv2): TLS 1.0 and 1.1 were deprecated by IETF in 2021 (RFC 8996). Most browsers no longer support them. Code requesting these protocols is talking to an attacker-controllable d"}, "fullDescription": {"text": "Use TLSv1.2 minimum, TLSv1.3 preferred. Java: `SSLContext.getInstance(\"TLSv1.2\")`. Python: `ssl.PROTOCOL_TLS_CLIENT` + `MinimumVersion = TLSVersion.TLSv1_2`. Go: `MinVersion: tls.VersionTLS12`."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n  const u = new URL(serverUrl, location.href);\n  if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n  location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC005", "name": "Duplicate top-level symbol appears in a patch-style file", "shortDescription": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "fullDescription": {"text": "Keep one authoritative implementation, update imports to point at it, and remove or rename the duplicate symbol."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 21 more): Same pattern found in 21 additional files", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolve", "shortDescription": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 11 more): Same pattern found in 11 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED047", "name": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested.", "shortDescription": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED048", "name": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues.", "shortDescription": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[SEC084] JS: require() with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 9 more): Same pattern found in 9 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers (and 2 more): Same pattern found in 2 additional files. Review ", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 21 more): Same pattern found in 21 additional files. Review if nee", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 13 more): Same pattern found in 13 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED078", "name": "[MINED078] Eslint Disable File: /* eslint-disable */ at top disables all lint rules for the file.", "shortDescription": {"text": "[MINED078] Eslint Disable File: /* eslint-disable */ at top disables all lint rules for the file."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 12 more): Same pattern found in 12 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 81 more): Same pattern found in 81 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 81 more): Same pattern found in 81 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 69 more): Same pattern found in 69 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 69 more): Same pattern found in 69 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 40 more): Same pattern found in 40 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 142 more): Same pattern found in 142 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 142 more): Same pattern found in 142 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `packages/app-mobile/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `packag", "shortDescription": {"text": "[MINED134] Binary file `packages/app-mobile/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `packages/app-mobile/android/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,764 bytes) committed to a repo that otherw"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workfl", "shortDescription": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise ("}, "fullDescription": {"text": "Replace with: `uses: actions/setup-python@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `node:24-slim` not pinned by digest: `FROM node:24-slim` resolves the tag at build time. The ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `node:24-slim` not pinned by digest: `FROM node:24-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images shou"}, "fullDescription": {"text": "Replace with: `FROM node:24-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC035", "name": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based o", "shortDescription": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation."}, "fullDescription": {"text": "Cap user-controlled sizes BEFORE allocation:\n  size = min(int(request.args.get('n', 100)), MAX_SIZE)\nSet framework-level limits:\n  Flask:    app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024\n  FastAPI:  use middleware to enforce request size\n  Django:   DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py\nNever raise `sys.setrecursionlimit` past 10K without a deeper review."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED039", "name": "[MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path.", "shortDescription": {"text": "[MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED041", "name": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs.", "shortDescription": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/fi", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC116", "name": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrar", "shortDescription": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "fullDescription": {"text": "Use `YAML.safe_load(input, permitted_classes: [Date])` \u2014 explicit class allowlist. Never use `Marshal.load` on untrusted data; serialize as JSON instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC079", "name": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python obje", "shortDescription": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "fullDescription": {"text": "Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.", "shortDescription": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/921"}, "properties": {"repository": "laurent22/joplin", "repoUrl": "https://github.com/laurent22/joplin", "branch": "dev"}, "results": [{"ruleId": "JRN005", "level": "warning", "message": {"text": "Compliance or security claim is near a placeholder link"}, "properties": {"repobilityId": 86642, "scanner": "repobility-journey-contract", "fingerprint": "e48a56fe77f32883c5765757c505d45509b1eebfbcc67fd686f4ad6c29274ec6", "category": "quality", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Placeholder link appears near compliance/security claim text.", "evidence": {"rule_id": "JRN005", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "fp|e48a56fe77f32883c5765757c505d45509b1eebfbcc67fd686f4ad6c29274ec6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/EncryptionConfigScreen/EncryptionConfigScreen.tsx"}, "region": {"startLine": 228}}}]}, {"ruleId": "JRN005", "level": "warning", "message": {"text": "Compliance or security claim is near a placeholder link"}, "properties": {"repobilityId": 86641, "scanner": "repobility-journey-contract", "fingerprint": "be981f03daaf5fd9664baf7ce394e0420f8495f52a94172506f0d1cbbe1f1ee2", "category": "quality", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Placeholder link appears near compliance/security claim text.", "evidence": {"rule_id": "JRN005", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "fp|be981f03daaf5fd9664baf7ce394e0420f8495f52a94172506f0d1cbbe1f1ee2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/ConfigScreen/controls/MissingPasswordHelpLink.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 86634, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "packages/server/schema.sqlite", "size_mb": 0.4}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 86617, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9b99e328c47bfcad322da762bf695a8beacb0368083f1660f6434e599023c4dc", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "old", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "packages/server/src/models/ChangeModel/ChangeModel.ts", "correlation_key": "fp|9b99e328c47bfcad322da762bf695a8beacb0368083f1660f6434e599023c4dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/models/ChangeModel/ChangeModel.old.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 86616, "scanner": "repobility-ai-code-hygiene", "fingerprint": "65bb86ef0f717494102d4de8c6c0f991447d7c624e38d38b1b873c47f10e72b7", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "new", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "packages/server/src/models/ChangeModel/ChangeModel.ts", "correlation_key": "fp|65bb86ef0f717494102d4de8c6c0f991447d7c624e38d38b1b873c47f10e72b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/models/ChangeModel/ChangeModel.new.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 86612, "scanner": "repobility-threat-engine", "fingerprint": "87b3bb35905c95855c2df443c07362c814fc6a3ae556b0de588f79b68c49cf87", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|62|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/tools/website/utils/frontMatter.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 86584, "scanner": "repobility-threat-engine", "fingerprint": "b47ac29e3bf6751a04439491ea7dc068c911d91106418a8265aa65a6bfb14ec4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (error) {\n\t\treturn null;\n\t}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b47ac29e3bf6751a04439491ea7dc068c911d91106418a8265aa65a6bfb14ec4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-mobile/components/screens/onedrive-login.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC107", "level": "warning", "message": {"text": "[SEC107] Weak TLS version requested (TLSv1.0, TLSv1.1, SSLv3, SSLv2): TLS 1.0 and 1.1 were deprecated by IETF in 2021 (RFC 8996). Most browsers no longer support them. Code requesting these protocols is talking to an attacker-controllable downgrade target."}, "properties": {"repobilityId": 86575, "scanner": "repobility-threat-engine", "fingerprint": "a153f00f86688221f1c4b4c5b7e4ff1d23dcec40be32027e5630fb6421f89cfd", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "SSLContext.getInstance(\"SSL\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC107", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|31|sec107"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-mobile/android/app/src/main/java/net/cozic/joplin/ssl/SslUtils.java"}, "region": {"startLine": 31}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 86568, "scanner": "repobility-threat-engine", "fingerprint": "7e7116a319e89ec88a9ae10e9910812f173d906ad20224dc5ba0d8d120e443ea", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7e7116a319e89ec88a9ae10e9910812f173d906ad20224dc5ba0d8d120e443ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/turndown/src/html-parser.js"}, "region": {"startLine": 22}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 86567, "scanner": "repobility-threat-engine", "fingerprint": "af0214f9c75f45066951d33cdf79485524add51c391176e55d0f531315ddfde7", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(()=>{})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|af0214f9c75f45066951d33cdf79485524add51c391176e55d0f531315ddfde7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/integration-tests/models/NoteEditorScreen.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 86562, "scanner": "repobility-threat-engine", "fingerprint": "f7034191b454fa0315984848fe3d262430311500d036ecadb123a01b1aa5fabc", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "key: (Date.now() + Math.random", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|40|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/OneDriveLoginScreen.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 86535, "scanner": "repobility-threat-engine", "fingerprint": "426a52e93486300cf3d1edd094cced744a1f2e43dfb2f7a3b704f8e7a23e2804", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(url, '_blank')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|16|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-mobile/commands/util/showResource.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 86534, "scanner": "repobility-threat-engine", "fingerprint": "7e674ef93c8a532527eb780a171689a348dce74f325edfa9685f8b0e0e9a80ef", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open('about:blank')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|46|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/NewWindowOrIFrame.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 86532, "scanner": "repobility-threat-engine", "fingerprint": "c3134e674550fa8e6afccfa6935dc4b45da258105a85e365c91cc39f87f0a473", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "key: (Date.now() + Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c3134e674550fa8e6afccfa6935dc4b45da258105a85e365c91cc39f87f0a473"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/OneDriveLoginScreen.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 86531, "scanner": "repobility-threat-engine", "fingerprint": "4bf66a0459c22b51fdba51e2f29b3b54b0024d1f8af10b03f56fb046e03a9a14", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random())}.${fileExt}`;\n\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\tawait shim.fsDriv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4bf66a0459c22b51fdba51e2f29b3b54b0024d1f8af10b03f56fb046e03a9a14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/NoteEditor/utils/resourceHandling.ts"}, "region": {"startLine": 214}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 86530, "scanner": "repobility-threat-engine", "fingerprint": "98a5cb7be11d790074027b91f14bc849164bdfbff2205f8ecde61007f48790ee", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * 10000000)}`);\n\tconst globalKeydownHandlersRef = useRef(globalKey", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|98a5cb7be11d790074027b91f14bc849164bdfbff2205f8ecde61007f48790ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/DialogButtonRow/useKeyboardHandler.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 86523, "scanner": "repobility-threat-engine", "fingerprint": "e018dca5e2f166afa47aa99a0870a9c89998026d87dfb532e44c846afb2d70ca", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.7 bits) \u2014 may be placeholder or common string", "evidence": {"match": "password=\"<redacted>}\"", "reason": "Low entropy value (3.7 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|9|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/sign.js"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 86522, "scanner": "repobility-threat-engine", "fingerprint": "d448000d8caf7363defa4ef1f212d2d81d41f7d17d2db1cc269c3ff813d5b476", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.2 bits) \u2014 may be placeholder or common string", "evidence": {"match": "Password = '<redacted>'", "reason": "Low entropy value (3.2 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|1|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/app.reducer.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 86521, "scanner": "repobility-threat-engine", "fingerprint": "9eeef6f1ba23c51e5803cb82cfeac0bd2c4ff40bec0210ae571f881baac95900", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (-0.0 bits) \u2014 may be placeholder or common string", "evidence": {"match": "Password = '<redacted>'", "reason": "Low entropy value (-0.0 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|4|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-cli/tools/populateDatabase.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030."}, "properties": {"repobilityId": 86506, "scanner": "repobility-threat-engine", "fingerprint": "3336c5f52d21fe88b7bfc86a1b2aa0f7d74d21a97561c740d3df6fc5afcc37d1", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = getLocalePath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3336c5f52d21fe88b7bfc86a1b2aa0f7d74d21a97561c740d3df6fc5afcc37d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Assets/WebsiteAssets/js/script.js"}, "region": {"startLine": 160}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 86504, "scanner": "repobility-threat-engine", "fingerprint": "bbe3359c59bc44f98d74ec2ccafb2c65d65beb15ffecc656293a015af7262790", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|27|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/NoteEditor/NoteBody/CodeMirror/utils/useEditorSearchExtension.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 86503, "scanner": "repobility-threat-engine", "fingerprint": "99a83cbc0e4cf19e8e35e74d3516b712f3ee9f202c5cdb39cbea546139ec083c", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|110|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-cli/app/command-testing.ts"}, "region": {"startLine": 110}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 86502, "scanner": "repobility-threat-engine", "fingerprint": "1f022b4dadf293cd392a54807a388ef56a37b967e521bf336c7bddc12d5c0135", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|62|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Assets/TinyMCE/JoplinLists/src/main/ts/ui/Buttons.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 86639, "scanner": "repobility-docker", "fingerprint": "735abb0ba2c90555200e577ee5316b4815081cf304ccd53b4557829cae5289d9", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|735abb0ba2c90555200e577ee5316b4815081cf304ccd53b4557829cae5289d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.transcribe.gpu"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 86637, "scanner": "repobility-docker", "fingerprint": "3a13e812b5d9bcdaf6ded0335d129ba4a835ea29bc8b4a97976c5ee83e6d1be8", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3a13e812b5d9bcdaf6ded0335d129ba4a835ea29bc8b4a97976c5ee83e6d1be8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.transcribe"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 86636, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 86635, "scanner": "repobility-docker", "fingerprint": "67f6f13cfe8f7423bf57e5788593ed9417641445178180da11a69fbf582818ae", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|67f6f13cfe8f7423bf57e5788593ed9417641445178180da11a69fbf582818ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.server"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC005", "level": "note", "message": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "properties": {"repobilityId": 86633, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bb0575d0307e8c55023b432d3280ded7cf578bd1753ef8c9e1e1fb73be8dc14c", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Patch-style file defines a top-level symbol also defined in another source file.", "evidence": {"symbol": "ChangeModel", "rule_id": "AIC005", "scanner": "repobility-ai-code-hygiene", "references": ["https://github.com/jendrikseipp/vulture", "https://knip.dev/"], "duplicate_file": "packages/server/src/models/ChangeModel/ChangeModel.old.ts", "correlation_key": "fp|bb0575d0307e8c55023b432d3280ded7cf578bd1753ef8c9e1e1fb73be8dc14c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/models/ChangeModel/ChangeModel.new.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86632, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e2f70a0ef8debe9bd6e8ff366fac95a0c6a4125dd90280974b391728d4fc5910", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app-desktop/gui/DropboxLoginScreen.tsx", "duplicate_line": 51, "correlation_key": "fp|e2f70a0ef8debe9bd6e8ff366fac95a0c6a4125dd90280974b391728d4fc5910"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/OneDriveLoginScreen.tsx"}, "region": {"startLine": 71}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86631, "scanner": "repobility-ai-code-hygiene", "fingerprint": "102f89034518ae60b3935b4a21efe978d9986dbbd982c4a4dab0385e53c829b5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/app-desktop/gui/NoteEditor/NoteBody/CodeMirror/v5/CodeMirror.tsx", "duplicate_line": 495, "correlation_key": "fp|102f89034518ae60b3935b4a21efe978d9986dbbd982c4a4dab0385e53c829b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/NoteEditor/NoteBody/CodeMirror/v6/CodeMirror.tsx"}, "region": {"startLine": 154}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86630, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8ffcf3504e1beabeb772d6be3c7f3a262046089ca725d6cc2b52b5a6b0dc0168", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Assets/TinyMCE/langs/tr.js", "duplicate_line": 2, "correlation_key": "fp|8ffcf3504e1beabeb772d6be3c7f3a262046089ca725d6cc2b52b5a6b0dc0168"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Assets/TinyMCE/langs/tr_TR.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86629, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c7e12782ad4a80d31c131774fa847ef0229d2d1ede2f4737885e0b637c44c7d2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Assets/TinyMCE/langs/ta.js", "duplicate_line": 2, "correlation_key": "fp|c7e12782ad4a80d31c131774fa847ef0229d2d1ede2f4737885e0b637c44c7d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Assets/TinyMCE/langs/ta_IN.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86628, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b13751455701439e6980a07f8ba95d1cf60fa66ff904c9b063970d75972fa31a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Assets/TinyMCE/langs/sl.js", "duplicate_line": 2, "correlation_key": "fp|b13751455701439e6980a07f8ba95d1cf60fa66ff904c9b063970d75972fa31a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Assets/TinyMCE/langs/sl_SI.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86627, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2590baf1fd92655aa52fce10f488b8480519dc401c89cdd63c5c78e42a200545", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Assets/TinyMCE/langs/gl.js", "duplicate_line": 97, "correlation_key": "fp|2590baf1fd92655aa52fce10f488b8480519dc401c89cdd63c5c78e42a200545"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Assets/TinyMCE/langs/sk.js"}, "region": {"startLine": 97}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86626, "scanner": "repobility-ai-code-hygiene", "fingerprint": "12c31dc7df54809c271e481aad0c966887b607a467ac4b8623cd6be5659bf4bc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Assets/TinyMCE/langs/ro.js", "duplicate_line": 2, "correlation_key": "fp|12c31dc7df54809c271e481aad0c966887b607a467ac4b8623cd6be5659bf4bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Assets/TinyMCE/langs/ro_RO.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86625, "scanner": "repobility-ai-code-hygiene", "fingerprint": "94ae6baf8408e17a09968eafaa314f153b45fbec3752be4a8f2348ad9ff7f2a3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Assets/TinyMCE/langs/pt_BR.js", "duplicate_line": 30, "correlation_key": "fp|94ae6baf8408e17a09968eafaa314f153b45fbec3752be4a8f2348ad9ff7f2a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Assets/TinyMCE/langs/pt_PT.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86624, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fcfc2b0f6edb4213d2191b45908c570ad5e5955718204a5b2987c1e3a1df621d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Assets/TinyMCE/langs/da.js", "duplicate_line": 30, "correlation_key": "fp|fcfc2b0f6edb4213d2191b45908c570ad5e5955718204a5b2987c1e3a1df621d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Assets/TinyMCE/langs/nb_NO.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86623, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ce5ceb5dc4b9b61cb9fd96e2206e810cea50f18bb33497a3a8c2b3fb7a14020a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Assets/TinyMCE/langs/it.js", "duplicate_line": 2, "correlation_key": "fp|ce5ceb5dc4b9b61cb9fd96e2206e810cea50f18bb33497a3a8c2b3fb7a14020a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Assets/TinyMCE/langs/it_IT.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86622, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f7852772be6518cb364788452b078e68b1bbd495271f54cd24f7c8f51c72e880", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Assets/TinyMCE/langs/gl.js", "duplicate_line": 97, "correlation_key": "fp|f7852772be6518cb364788452b078e68b1bbd495271f54cd24f7c8f51c72e880"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Assets/TinyMCE/langs/hr.js"}, "region": {"startLine": 97}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86621, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a68373dbbda9efe3c3f1f2c2c912ab14a830dc2bfe8c04d5de9cd62aaf660fce", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Assets/TinyMCE/langs/fa.js", "duplicate_line": 129, "correlation_key": "fp|a68373dbbda9efe3c3f1f2c2c912ab14a830dc2bfe8c04d5de9cd62aaf660fce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Assets/TinyMCE/langs/gl.js"}, "region": {"startLine": 129}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86620, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a4001a735a81724e4c2046136c6f77464dae50a924bc519d4ec877efa0b21430", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Assets/TinyMCE/langs/fa.js", "duplicate_line": 2, "correlation_key": "fp|a4001a735a81724e4c2046136c6f77464dae50a924bc519d4ec877efa0b21430"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Assets/TinyMCE/langs/fa_IR.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86619, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6fea0eacef91da3b689a3d37b6290fbe464a0666081e9d3ef0b5be541156ff61", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Assets/TinyMCE/langs/es.js", "duplicate_line": 361, "correlation_key": "fp|6fea0eacef91da3b689a3d37b6290fbe464a0666081e9d3ef0b5be541156ff61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Assets/TinyMCE/langs/es_MX.js"}, "region": {"startLine": 361}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86618, "scanner": "repobility-ai-code-hygiene", "fingerprint": "95d4c468452b22318be1d540e72427f6f422448a200446741e9cec94b9474f10", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Assets/TinyMCE/langs/es.js", "duplicate_line": 2, "correlation_key": "fp|95d4c468452b22318be1d540e72427f6f422448a200446741e9cec94b9474f10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Assets/TinyMCE/langs/es_ES.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 86580, "scanner": "repobility-threat-engine", "fingerprint": "044904fbfa7074df2d3796eff282dad22c12dc97bd4516db54a4fa474057c4b9", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\" INTEGER PRIMARY KEY AUTOINCREMENT, \"\n            + COL_DATA + \" TEXT, \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|044904fbfa7074df2d3796eff282dad22c12dc97bd4516db54a4fa474057c4b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-alarm-notification/android/src/main/java/com/emekalites/react/alarm/notification/AlarmDatabase.java"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 86579, "scanner": "repobility-threat-engine", "fingerprint": "1af77c29ddb1b140b34ba3d659b92f107e8c621bf4495f74b75cc63465f0166c", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\" in file://\" + source + \", line \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1af77c29ddb1b140b34ba3d659b92f107e8c621bf4495f74b75cc63465f0166c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-mobile/components/NoteEditor/RichTextEditor.tsx"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 86578, "scanner": "repobility-threat-engine", "fingerprint": "42c366bee473fc63d6e1f6c98532d8fe64e01c81edf880f84d0bcbcd0557b7a8", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\" in file://\" + source + \", line \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|42c366bee473fc63d6e1f6c98532d8fe64e01c81edf880f84d0bcbcd0557b7a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-mobile/components/NoteEditor/MarkdownEditor.tsx"}, "region": {"startLine": 140}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 86550, "scanner": "repobility-threat-engine", "fingerprint": "141c7ba0605a14f32b635be15afbcf0400b0de9bd98eea1f8ebf455a3a7bfaed", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = n", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|69|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/NoteListItem/utils/useItemElement.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 86549, "scanner": "repobility-threat-engine", "fingerprint": "b81a3aaf6b5b0c769d2b1488a1ba2697d413c27b4203eea4f500f4c5904f903f", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = h", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|56|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/NoteEditor/utils/clipboardUtils.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 86548, "scanner": "repobility-threat-engine", "fingerprint": "871f48aaba4dcaf7996df454be81a95d516cd95d3852e1837e4699e07d031106", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = h", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|78|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/NoteEditor/NoteBody/TinyMCE/utils/useEditDialog.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 86610, "scanner": "repobility-threat-engine", "fingerprint": "87a9d3ef4d635a092ba6433919928229ecf97ea50766f6aab1b0f6990bd9b31b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|87a9d3ef4d635a092ba6433919928229ecf97ea50766f6aab1b0f6990bd9b31b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/tools/release-website.sh"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC135", "level": "none", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "properties": {"repobilityId": 86608, "scanner": "repobility-threat-engine", "fingerprint": "515ce8f34190c372bacad0228e354d50ffa84385c6d25d59f60ba89b5f04eae7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 21 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 21 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|515ce8f34190c372bacad0228e354d50ffa84385c6d25d59f60ba89b5f04eae7"}}}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 86604, "scanner": "repobility-threat-engine", "fingerprint": "afb345216619516b8956a22f95f94cb6d34563ea8c8bc16dd3e6643f7c033af5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|afb345216619516b8956a22f95f94cb6d34563ea8c8bc16dd3e6643f7c033af5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/onenote-converter/parser/src/local_onestore/objects/global_id_table.rs"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 86602, "scanner": "repobility-threat-engine", "fingerprint": "27821e687fbef96b730708a0d99a3059143f0f1e8da2cdb6a2a5ac5496fb2878", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|27821e687fbef96b730708a0d99a3059143f0f1e8da2cdb6a2a5ac5496fb2878", "aggregated_count": 11}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 86598, "scanner": "repobility-threat-engine", "fingerprint": "3df4dbeb8db9c5515bf21121952f7f4896887500c54df47190eaf62bc529eb73", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3df4dbeb8db9c5515bf21121952f7f4896887500c54df47190eaf62bc529eb73", "aggregated_count": 1}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 86597, "scanner": "repobility-threat-engine", "fingerprint": "a6cf1ab2e7aeb7bf97495b5f7de0195ace4e3275f48c2f581b2386896ef9067f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a6cf1ab2e7aeb7bf97495b5f7de0195ace4e3275f48c2f581b2386896ef9067f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/onenote-converter/parser/src/shared/compact_u64.rs"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 86596, "scanner": "repobility-threat-engine", "fingerprint": "809e210741bbdb2cd3a06c981c5953bd09a56a656a84ea1241e70216a65fa4b8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|809e210741bbdb2cd3a06c981c5953bd09a56a656a84ea1241e70216a65fa4b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/onenote-converter/parser/src/local_onestore/one_store_file.rs"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 86595, "scanner": "repobility-threat-engine", "fingerprint": "a93772c68824124dd0a857daa682afb51995ac337cbdf828500d7acb3a338061", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a93772c68824124dd0a857daa682afb51995ac337cbdf828500d7acb3a338061"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/onenote-converter/parser-macros/src/lib.rs"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 86594, "scanner": "repobility-threat-engine", "fingerprint": "de1cf28d4be567d72467a52ca8f61ae74a513a6bf554777cbd3163722b68f760", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|de1cf28d4be567d72467a52ca8f61ae74a513a6bf554777cbd3163722b68f760", "aggregated_count": 3}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 86593, "scanner": "repobility-threat-engine", "fingerprint": "7df6993f1a7d457bd72b2df2a1d7ceafe1754f3400b6ce54a22a627f0bd83f25", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7df6993f1a7d457bd72b2df2a1d7ceafe1754f3400b6ce54a22a627f0bd83f25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/onenote-converter/parser/src/shared/compact_u64.rs"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 86592, "scanner": "repobility-threat-engine", "fingerprint": "736ef45af04480929e2cf5faa570a49e1d0b972b7fc549cec3a4560512a8ff33", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|736ef45af04480929e2cf5faa570a49e1d0b972b7fc549cec3a4560512a8ff33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/onenote-converter/parser/src/onenote/mod.rs"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 86591, "scanner": "repobility-threat-engine", "fingerprint": "45171b9dcd13ad24ca1db0e91f7d90855444527d89ab4b69c93206ae7dc69654", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|45171b9dcd13ad24ca1db0e91f7d90855444527d89ab4b69c93206ae7dc69654"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/onenote-converter/parser-macros/src/lib.rs"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 86589, "scanner": "repobility-threat-engine", "fingerprint": "175e39e133566f4f5e137b284217d4fa3787010637fc3960724123d5256a7700", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|175e39e133566f4f5e137b284217d4fa3787010637fc3960724123d5256a7700"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/renderer/stringUtils.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 86588, "scanner": "repobility-threat-engine", "fingerprint": "88dfa46adc4fc20e2a3434062092e88a39e5188e94319bb20d7282880f1e38b3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|88dfa46adc4fc20e2a3434062092e88a39e5188e94319bb20d7282880f1e38b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-mobile/utils/fs-driver/runOnDeviceTests.ts"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 86587, "scanner": "repobility-threat-engine", "fingerprint": "3e171e20899c61a1709490098791e4a17d179952f197d7694bb749cbe993f4dd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3e171e20899c61a1709490098791e4a17d179952f197d7694bb749cbe993f4dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-mobile/ios/ShareExtension/Source/ShareExtension/ShareViewController.m"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 86586, "scanner": "repobility-threat-engine", "fingerprint": "66df92fd85ac83d618c8be4d3d9edc6ab6888c41b2d3eae1e94e9a7b443f7238", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|66df92fd85ac83d618c8be4d3d9edc6ab6888c41b2d3eae1e94e9a7b443f7238"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-mobile/ios/ShareExtension/Source/RNShareExtension/ShareExtension.m"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 86585, "scanner": "repobility-threat-engine", "fingerprint": "389ca97807366f953472432d52ebcfb672cc15116e44b3f9adebb7a169eef1aa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|389ca97807366f953472432d52ebcfb672cc15116e44b3f9adebb7a169eef1aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-mobile/contentScripts/markdownEditorBundle/useWebViewSetup.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 86581, "scanner": "repobility-threat-engine", "fingerprint": "802362717bb8b9596309b60635fbb04d345013c3d2defa44f95ace1b246cb77c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|802362717bb8b9596309b60635fbb04d345013c3d2defa44f95ace1b246cb77c"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 86574, "scanner": "repobility-threat-engine", "fingerprint": "794aef1cc5fcc910c18f4694aa168e2b097f7fb6ba65f1c48225772bc669e8da", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "Logger.create('index/password')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|1|logger.create index/password"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/index/password.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 86573, "scanner": "repobility-threat-engine", "fingerprint": "92af53642fbd0dd151683575df9581e9c9b9bf32fc07ff008c46637e1ef15cc2", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "console.info(`Either not running in CI or not processing a desktop app tag - skipping notarization.", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|2|console.info either not running in ci or not processing a desktop app tag - skipping notarization."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/tools/notarizeMacApp.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 86572, "scanner": "repobility-threat-engine", "fingerprint": "1f1f0cb9bb9ab7a35434597313d091cfb73f68684734a7b6d0ca82ece06b2e8e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1f1f0cb9bb9ab7a35434597313d091cfb73f68684734a7b6d0ca82ece06b2e8e"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 86566, "scanner": "repobility-threat-engine", "fingerprint": "4e858a56c34b65b0912e3fe629971d6d32fcda68cee02eb1f3bab34175679dd4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4e858a56c34b65b0912e3fe629971d6d32fcda68cee02eb1f3bab34175679dd4"}}}, {"ruleId": "SEC027", "level": "none", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 86561, "scanner": "repobility-threat-engine", "fingerprint": "5f7987a2e7971da1158aa9d4149d6959382c195d117510a9599009b82ae8aa9c", "category": "xxe", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5f7987a2e7971da1158aa9d4149d6959382c195d117510a9599009b82ae8aa9c"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 86557, "scanner": "repobility-threat-engine", "fingerprint": "6d638efea05789caff597b5fe788564ae810a6add52e01af7c7e66ad58581866", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6d638efea05789caff597b5fe788564ae810a6add52e01af7c7e66ad58581866", "aggregated_count": 3}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 86556, "scanner": "repobility-threat-engine", "fingerprint": "b8d6071b779fb98c829aaf0523f171fcfdfce9cdc189b5c973ff280e770f8556", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b8d6071b779fb98c829aaf0523f171fcfdfce9cdc189b5c973ff280e770f8556"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/ResourceScreen.tsx"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 86555, "scanner": "repobility-threat-engine", "fingerprint": "e370edd6c58fba3dda6cbed0ba1d8c89f93e56e7b9784c50f631d2b505507ea2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e370edd6c58fba3dda6cbed0ba1d8c89f93e56e7b9784c50f631d2b505507ea2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/ProfileEditor.tsx"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 86554, "scanner": "repobility-threat-engine", "fingerprint": "06968a2baa089b943becc67cfbbac4fb1a5807ff61daae4fc45cf57467a063de", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|06968a2baa089b943becc67cfbbac4fb1a5807ff61daae4fc45cf57467a063de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/NoteEditor/WarningBanner/WarningBanner.tsx"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 86553, "scanner": "repobility-threat-engine", "fingerprint": "4cd573a3afdf34e9d657db96c1c9335027776b51383b317206d422d4cf7393d3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4cd573a3afdf34e9d657db96c1c9335027776b51383b317206d422d4cf7393d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/NoteEditor/NoteBody/WhiteboardEditor/nodes/TextNode.tsx"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 86552, "scanner": "repobility-threat-engine", "fingerprint": "20927070ef23c2636041dfe1bfa27f694a13e0c1e9008c771be60d8d9c788b8d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|20927070ef23c2636041dfe1bfa27f694a13e0c1e9008c771be60d8d9c788b8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/NoteEditor/NoteBody/WhiteboardEditor/nodes/FileNode.tsx"}, "region": {"startLine": 180}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 86551, "scanner": "repobility-threat-engine", "fingerprint": "8ee200be9cf52fbf51817588dba3eaf54f0d07f928eb29d9f45b55c0c661c51d", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8ee200be9cf52fbf51817588dba3eaf54f0d07f928eb29d9f45b55c0c661c51d"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 86547, "scanner": "repobility-threat-engine", "fingerprint": "cd0c8e85bd308a46f755f44bc6ab20955e3c28a1f9d626cb3a3bf09c3b5d92c7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|cd0c8e85bd308a46f755f44bc6ab20955e3c28a1f9d626cb3a3bf09c3b5d92c7", "aggregated_count": 5}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 86546, "scanner": "repobility-threat-engine", "fingerprint": "bcdc54e509c9917a86c72f79c9412d51fed469aa06120a19a53a0e04999d781e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bcdc54e509c9917a86c72f79c9412d51fed469aa06120a19a53a0e04999d781e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-mobile/components/ExtendedWebView/index.tsx"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 86545, "scanner": "repobility-threat-engine", "fingerprint": "3a200e6f7287c44c68564573bf1e5f33cca27f4e4a68774876e46e1c0681298e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3a200e6f7287c44c68564573bf1e5f33cca27f4e4a68774876e46e1c0681298e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/runForTesting.sh"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 86544, "scanner": "repobility-threat-engine", "fingerprint": "10eeebbe28d20df9a78f73c112f7ae7324e0e822c1fcf95aaaf11980a77aa3b4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|10eeebbe28d20df9a78f73c112f7ae7324e0e822c1fcf95aaaf11980a77aa3b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/NoteEditor/NoteBody/TinyMCE/icons.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "properties": {"repobilityId": 86543, "scanner": "repobility-threat-engine", "fingerprint": "99641ac9328a30a8806e5d6f5d1ddb775940cdf7306811ce227b7b4ebed57f7c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 21 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 21 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|99641ac9328a30a8806e5d6f5d1ddb775940cdf7306811ce227b7b4ebed57f7c"}}}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 86539, "scanner": "repobility-threat-engine", "fingerprint": "9f5b2a516bc52c0d8a94afd29d523bd05f3bd6054367044673e93db015d82ba3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9f5b2a516bc52c0d8a94afd29d523bd05f3bd6054367044673e93db015d82ba3"}}}, {"ruleId": "SEC087", "level": "none", "message": {"text": "[SEC087] JS: weak Math.random for crypto (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 86533, "scanner": "repobility-threat-engine", "fingerprint": "f9e43c52f854068117e8bde7e90b7e258a8a837f5852a860af38ea90ebef014f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f9e43c52f854068117e8bde7e90b7e258a8a837f5852a860af38ea90ebef014f"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 86529, "scanner": "repobility-threat-engine", "fingerprint": "4c8764b5b26e37415a284cc3a005af3288cf252e855ab51befa2ed42c04aeec8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4c8764b5b26e37415a284cc3a005af3288cf252e855ab51befa2ed42c04aeec8", "aggregated_count": 13}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 86528, "scanner": "repobility-threat-engine", "fingerprint": "7753fc522b15e16da017f49f1a87f796031fd2f0308b28e71edf9a03dbac597f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7753fc522b15e16da017f49f1a87f796031fd2f0308b28e71edf9a03dbac597f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/WindowCommandsAndDialogs/commands/showSpellCheckerMenu.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 86527, "scanner": "repobility-threat-engine", "fingerprint": "278bb6effda9f1c93ff0bcc431816fbb11170e2bcb2b93a2a70f7f4b6f54f8ee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|278bb6effda9f1c93ff0bcc431816fbb11170e2bcb2b93a2a70f7f4b6f54f8ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/EditFolderDialog/IconSelector.tsx"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 86526, "scanner": "repobility-threat-engine", "fingerprint": "23c1417ab266a5e94d5aeea034610980e932734be5d8c03bc16aa39150a62e14", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|23c1417ab266a5e94d5aeea034610980e932734be5d8c03bc16aa39150a62e14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/InteropServiceHelper.ts"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED078", "level": "none", "message": {"text": "[MINED078] Eslint Disable File: /* eslint-disable */ at top disables all lint rules for the file."}, "properties": {"repobilityId": 86525, "scanner": "repobility-threat-engine", "fingerprint": "40f05f12dc1cd676786491a5c9e326bf062675ead5bafb3a008ef48f05dc944c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "eslint-disable-file", "owasp": null, "cwe_ids": [], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348118+00:00", "triaged_in_corpus": 12, "observations_count": 7287, "ai_coder_pattern_id": 101}, "scanner": "repobility-threat-engine", "correlation_key": "fp|40f05f12dc1cd676786491a5c9e326bf062675ead5bafb3a008ef48f05dc944c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-clipper/popup/postinstall.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 86524, "scanner": "repobility-threat-engine", "fingerprint": "82ea2fc1d3decdb32b747a07b3079adfb59f77b8f2f94223231300665b2c2712", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|82ea2fc1d3decdb32b747a07b3079adfb59f77b8f2f94223231300665b2c2712"}}}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 86520, "scanner": "repobility-threat-engine", "fingerprint": "b76aba28877d6ca27729ae20a3127a9d43b836bba1fc2bea6f41c13c71aff5b3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b76aba28877d6ca27729ae20a3127a9d43b836bba1fc2bea6f41c13c71aff5b3", "aggregated_count": 12}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 81 more): Same pattern found in 81 additional files. Review if needed."}, "properties": {"repobilityId": 86516, "scanner": "repobility-threat-engine", "fingerprint": "44f35080c6d4b75b7db038e29e8ee547b332f291bb11cdabdd8d7f78457aad01", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 81 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 81 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|44f35080c6d4b75b7db038e29e8ee547b332f291bb11cdabdd8d7f78457aad01"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 69 more): Same pattern found in 69 additional files. Review if needed."}, "properties": {"repobilityId": 86512, "scanner": "repobility-threat-engine", "fingerprint": "4b9169cbd19b10ea10713ac63aca34925ba060f558d8ba6836e9f83720df2069", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 69 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4b9169cbd19b10ea10713ac63aca34925ba060f558d8ba6836e9f83720df2069", "aggregated_count": 69}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 86511, "scanner": "repobility-threat-engine", "fingerprint": "fc13341996996e3790c3b5af176a2f15018d6129ee478c0f45dafc1e595bbfcb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fc13341996996e3790c3b5af176a2f15018d6129ee478c0f45dafc1e595bbfcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-cli/app/command-sync.ts"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 86510, "scanner": "repobility-threat-engine", "fingerprint": "be9c18f83e023e3ee0aee864a78a216c8f7bc3d5d5988586c0af9ed6c8b22e38", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|be9c18f83e023e3ee0aee864a78a216c8f7bc3d5d5988586c0af9ed6c8b22e38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-cli/app/command-e2ee.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 86509, "scanner": "repobility-threat-engine", "fingerprint": "c69970d5b2f1d325eaa6ccf423e7f0b4556c0ca2994b845fb62cfce6b5ec7e06", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c69970d5b2f1d325eaa6ccf423e7f0b4556c0ca2994b845fb62cfce6b5ec7e06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-cli/app/cli-utils.ts"}, "region": {"startLine": 198}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 86508, "scanner": "repobility-threat-engine", "fingerprint": "a0f2e8f6bf56948e44e71078ff7e072ec1544293375fca83691066b82547b009", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a0f2e8f6bf56948e44e71078ff7e072ec1544293375fca83691066b82547b009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-mobile/jest.setup.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 86507, "scanner": "repobility-threat-engine", "fingerprint": "2f2ed80628b8922fe2932c57ad82164ca8f07d94897516e81a726cfc3fda19cb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2f2ed80628b8922fe2932c57ad82164ca8f07d94897516e81a726cfc3fda19cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Assets/WebsiteAssets/js/script.js"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "properties": {"repobilityId": 86505, "scanner": "repobility-threat-engine", "fingerprint": "ba89edbfbc62838876a8f449dddf3598b0d3fd16d59fb2a0927371c3c661bcd9", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 24 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 24 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ba89edbfbc62838876a8f449dddf3598b0d3fd16d59fb2a0927371c3c661bcd9"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "properties": {"repobilityId": 86501, "scanner": "repobility-threat-engine", "fingerprint": "aceda8aeddb5ae73d439d467ff01f5522e658b3b9a20f7dea022c10ed6c794b0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 40 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|aceda8aeddb5ae73d439d467ff01f5522e658b3b9a20f7dea022c10ed6c794b0", "aggregated_count": 40}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 86500, "scanner": "repobility-threat-engine", "fingerprint": "f9404300463049142c0bf61ecf3db5146c1dbbd397b52e6f1c3f83ff23151dc9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f9404300463049142c0bf61ecf3db5146c1dbbd397b52e6f1c3f83ff23151dc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-cli/app/base-command.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 86499, "scanner": "repobility-threat-engine", "fingerprint": "41b62726a54ca3a4ef0787d490a4441aa677f48cb08dd272aff9b1c8e0754fe9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|41b62726a54ca3a4ef0787d490a4441aa677f48cb08dd272aff9b1c8e0754fe9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Assets/TinyMCE/JoplinLists/src/main/ts/ui/Buttons.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 86498, "scanner": "repobility-threat-engine", "fingerprint": "1f70744f9ae466daf30b7a963d420eb13be06aabc62be70a2d0332fffa771264", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1f70744f9ae466daf30b7a963d420eb13be06aabc62be70a2d0332fffa771264"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Assets/TinyMCE/JoplinLists/src/main/ts/actions/ToggleList.ts"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 142 more): Same pattern found in 142 additional files. Review if needed."}, "properties": {"repobilityId": 86497, "scanner": "repobility-threat-engine", "fingerprint": "1d27ad4daebe9f47ba6c0188b150578307d79a1c29147394078c27060f57542f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 142 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1d27ad4daebe9f47ba6c0188b150578307d79a1c29147394078c27060f57542f", "aggregated_count": 142}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 86496, "scanner": "repobility-threat-engine", "fingerprint": "9ad53fe914c9792350be5a714a2e87117b082f19a59fa16286e6beb6e1a26330", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9ad53fe914c9792350be5a714a2e87117b082f19a59fa16286e6beb6e1a26330"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-cli/app/build-doc.js"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 86495, "scanner": "repobility-threat-engine", "fingerprint": "c4523fa9ad8712933fba58b4603c2e35ac615202965c0e0f93d4fc8148997524", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c4523fa9ad8712933fba58b4603c2e35ac615202965c0e0f93d4fc8148997524"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Assets/WebsiteAssets/js/script.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 86494, "scanner": "repobility-threat-engine", "fingerprint": "8c327ecbbdbaca9146968b86d3b2f91c44024161cc2358eb66ac830bfc9f4af5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8c327ecbbdbaca9146968b86d3b2f91c44024161cc2358eb66ac830bfc9f4af5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Assets/TinyMCE/IconPack/postinstall.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `packages/app-mobile/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `packages/app-mobile/android/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,764 bytes) committed to a repo that otherwise has 3080 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 86673, "scanner": "repobility-supply-chain", "fingerprint": "41e0ae82c906262135780d7e8be352258b8e569c2f2e7d7405cae0d133dcd6b2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|41e0ae82c906262135780d7e8be352258b8e569c2f2e7d7405cae0d133dcd6b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-mobile/android/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `packages/tools/PortableAppsLauncher/JoplinPortable.exe` committed in source repo: `packages/tools/PortableAppsLauncher/JoplinPortable.exe` is a .exe binary (164,948 bytes) committed to a repo that otherwise has 3080 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 86672, "scanner": "repobility-supply-chain", "fingerprint": "d950bbc4e7815c5b4908bdc369604974b1e737f8540ac09a3ab337f4175d1571", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d950bbc4e7815c5b4908bdc369604974b1e737f8540ac09a3ab337f4175d1571"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/tools/PortableAppsLauncher/JoplinPortable.exe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `packages/react-native-saf-x/android/wrapper/gradle-wrapper.jar` committed in source repo: `packages/react-native-saf-x/android/wrapper/gradle-wrapper.jar` is a .jar binary (59,203 bytes) committed to a repo that otherwise has 3080 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 86671, "scanner": "repobility-supply-chain", "fingerprint": "95514abbd50f7ba17c4006ae44f6bf0310606b8a5a2033c4d33224c70edf2892", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|95514abbd50f7ba17c4006ae44f6bf0310606b8a5a2033c4d33224c70edf2892"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-native-saf-x/android/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86670, "scanner": "repobility-supply-chain", "fingerprint": "4fd485f0306387e4802b110ec2f39a83f073750e250c9269fd2b94d93f999015", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4fd485f0306387e4802b110ec2f39a83f073750e250c9269fd2b94d93f999015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/shared/setup-build-environment/action.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86669, "scanner": "repobility-supply-chain", "fingerprint": "44c2d196737fcb0fcc20f556c2d0f452bf1a2972d5e4245f50412efb07469434", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|44c2d196737fcb0fcc20f556c2d0f452bf1a2972d5e4245f50412efb07469434"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/shared/setup-build-environment/action.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86668, "scanner": "repobility-supply-chain", "fingerprint": "494e8640e0e2dcd637e546f175e08f9049096fa937dc29616823810e323232b0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|494e8640e0e2dcd637e546f175e08f9049096fa937dc29616823810e323232b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/shared/setup-build-environment/action.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `olegtarasov/get-tag` pinned to mutable ref `@v2.1.4`: `uses: olegtarasov/get-tag@v2.1.4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86667, "scanner": "repobility-supply-chain", "fingerprint": "d974ec25a6ddc4dad595496f92ef6cd215c574fd767d11e7aa046093278ff581", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d974ec25a6ddc4dad595496f92ef6cd215c574fd767d11e7aa046093278ff581"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/shared/setup-build-environment/action.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86666, "scanner": "repobility-supply-chain", "fingerprint": "fbcff60785fdfd7dc019b3b8c15e63d697c37d3eddf7d7092d61f7a42686026a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fbcff60785fdfd7dc019b3b8c15e63d697c37d3eddf7d7092d61f7a42686026a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-macos-m1.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86665, "scanner": "repobility-supply-chain", "fingerprint": "a43da62c30d43ca77ec7c465dad150c31cd822b0bd3bdc8cfb5ec6afe9163873", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a43da62c30d43ca77ec7c465dad150c31cd822b0bd3bdc8cfb5ec6afe9163873"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-macos-m1.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `olegtarasov/get-tag` pinned to mutable ref `@v2.1.4`: `uses: olegtarasov/get-tag@v2.1.4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86664, "scanner": "repobility-supply-chain", "fingerprint": "1935f83d70dd30c35d26ec8edb133f89270d776206cfaf493f2c911db9b01f98", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1935f83d70dd30c35d26ec8edb133f89270d776206cfaf493f2c911db9b01f98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-macos-m1.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86663, "scanner": "repobility-supply-chain", "fingerprint": "7db44d69956f132d29a1aa746d28f39f8333c18abc6cbd929f8fecc266e4a9ff", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7db44d69956f132d29a1aa746d28f39f8333c18abc6cbd929f8fecc266e4a9ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-macos-m1.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86662, "scanner": "repobility-supply-chain", "fingerprint": "5f5dc29c2ed9705f3b709c18b4461acb6e6ca455a3c30b19bc6a89319d44a7f3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5f5dc29c2ed9705f3b709c18b4461acb6e6ca455a3c30b19bc6a89319d44a7f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ui-tests.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86661, "scanner": "repobility-supply-chain", "fingerprint": "96d55049e13e2d9d86b878d8990026098cbefc66c010671e2cb7b16c3047f54f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|96d55049e13e2d9d86b878d8990026098cbefc66c010671e2cb7b16c3047f54f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ui-tests.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v2`: `uses: actions/create-github-app-token@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86660, "scanner": "repobility-supply-chain", "fingerprint": "55c3190274cfd42c2ffc1ec8d26d2aa69b93771c338925eaa5509d5426a16746", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|55c3190274cfd42c2ffc1ec8d26d2aa69b93771c338925eaa5509d5426a16746"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/delete-coderabbit-comments.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86659, "scanner": "repobility-supply-chain", "fingerprint": "3c7235af49584ee76bc789348625882d6e5d63aa208b6263ef96de72d1684355", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3c7235af49584ee76bc789348625882d6e5d63aa208b6263ef96de72d1684355"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-pr-title.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86658, "scanner": "repobility-supply-chain", "fingerprint": "41c6f8f23883050b33c647f7d447478e032b53777e8a48c0d0ba0ba6421395c9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|41c6f8f23883050b33c647f7d447478e032b53777e8a48c0d0ba0ba6421395c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-pr-title.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `quipper/comment-failure-action` pinned to mutable ref `@v0.1.1`: `uses: quipper/comment-failure-action@v0.1.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86657, "scanner": "repobility-supply-chain", "fingerprint": "5035ded1a5fbbe184393a1ca0e47e5589e9f0b1684f61742addd43c0bf16b4cf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5035ded1a5fbbe184393a1ca0e47e5589e9f0b1684f61742addd43c0bf16b4cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/comment-on-failure.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `contributor-assistant/github-action` pinned to mutable ref `@v2.6.1`: `uses: contributor-assistant/github-action@v2.6.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86656, "scanner": "repobility-supply-chain", "fingerprint": "e57660d01681ebe56d9138d9084213b64be991fca53590b250e1047d554e3db2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e57660d01681ebe56d9138d9084213b64be991fca53590b250e1047d554e3db2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cla.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86655, "scanner": "repobility-supply-chain", "fingerprint": "90e973b8367b2f44de725e7e6ad5b240fdea5c7a6cd351ad2cf434ada1911a23", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|90e973b8367b2f44de725e7e6ad5b240fdea5c7a6cd351ad2cf434ada1911a23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/github-actions-main.yml"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86654, "scanner": "repobility-supply-chain", "fingerprint": "358d2e066a73689346300040ae69482b44b6e2117400fe5b6ec835120ff65ca1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|358d2e066a73689346300040ae69482b44b6e2117400fe5b6ec835120ff65ca1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/github-actions-main.yml"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86653, "scanner": "repobility-supply-chain", "fingerprint": "e4020114bff76dcb622e0b5966addf69a9be871e3653295a47d3a3f77ee81e34", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e4020114bff76dcb622e0b5966addf69a9be871e3653295a47d3a3f77ee81e34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/github-actions-main.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/stale` pinned to mutable ref `@v9`: `uses: actions/stale@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86652, "scanner": "repobility-supply-chain", "fingerprint": "3736e2a0108bc5200640134ee40c376966c7c5113049ff6af42c0d2cb4f8d0cc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3736e2a0108bc5200640134ee40c376966c7c5113049ff6af42c0d2cb4f8d0cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/close-stale-issues.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86651, "scanner": "repobility-supply-chain", "fingerprint": "3758752328fdab1b221aeb5bfc2c141582e370b70ba3312ff31bc34295628394", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3758752328fdab1b221aeb5bfc2c141582e370b70ba3312ff31bc34295628394"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-android.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86650, "scanner": "repobility-supply-chain", "fingerprint": "0d2c8b067f4326081d9c6ec08085791017be0e7aeeae99020257fb64152de02a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0d2c8b067f4326081d9c6ec08085791017be0e7aeeae99020257fb64152de02a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-android.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86649, "scanner": "repobility-supply-chain", "fingerprint": "9a288eb8667b4cb4fd0c068d4ca3d3fdfe0322bc98f71cd081ac80651a874111", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9a288eb8667b4cb4fd0c068d4ca3d3fdfe0322bc98f71cd081ac80651a874111"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-android.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-slim` not pinned by digest: `FROM node:24-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86648, "scanner": "repobility-supply-chain", "fingerprint": "12ec955c620e51f367ba07d9762ad9ce908eb123284f3ed6b955b6e5f74cf864", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|12ec955c620e51f367ba07d9762ad9ce908eb123284f3ed6b955b6e5f74cf864"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.server"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24` not pinned by digest: `FROM node:24` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86647, "scanner": "repobility-supply-chain", "fingerprint": "beaacf5cc0f76ae1d5205822e883dca9b9703d8d721e33a790471129a9c47e80", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|beaacf5cc0f76ae1d5205822e883dca9b9703d8d721e33a790471129a9c47e80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.server"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-bookworm` not pinned by digest: `FROM node:24-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86646, "scanner": "repobility-supply-chain", "fingerprint": "d6943d4da3b3e706fb6e6e98b5dbd498eee4845e987fbb0913a707d565166115", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d6943d4da3b3e706fb6e6e98b5dbd498eee4845e987fbb0913a707d565166115"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.transcribe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `nvidia/cuda:13.1.1-cudnn-runtime-ubuntu22.04` not pinned by digest: `FROM nvidia/cuda:13.1.1-cudnn-runtime-ubuntu22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86645, "scanner": "repobility-supply-chain", "fingerprint": "1b54d15f2922a72ff9e2c1abdb5bd96d472ccb3706190c83a5da539b77c9a289", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1b54d15f2922a72ff9e2c1abdb5bd96d472ccb3706190c83a5da539b77c9a289"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.transcribe.gpu"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ghcr.io/ggml-org/llama.cpp:full-cuda-b5449` not pinned by digest: `FROM ghcr.io/ggml-org/llama.cpp:full-cuda-b5449` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86644, "scanner": "repobility-supply-chain", "fingerprint": "3ef217b751d060ddbe43aff62c15ad6f62c0082e515a591b7dfbfe21b612fe4e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ef217b751d060ddbe43aff62c15ad6f62c0082e515a591b7dfbfe21b612fe4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.transcribe.gpu"}, "region": {"startLine": 23}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 86643, "scanner": "repobility-journey-contract", "fingerprint": "7ab16680d2b6d8dd8f86b0e13d517a49e71888f47a1cb64e8825bd084d17d8e0", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|188|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/EncryptionConfigScreen/EncryptionConfigScreen.tsx"}, "region": {"startLine": 188}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 86640, "scanner": "repobility-journey-contract", "fingerprint": "69c8919cbebed47cb6bd2522f34e6e941955356f6626f7c2d905d8bae02cc67f", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|201|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-mobile/utils/fs-driver/fs-driver-rn.web.worker.ts"}, "region": {"startLine": 201}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 86638, "scanner": "repobility-docker", "fingerprint": "71c7f5470ece78b1ef006df1ea7f86baa72efa789a01a8c2de6cf68077cd2a80", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|71c7f5470ece78b1ef006df1ea7f86baa72efa789a01a8c2de6cf68077cd2a80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.transcribe.gpu"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 86611, "scanner": "repobility-threat-engine", "fingerprint": "389b23b3a223a3cf278586cbe41c1d7389750df4688370d079f8486acfe160e3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|389b23b3a223a3cf278586cbe41c1d7389750df4688370d079f8486acfe160e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/tools/website/utils/applyTranslations.ts"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC035", "level": "error", "message": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants."}, "properties": {"repobilityId": 86609, "scanner": "repobility-threat-engine", "fingerprint": "be13c0da671965ffc6d2d8f02ac7ed74c6d2db2abaaf89a24ab3615f8e5ac19b", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Bytes(user.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC035", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|be13c0da671965ffc6d2d8f02ac7ed74c6d2db2abaaf89a24ab3615f8e5ac19b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/utils/strings.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 86607, "scanner": "repobility-threat-engine", "fingerprint": "4f0cd5bfbf5bc767d98154759106fcb71eaec29d970110329aebb15acc13641d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.post('api/batch', async (_path: SubPath, ctx: AppContext) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4f0cd5bfbf5bc767d98154759106fcb71eaec29d970110329aebb15acc13641d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/api/batch.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 86606, "scanner": "repobility-threat-engine", "fingerprint": "e2c546dc8fe4f6d11cdd44f4d8e964c6dc4dd4027e6ab39bdf7963203be134c6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.post('admin/user_deletions', async (_path: SubPath, ctx: AppContext) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e2c546dc8fe4f6d11cdd44f4d8e964c6dc4dd4027e6ab39bdf7963203be134c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/admin/user_deletions.ts"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 86605, "scanner": "repobility-threat-engine", "fingerprint": "2f36f1fbb3ab3ff23934c4887217327a46252d899d218056cbbe9b84a577498e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.post('admin/tasks', async (_path: SubPath, ctx: AppContext) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2f36f1fbb3ab3ff23934c4887217327a46252d899d218056cbbe9b84a577498e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/admin/tasks.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED039", "level": "error", "message": {"text": "[MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path."}, "properties": {"repobilityId": 86603, "scanner": "repobility-threat-engine", "fingerprint": "3c745e857cff0e5d1dee7472343b0bdd08cfecb8932b466984c36e58176912e7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-todo-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347989+00:00", "triaged_in_corpus": 15, "observations_count": 1561, "ai_coder_pattern_id": 114}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3c745e857cff0e5d1dee7472343b0bdd08cfecb8932b466984c36e58176912e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/onenote-converter/parser/src/local_onestore/objects/global_id_table.rs"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 86601, "scanner": "repobility-threat-engine", "fingerprint": "ada257af8bad804c9c48e11983d1f86aad5e0d03a78a46e5cb3a1e09e2c2ec9d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ada257af8bad804c9c48e11983d1f86aad5e0d03a78a46e5cb3a1e09e2c2ec9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/onenote-converter/parser-utils/src/log.rs"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 86600, "scanner": "repobility-threat-engine", "fingerprint": "ea994af9e67f92bc26dcdc386e4a99c8f317d4e980d30f5fc06ae2eb9ef6ab56", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ea994af9e67f92bc26dcdc386e4a99c8f317d4e980d30f5fc06ae2eb9ef6ab56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/onenote-converter/parser-utils/src/file_api/wasm_driver.rs"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 86599, "scanner": "repobility-threat-engine", "fingerprint": "e24daa79d7ec3927e5029e547c47779f26e674bc51c4f07c46fd0b2f6c9fa461", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e24daa79d7ec3927e5029e547c47779f26e674bc51c4f07c46fd0b2f6c9fa461"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/onenote-converter/parser-utils/src/file_api/native_driver.rs"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 86590, "scanner": "repobility-threat-engine", "fingerprint": "3fa4ef96b3514c2c58a614fd9f4429f0d0d265bfab811851e7382fa824eb01b3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3fa4ef96b3514c2c58a614fd9f4429f0d0d265bfab811851e7382fa824eb01b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/onenote-converter/parser-macros/src/lib.rs"}, "region": {"startLine": 157}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 86583, "scanner": "repobility-threat-engine", "fingerprint": "230c3dc46b95667cf7c189226639f3919d365bee9dc4b49cf0e4e54d735450e3", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((w, i) => ` ${buildDelimiter(w, table.alignments[i])}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|230c3dc46b95667cf7c189226639f3919d365bee9dc4b49cf0e4e54d735450e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/editor/CodeMirror/utils/markdown/tableUtils.ts"}, "region": {"startLine": 204}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 86582, "scanner": "repobility-threat-engine", "fingerprint": "487404fc1a6528b928c3491b7a2a0ca53d1cdad529cd9509c46bdc329dcc2631", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n\t\t\t\t\t(image, index) => `![${_('Photo %d', index + 1)}](:/${image.id}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|487404fc1a6528b928c3491b7a2a0ca53d1cdad529cd9509c46bdc329dcc2631"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-mobile/components/screens/DocumentScanner/DocumentScanner.tsx"}, "region": {"startLine": 104}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 86565, "scanner": "repobility-threat-engine", "fingerprint": "e3b05eaefeab3e02361bcb53541e1f82f37fd5dfea7ec401736dc96e3281e887", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "readableFiles.delete(path);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e3b05eaefeab3e02361bcb53541e1f82f37fd5dfea7ec401736dc96e3281e887"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/utils/customProtocols/handleCustomProtocols.ts"}, "region": {"startLine": 280}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 86564, "scanner": "repobility-threat-engine", "fingerprint": "fe0d424a65a1e039dcfc50edfcec434d6480abfbf61087f6eca72b8bd78a8c16", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "hashSum.update(fileBuffer);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fe0d424a65a1e039dcfc50edfcec434d6480abfbf61087f6eca72b8bd78a8c16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/tools/generateLatestArm64Yml.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 86563, "scanner": "repobility-threat-engine", "fingerprint": "066ad57b3933c29031d2460c97cc2d0bb55ef50e86bde60b3452de1e6a95225e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Resource.delete(resource.id, { sourceDescription: 'ResourceScreen' })", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|066ad57b3933c29031d2460c97cc2d0bb55ef50e86bde60b3452de1e6a95225e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/ResourceScreen.tsx"}, "region": {"startLine": 242}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 86560, "scanner": "repobility-threat-engine", "fingerprint": "cc84bc6e337eda200b898e4644e2620b5b2310ccd8549354ed7585ea0b971809", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cc84bc6e337eda200b898e4644e2620b5b2310ccd8549354ed7585ea0b971809"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-mobile/tools/buildInjectedJs/BundledFile.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 86559, "scanner": "repobility-threat-engine", "fingerprint": "a1fc72358633a46bb276a22d7fa84b05a362291f1773dafd7cd0b2fd881cb9ab", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a1fc72358633a46bb276a22d7fa84b05a362291f1773dafd7cd0b2fd881cb9ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/Root.tsx"}, "region": {"startLine": 75}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 86558, "scanner": "repobility-threat-engine", "fingerprint": "8bae229b27cde75915194a0863d10042219bcad17c91a7a13f7cd7805c00ba57", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8bae229b27cde75915194a0863d10042219bcad17c91a7a13f7cd7805c00ba57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/NoteEditor/utils/contextMenuUtils.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 86542, "scanner": "repobility-threat-engine", "fingerprint": "5fed032aa7ba2f5456177b974d91fbfcda00ca47afb125f07f3565e62db8865c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(body", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5fed032aa7ba2f5456177b974d91fbfcda00ca47afb125f07f3565e62db8865c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/NoteEditor/NoteBody/WhiteboardEditor/useCheckboxToggle.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 86541, "scanner": "repobility-threat-engine", "fingerprint": "98203d8bb682d9db9e889f66dca60fc039399cef93f3224efdad5543053116c1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(stream", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|98203d8bb682d9db9e889f66dca60fc039399cef93f3224efdad5543053116c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/NoteEditor/NoteBody/CodeMirror/v5/utils/useJoplinMode.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 86540, "scanner": "repobility-threat-engine", "fingerprint": "ef4bc7351a63ec2bc3b0f13cea8a0821872fe7b45135433abf0538fe3c073ace", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(stream", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ef4bc7351a63ec2bc3b0f13cea8a0821872fe7b45135433abf0538fe3c073ace"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/NoteEditor/NoteBody/CodeMirror/utils/useEditorSearchExtension.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 86538, "scanner": "repobility-threat-engine", "fingerprint": "fa42ced39a756f2c402808495e6a8d420dba94c12a00d52ff732252c7f44f338", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(key", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fa42ced39a756f2c402808495e6a8d420dba94c12a00d52ff732252c7f44f338"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-mobile/services/voiceTyping/whisper.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 86537, "scanner": "repobility-threat-engine", "fingerprint": "f06b02c921b1e7a74493de131d1724c77a698ba99e83cab19f5d4c010fbd60b4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(checkboxRegex", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f06b02c921b1e7a74493de131d1724c77a698ba99e83cab19f5d4c010fbd60b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/NoteEditor/NoteBody/WhiteboardEditor/useCheckboxToggle.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 86536, "scanner": "repobility-threat-engine", "fingerprint": "eeab58a593361423214687c6fdf108bd02808bba177339653c22bf193b1e5aba", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(value", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|eeab58a593361423214687c6fdf108bd02808bba177339653c22bf193b1e5aba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/NoteEditor/NoteBody/CodeMirror/utils/useEditorSearchExtension.ts"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 86519, "scanner": "repobility-threat-engine", "fingerprint": "f39c5b1a7eeaa3f871b470c37907d94514bc6cd2ced01def5649578aed7a41f5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f39c5b1a7eeaa3f871b470c37907d94514bc6cd2ced01def5649578aed7a41f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/gui/NoteEditor/utils/resourceHandling.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 86518, "scanner": "repobility-threat-engine", "fingerprint": "9fc3acffe61ea160282dff46357227f72af011d1fc8e3668bc6cc6db7a3a83e4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9fc3acffe61ea160282dff46357227f72af011d1fc8e3668bc6cc6db7a3a83e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-desktop/InteropServiceHelper.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 86517, "scanner": "repobility-threat-engine", "fingerprint": "251685f733cc6b0fe3e1911637497e320e6935e5ee20d66447a2f964b3af2b7a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|251685f733cc6b0fe3e1911637497e320e6935e5ee20d66447a2f964b3af2b7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-cli/app/command-sync.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 86515, "scanner": "repobility-threat-engine", "fingerprint": "129a3d60af9d738c04f761c981c82a27e6ee320da6ec4edce90f95facdb2e621", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|129a3d60af9d738c04f761c981c82a27e6ee320da6ec4edce90f95facdb2e621"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-cli/app/command-sync.ts"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 86514, "scanner": "repobility-threat-engine", "fingerprint": "4306a6a3c9c9d98a9ab77ff6fe76212feb63729ba374fbcf288e2ba2a734d645", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4306a6a3c9c9d98a9ab77ff6fe76212feb63729ba374fbcf288e2ba2a734d645"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-cli/app/command-publish.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 86513, "scanner": "repobility-threat-engine", "fingerprint": "9479def34b5b99348cc202d4d9cd3a62686ee530b7fe06130f5799bccb5091f4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9479def34b5b99348cc202d4d9cd3a62686ee530b7fe06130f5799bccb5091f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-cli/app/command-geoloc.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 86615, "scanner": "repobility-threat-engine", "fingerprint": "e457804b2c302c1f64795416b42b756ebc9b6598843d360028a9a39ba4905f44", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e457804b2c302c1f64795416b42b756ebc9b6598843d360028a9a39ba4905f44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/tools/website/utils/frontMatter.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 86614, "scanner": "repobility-threat-engine", "fingerprint": "589dd0da075822103938bc57f1b673b524d480b503a0ff4217b980783f0d82ed", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|62|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/tools/website/utils/frontMatter.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 86613, "scanner": "repobility-threat-engine", "fingerprint": "a19f098e85d4f4d144b976e3251933b7410c0465ecd29f472163ee58c87cc1be", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(headerLines.join('\\n')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a19f098e85d4f4d144b976e3251933b7410c0465ecd29f472163ee58c87cc1be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/tools/website/utils/frontMatter.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 86577, "scanner": "repobility-threat-engine", "fingerprint": "daf94bacecc52f90b3e68d519a0c8cca34e336c24263502ed4e4cac00f55eb98", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|daf94bacecc52f90b3e68d519a0c8cca34e336c24263502ed4e4cac00f55eb98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-mobile/components/ExtendedWebView/index.web.tsx"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 86576, "scanner": "repobility-threat-engine", "fingerprint": "446032a5b5d3bfa90b45bf730cbcf6cbbc460c746c6a6ee1b635293cb8728324", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|446032a5b5d3bfa90b45bf730cbcf6cbbc460c746c6a6ee1b635293cb8728324"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/app-mobile/components/ExtendedWebView/index.jest.tsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 86571, "scanner": "repobility-threat-engine", "fingerprint": "03764d0f724a557e7699046b634d6a5877c507dbe56c35f269b935ef2f4de53d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|03764d0f724a557e7699046b634d6a5877c507dbe56c35f269b935ef2f4de53d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/config.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 86570, "scanner": "repobility-threat-engine", "fingerprint": "036805d7094ff02879d83b329f1ddfea002c53bcfd7bdc7d014eae16bf67e57f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(userConfigFilename", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|036805d7094ff02879d83b329f1ddfea002c53bcfd7bdc7d014eae16bf67e57f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/plugins/ToggleSidebars/webpack.config.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 86569, "scanner": "repobility-threat-engine", "fingerprint": "854e4f5caa4f178873c9d0ecf46bf4d4a1ddd656bcf84c130b4f163e9fbf7fb9", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(library", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|854e4f5caa4f178873c9d0ecf46bf4d4a1ddd656bcf84c130b4f163e9fbf7fb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/editor/CodeMirror/pluginApi/codeMirrorRequire.ts"}, "region": {"startLine": 50}}}]}]}]}