{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. 
This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /_e"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /_e2e/restore-sqlite-snapshot."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 41.2% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 41.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 41.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define 
.repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4w7w-66w2-5vf9", "name": "vite: GHSA-4w7w-66w2-5vf9", "shortDescription": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "fullDescription": {"text": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w5hq-g745-h8pq", "name": "uuid: GHSA-w5hq-g745-h8pq", "shortDescription": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "fullDescription": {"text": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-g9mf-h72j-4rw9", "name": "undici: GHSA-g9mf-h72j-4rw9", "shortDescription": {"text": "undici: GHSA-g9mf-h72j-4rw9"}, "fullDescription": {"text": "Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4992-7rv2-5pvq", "name": "undici: GHSA-4992-7rv2-5pvq", "shortDescription": {"text": "undici: GHSA-4992-7rv2-5pvq"}, 
"fullDescription": {"text": "Undici has CRLF Injection in undici via `upgrade` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2mjp-6q6p-2qxm", "name": "undici: GHSA-2mjp-6q6p-2qxm", "shortDescription": {"text": "undici: GHSA-2mjp-6q6p-2qxm"}, "fullDescription": {"text": "Undici has an HTTP Request/Response Smuggling issue"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q6x5-8v7m-xcrf", "name": "protobufjs: GHSA-q6x5-8v7m-xcrf", "shortDescription": {"text": "protobufjs: GHSA-q6x5-8v7m-xcrf"}, "fullDescription": {"text": "protobufjs has overlong UTF-8 decoding"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jggg-4jg4-v7c6", "name": "protobufjs: GHSA-jggg-4jg4-v7c6", "shortDescription": {"text": "protobufjs: GHSA-jggg-4jg4-v7c6"}, "fullDescription": {"text": "protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fx83-v9x8-x52w", "name": "protobufjs: GHSA-fx83-v9x8-x52w", "shortDescription": {"text": "protobufjs: GHSA-fx83-v9x8-x52w"}, "fullDescription": {"text": "protobuf.js: Prototype injection in generated message constructors"}, "properties": 
{"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2pr8-phx7-x9h3", "name": "protobufjs: GHSA-2pr8-phx7-x9h3", "shortDescription": {"text": "protobufjs: GHSA-2pr8-phx7-x9h3"}, "fullDescription": {"text": "protobuf.js: Denial of service from crafted field names in generated code"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vvjj-xcjg-gr5g", "name": "nodemailer: GHSA-vvjj-xcjg-gr5g", "shortDescription": {"text": "nodemailer: GHSA-vvjj-xcjg-gr5g"}, "fullDescription": {"text": "Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO) "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-67mh-4wv8-2f99", "name": "esbuild: GHSA-67mh-4wv8-2f99", "shortDescription": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "fullDescription": {"text": "esbuild enables any website to send any requests to the development server and read the response"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Database containers store data in the writable container layer unless a volume or bind mount is attached to the image's data 
directory. Recreating the container can lose state."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `redis` image uses the latest tag", "shortDescription": {"text": "Compose service `redis` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR004", "name": "Docker build secret exposed through ARG", "shortDescription": {"text": "Docker build secret exposed through ARG"}, "fullDescription": {"text": "Build arguments can appear in image history or provenance. 
Secret material should be passed with BuildKit secret mounts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR009", "name": "Dockerfile separates apt update from install", "shortDescription": {"text": "Dockerfile separates apt update from install"}, "fullDescription": {"text": "Splitting apt update and install across layers can reuse stale package indexes and make builds less reliable."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Database exports and local database files can contain production data, credentials, or large binary payloads that slow Docker builds and can be copied into images by broad COPY instructions."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. 
On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n  1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is      functionally equivalent to `a+` for matching purposes.\n  2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in      replacement for `re` for most use cases.\n  3. Set a hard timeout: `signal.alarm(1)` before regex eval.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. 
Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. 
Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `marked` is 4 major version(s) behind (14.1.4 -> 18.0.5)", "shortDescription": {"text": "npm package `marked` is 4 major version(s) behind (14.1.4 -> 18.0.5)"}, "fullDescription": {"text": "`marked` is pinned/resolved at 14.1.4 but the latest stable release on the npm registry is 18.0.5 (4 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "A file created as a fixed/new/final/copy variant is not referenced by imports or path-like strings in the rest of the repository. 
This is a strong sign that an agent produced code beside the active application path."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. 
Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-c7w3-x93f-qmm8", "name": "nodemailer: GHSA-c7w3-x93f-qmm8", "shortDescription": {"text": "nodemailer: GHSA-c7w3-x93f-qmm8"}, "fullDescription": {"text": "Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-vpq2-c234-7xj6", "name": "@tootallnate/once: GHSA-vpq2-c234-7xj6", "shortDescription": {"text": "@tootallnate/once: GHSA-vpq2-c234-7xj6"}, "fullDescription": {"text": "@tootallnate/once vulnerable to Incorrect Control Flow Scoping"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy."}, "properties": {"scanner": "repobility-docker", "category": 
"docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. 
Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. 
They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Variable-selected base images can be safe, but Repobility cannot verify that the resolved image is pinned."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED047", "name": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested.", "shortDescription": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED081", "name": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr.", "shortDescription": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 21 more): Same pattern found in 21 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 29 more): Same pattern found in 29 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /api/badge/:id/response."}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /api/badge/:id/response."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "GHSA-vrm6-8vpv-qv8q", "name": "undici: GHSA-vrm6-8vpv-qv8q", "shortDescription": {"text": "undici: GHSA-vrm6-8vpv-qv8q"}, "fullDescription": {"text": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v9p9-hfj2-hcw8", "name": "undici: GHSA-v9p9-hfj2-hcw8", "shortDescription": {"text": "undici: GHSA-v9p9-hfj2-hcw8"}, "fullDescription": {"text": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r6q2-hw4h-h46w", "name": "tar: GHSA-r6q2-hw4h-h46w", "shortDescription": {"text": "tar: GHSA-r6q2-hw4h-h46w"}, "fullDescription": {"text": "Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qffp-2rhf-9h96", "name": "tar: GHSA-qffp-2rhf-9h96", "shortDescription": {"text": "tar: GHSA-qffp-2rhf-9h96"}, "fullDescription": {"text": "tar has Hardlink Path Traversal via Drive-Relative Linkpath"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9ppj-qmqm-q256", "name": "tar: GHSA-9ppj-qmqm-q256", "shortDescription": {"text": "tar: GHSA-9ppj-qmqm-q256"}, "fullDescription": {"text": "node-tar Symlink Path Traversal via Drive-Relative Linkpath"}, "properties": {"scanner": "osv-scanner", 
"category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8qq5-rm4j-mr97", "name": "tar: GHSA-8qq5-rm4j-mr97", "shortDescription": {"text": "tar: GHSA-8qq5-rm4j-mr97"}, "fullDescription": {"text": "node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-83g3-92jg-28cx", "name": "tar: GHSA-83g3-92jg-28cx", "shortDescription": {"text": "tar: GHSA-83g3-92jg-28cx"}, "fullDescription": {"text": "Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-34x7-hfp2-rc4v", "name": "tar: GHSA-34x7-hfp2-rc4v", "shortDescription": {"text": "tar: GHSA-34x7-hfp2-rc4v"}, "fullDescription": {"text": "node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jvwf-75h9-cwgg", "name": "protobufjs: GHSA-jvwf-75h9-cwgg", "shortDescription": {"text": "protobufjs: GHSA-jvwf-75h9-cwgg"}, "fullDescription": {"text": "protobuf.js: Process-wide denial of service through unsafe option paths"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-75px-5xx7-5xc7", "name": "protobufjs: GHSA-75px-5xx7-5xc7", "shortDescription": {"text": "protobufjs: GHSA-75px-5xx7-5xc7"}, "fullDescription": {"text": "protobuf.js: Code generation gadget after prototype pollution"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": 
"GHSA-685m-2w69-288q", "name": "protobufjs: GHSA-685m-2w69-288q", "shortDescription": {"text": "protobufjs: GHSA-685m-2w69-288q"}, "fullDescription": {"text": "protobuf.js: Denial of service through unbounded protobuf recursion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-66ff-xgx4-vchm", "name": "protobufjs: GHSA-66ff-xgx4-vchm", "shortDescription": {"text": "protobufjs: GHSA-66ff-xgx4-vchm"}, "fullDescription": {"text": "protobuf.js: Code injection through bytes field defaults in generated toObject code"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7mvr-c777-76hp", "name": "playwright: GHSA-7mvr-c777-76hp", "shortDescription": {"text": "playwright: GHSA-7mvr-c777-76hp"}, "fullDescription": {"text": "Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7r86-cg39-jmmj", "name": "minimatch: GHSA-7r86-cg39-jmmj", "shortDescription": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "fullDescription": {"text": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3ppc-4f35-3m26", "name": "minimatch: GHSA-3ppc-4f35-3m26", "shortDescription": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "fullDescription": {"text": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-23c5-xmqv-rm74", "name": "minimatch: 
GHSA-23c5-xmqv-rm74", "shortDescription": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "fullDescription": {"text": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5j98-mcp5-4vw2", "name": "glob: GHSA-5j98-mcp5-4vw2", "shortDescription": {"text": "glob: GHSA-5j98-mcp5-4vw2"}, "fullDescription": {"text": "glob CLI: Command injection via -c/--cmd executes matches with shell:true"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.", "shortDescription": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in G", "shortDescription": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC088", "name": "[SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification \u2014 MITM r", "shortDescription": {"text": "[SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification \u2014 MITM risk. Ported from gosec G402 (Apache-2.0)."}, "fullDescription": {"text": "Remove the option. If self-signed certs are required, pin via RootCAs."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. 
The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `debian:bookworm-slim` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `debian:bookworm-slim` not pinned by digest"}, "fullDescription": {"text": "`FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express POST /test-x-www-form-urlencoded has no auth", "shortDescription": {"text": "Express POST /test-x-www-form-urlencoded has no auth"}, "fullDescription": {"text": "Express route POST /test-x-www-form-urlencoded declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "GHSA-xq3m-2v4x-88gg", "name": "protobufjs: GHSA-xq3m-2v4x-88gg", "shortDescription": {"text": "protobufjs: GHSA-xq3m-2v4x-88gg"}, "fullDescription": {"text": "Arbitrary code execution in protobufjs"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "private-key", "name": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.", "shortDescription": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.JUST_FOR_TEST` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.JUST_FOR_TEST` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.JUST_FOR_TEST }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/790"}, "properties": {"repository": "louislam/uptime-kuma", "repoUrl": "https://github.com/louislam/uptime-kuma", "branch": "master"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 67137, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 67136, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": 
["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 67132, "scanner": "repobility-journey-contract", "fingerprint": "acce6cc54d9fd9c4e7a44b576f0d9ddfe922f257d5d6e3a7b3518fa70fff8de2", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/test", "correlation_key": "fp|acce6cc54d9fd9c4e7a44b576f0d9ddfe922f257d5d6e3a7b3518fa70fff8de2", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/backend-test/test-globalping.js"}, "region": {"startLine": 689}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 67131, "scanner": "repobility-journey-contract", "fingerprint": "93832371866afb8a83933f0df4ae1c78653e7f3c65916fb562ba65da9ede4bec", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/test", 
"correlation_key": "fp|93832371866afb8a83933f0df4ae1c78653e7f3c65916fb562ba65da9ede4bec", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/backend-test/test-globalping.js"}, "region": {"startLine": 272}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 67130, "scanner": "repobility-journey-contract", "fingerprint": "0b2fdc169425189e9f915dd389fb240c8656313334ec09cbeabd35af39920310", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/status-page/heartbeat", "correlation_key": "fp|0b2fdc169425189e9f915dd389fb240c8656313334ec09cbeabd35af39920310", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/StatusPage.vue"}, "region": {"startLine": 1077}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 67129, "scanner": "repobility-journey-contract", "fingerprint": "c2c0aacf3d862a5f01d5e9b4f03c3927a0c8ae10cf021da4a66b497527218157", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/status-page/upload-logo", "correlation_key": 
"fp|c2c0aacf3d862a5f01d5e9b4f03c3927a0c8ae10cf021da4a66b497527218157", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/StatusPage.vue"}, "region": {"startLine": 257}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 67128, "scanner": "repobility-journey-contract", "fingerprint": "03b0ae17a436311c662253c2a28fde14ad63ebea7448c17f108b45982b9ff7c0", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/push", "correlation_key": "fp|03b0ae17a436311c662253c2a28fde14ad63ebea7448c17f108b45982b9ff7c0", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/EditMonitor.vue"}, "region": {"startLine": 3341}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 67127, "scanner": "repobility-journey-contract", "fingerprint": "36fbe17535ab525c6d89c88282e8b659a2b1369744b5dc84c53220af07539c30", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/push", "correlation_key": 
"fp|36fbe17535ab525c6d89c88282e8b659a2b1369744b5dc84c53220af07539c30", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/Details.vue"}, "region": {"startLine": 584}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 67126, "scanner": "repobility-journey-contract", "fingerprint": "b7b875580e072f6ff8d373d3a4e43a9c3fa7e7eaa545f86265d6a07dfe31851d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/badge", "correlation_key": "fp|b7b875580e072f6ff8d373d3a4e43a9c3fa7e7eaa545f86265d6a07dfe31851d", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/BadgeLinkGeneratorDialog.vue"}, "region": {"startLine": 291}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 67125, "scanner": "repobility-journey-contract", "fingerprint": "9ff82046fed1466a0d78401f7be5f33c634f71850ae44c28f66704c68905153f", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/push/{param}", "correlation_key": 
"fp|9ff82046fed1466a0d78401f7be5f33c634f71850ae44c28f66704c68905153f", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routers/api-router.js"}, "region": {"startLine": 47}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 67124, "scanner": "repobility-journey-contract", "fingerprint": "5fa85f8b6aa76ff4936e024a5434e5de303eb01154ddf8d83c5e40576e12d4a1", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/sendtext", "correlation_key": "fp|5fa85f8b6aa76ff4936e024a5434e5de303eb01154ddf8d83c5e40576e12d4a1", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/notification-providers/waha.js"}, "region": {"startLine": 29}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 67123, "scanner": "repobility-journey-contract", "fingerprint": "48e4c52135ec328ea1a5c228e17bdbd20487108707f055011826c5073fca779b", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/messages/actions/send", "correlation_key": 
"fp|48e4c52135ec328ea1a5c228e17bdbd20487108707f055011826c5073fca779b", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/notification-providers/teltonika.js"}, "region": {"startLine": 31}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 67122, "scanner": "repobility-journey-contract", "fingerprint": "85045280f91714261c398d179927be3761b7979dc2c8459fa6995684085d2869", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/login", "correlation_key": "fp|85045280f91714261c398d179927be3761b7979dc2c8459fa6995684085d2869", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/notification-providers/teltonika.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 67121, "scanner": "repobility-journey-contract", "fingerprint": "e952e300459fe217e4d38c676178b131e1d9f6c5729ea9041e300f5abfb23fad", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v2", "correlation_key": 
"fp|e952e300459fe217e4d38c676178b131e1d9f6c5729ea9041e300f5abfb23fad", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/notification-providers/smseagle.js"}, "region": {"startLine": 120}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /_e2e/restore-sqlite-snapshot."}, "properties": {"repobilityId": 67119, "scanner": "repobility-access-control", "fingerprint": "f88bd9a0bbe1d97fced990e64e7659525570fa7d7768168c181d2fc354c955ff", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/_e2e/restore-sqlite-snapshot", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|server/server.js|306|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/server.js"}, "region": {"startLine": 306}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /."}, "properties": {"repobilityId": 67118, "scanner": "repobility-access-control", "fingerprint": "1e4d0e9f03d183c4087ae9683f7900d9ef105c704d9f6c8f4ffc57bcf8b92e07", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|server/setup-database.js|148|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/setup-database.js"}, "region": {"startLine": 148}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 41.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 67112, "scanner": "repobility-access-control", "fingerprint": "ad33fecb26c37a137d74a74fa6bef8bd02c3d2d1fc93cc97181bc7b46d4f385c", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 34, "correlation_key": "fp|ad33fecb26c37a137d74a74fa6bef8bd02c3d2d1fc93cc97181bc7b46d4f385c", "auth_visible_percent": 41.2}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 67111, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", 
"confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 67110, "scanner": "osv-scanner", "fingerprint": "1b788fa8525382946c739270c1849aaa868327cf2c4216daf211eef3de5db45b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4w7w-66w2-5vf9", "level": "warning", "message": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "properties": {"repobilityId": 67109, "scanner": "osv-scanner", "fingerprint": "b9493abcfc150bfe6cb302cb6e27e4bbb1e650942ccb7c4de386ac3ae1c5f54d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39365"], "package": "vite", "rule_id": "GHSA-4w7w-66w2-5vf9", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39365|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, 
"properties": {"repobilityId": 67108, "scanner": "osv-scanner", "fingerprint": "2f6e44d3056f0549be14ae43b720d756ca97d735468761433ea29a9ddf340eaa", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": "vuln|uuid|CVE-2026-41907|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-g9mf-h72j-4rw9", "level": "warning", "message": {"text": "undici: GHSA-g9mf-h72j-4rw9"}, "properties": {"repobilityId": 67105, "scanner": "osv-scanner", "fingerprint": "e113ac113992264008b34dca9e8cc39683a8abce0bc61d7e5d7ee80f27c67813", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-22036"], "package": "undici", "rule_id": "GHSA-g9mf-h72j-4rw9", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-22036|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4992-7rv2-5pvq", "level": "warning", "message": {"text": "undici: GHSA-4992-7rv2-5pvq"}, "properties": {"repobilityId": 67104, "scanner": "osv-scanner", "fingerprint": "131544c17ffd46670670645285c84aa0dec7b4985717b09db666e4085c9fab3e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1527"], "package": "undici", "rule_id": "GHSA-4992-7rv2-5pvq", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1527|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2mjp-6q6p-2qxm", "level": "warning", "message": {"text": "undici: GHSA-2mjp-6q6p-2qxm"}, "properties": {"repobilityId": 67103, "scanner": "osv-scanner", "fingerprint": "7c1ac2c34476c84f99821fd8a3945374550c1f5f98d292889be5c157840c78af", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1525"], "package": "undici", "rule_id": "GHSA-2mjp-6q6p-2qxm", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1525|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 67096, "scanner": "osv-scanner", "fingerprint": "47af66b2941511910bef679f7fdc36232d020247a0f6ed279e094f6f5cfdf3b5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q6x5-8v7m-xcrf", "level": "warning", "message": {"text": "protobufjs: GHSA-q6x5-8v7m-xcrf"}, "properties": {"repobilityId": 67094, "scanner": "osv-scanner", "fingerprint": "27f7a0436bfdd56e38b55e2d9b7e81f52e161ecaa5e9489e210a988279ca119a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44288"], "package": "protobufjs", "rule_id": "GHSA-q6x5-8v7m-xcrf", 
"scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44288|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jggg-4jg4-v7c6", "level": "warning", "message": {"text": "protobufjs: GHSA-jggg-4jg4-v7c6"}, "properties": {"repobilityId": 67092, "scanner": "osv-scanner", "fingerprint": "02de88b1ef531db4b8828b73a9628eb4051ab34e810b86d3f6bfc8f94d7481c5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45740"], "package": "protobufjs", "rule_id": "GHSA-jggg-4jg4-v7c6", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-45740|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fx83-v9x8-x52w", "level": "warning", "message": {"text": "protobufjs: GHSA-fx83-v9x8-x52w"}, "properties": {"repobilityId": 67091, "scanner": "osv-scanner", "fingerprint": "afeabe4d538188a6e6742090dd92a6f4525fe5de48df3520e2c80c8ba92ce18a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44292"], "package": "protobufjs", "rule_id": "GHSA-fx83-v9x8-x52w", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44292|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2pr8-phx7-x9h3", "level": "warning", "message": {"text": "protobufjs: GHSA-2pr8-phx7-x9h3"}, "properties": {"repobilityId": 67087, "scanner": "osv-scanner", "fingerprint": "b988c4250921e1f462824b3660ae2c14ead91576558f0d089ba6232ac48ea833", "category": "dependency", "severity": "medium", "confidence": 
0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44294"], "package": "protobufjs", "rule_id": "GHSA-2pr8-phx7-x9h3", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44294|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vvjj-xcjg-gr5g", "level": "warning", "message": {"text": "nodemailer: GHSA-vvjj-xcjg-gr5g"}, "properties": {"repobilityId": 67085, "scanner": "osv-scanner", "fingerprint": "541e7852cb4d702a8a3e8f865ccc8b8455310acf73a7e5d5386a541a26944d23", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "nodemailer", "rule_id": "GHSA-vvjj-xcjg-gr5g", "scanner": "osv-scanner", "correlation_key": "vuln|nodemailer|GHSA-VVJJ-XCJG-GR5G|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 67079, "scanner": "osv-scanner", "fingerprint": "de986ead824c9cd2225230d6fcc7a484a3f62fc4668bd948eb33bf3de3e73e26", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-2950|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-67mh-4wv8-2f99", "level": "warning", "message": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "properties": {"repobilityId": 67077, "scanner": 
"osv-scanner", "fingerprint": "a5366f8592ea792611dbd54230e9a360d84cfa4deab68e1cdb4eca522a676bc6", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "esbuild", "rule_id": "GHSA-67mh-4wv8-2f99", "scanner": "osv-scanner", "correlation_key": "vuln|esbuild|GHSA-67MH-4WV8-2F99|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 67073, "scanner": "repobility-docker", "fingerprint": "00415cdb4906a6001f4ed74cfa3080c366aa9780ad230e3a91db874a8542dd51", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|00415cdb4906a6001f4ed74cfa3080c366aa9780ad230e3a91db874a8542dd51", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/manual-test-radius-tls/compose.yaml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `redis` image uses the latest tag"}, "properties": {"repobilityId": 67071, "scanner": "repobility-docker", "fingerprint": "4102a2e5412a3fe11697f0e5d1bd4597bc68514f8f19119f5b952037687a7954", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "redis:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4102a2e5412a3fe11697f0e5d1bd4597bc68514f8f19119f5b952037687a7954"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/manual-test-radius-tls/compose.yaml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 67069, "scanner": "repobility-docker", "fingerprint": "2183b93b26871e952626dfdfa78e95956dcd882d146b176b0919a022eedd508c", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|2183b93b26871e952626dfdfa78e95956dcd882d146b176b0919a022eedd508c", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/manual-test-radius/compose.yaml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `redis` image uses the latest tag"}, "properties": {"repobilityId": 67067, "scanner": "repobility-docker", "fingerprint": "023236f426d84b09e99b22dc53649c5c4ef07cd31c309ab864d1bb96f9061388", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "redis:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|023236f426d84b09e99b22dc53649c5c4ef07cd31c309ab864d1bb96f9061388"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/manual-test-radius/compose.yaml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 67063, "scanner": "repobility-docker", "fingerprint": "719a17e4b2c323e25001815be6bd2268c65d064704c5a90465779e0172d0af30", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "louislam/uptime-kuma:base2", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|719a17e4b2c323e25001815be6bd2268c65d064704c5a90465779e0172d0af30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/dockerfile"}, "region": {"startLine": 95}}}]}, {"ruleId": "DKR004", "level": "warning", "message": {"text": "Docker build secret exposed through ARG"}, "properties": {"repobilityId": 67062, "scanner": "repobility-docker", "fingerprint": "213010e8cf7cbe4dcf723eccccd12fd25b11a18ff3efa4cfe776b7e64bbff2a3", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ARG name looks secret-bearing; BuildKit secret mounts are the safer pattern.", "evidence": {"rule_id": "DKR004", "scanner": "repobility-docker", "variable": "GITHUB_TOKEN", "references": ["https://docs.docker.com/build/building/secrets/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|213010e8cf7cbe4dcf723eccccd12fd25b11a18ff3efa4cfe776b7e64bbff2a3"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "docker/dockerfile"}, "region": {"startLine": 103}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 67061, "scanner": "repobility-docker", "fingerprint": "484a7a95d5a204d4fd72110caa102b6049e422c2f8198595a9e8601a6974f839", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|484a7a95d5a204d4fd72110caa102b6049e422c2f8198595a9e8601a6974f839"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/dockerfile"}, "region": {"startLine": 97}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 67060, "scanner": "repobility-docker", "fingerprint": "c08be296a3731014f25244b00f7c9dba90e82d78e5df41679eec0e2714693bdf", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c08be296a3731014f25244b00f7c9dba90e82d78e5df41679eec0e2714693bdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/dockerfile"}, "region": {"startLine": 67}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with 
incomplete .dockerignore"}, "properties": {"repobilityId": 67058, "scanner": "repobility-docker", "fingerprint": "5e2842d6c744821bbf4514786cf09ce07aac244dfd15e01e14a47b4382613544", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|5e2842d6c744821bbf4514786cf09ce07aac244dfd15e01e14a47b4382613544", "missing_patterns": [".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/dockerfile"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 67057, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "db/kuma.db", "size_mb": 0.1}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified 
alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 67056, "scanner": "repobility-threat-engine", "fingerprint": "e72706b55ebca32804c937641520f532ce884dc0bb1de18b5135875735796784", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "(.*)*", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e72706b55ebca32804c937641520f532ce884dc0bb1de18b5135875735796784"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/router.js"}, "region": {"startLine": 189}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default to rel='noopener' for new windows, but the explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 67054, "scanner": "repobility-threat-engine", "fingerprint": "3967d828ee339cdf0687b5cb1718af260a6d06a8b8828aa79724aae89f638f4a", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"/migrate-status\" target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|48|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/utils/simple-migration-server.js"}, "region": {"startLine": 48}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 67053, "scanner": "repobility-threat-engine", "fingerprint": "9c07e7d15dd7555c5679abb67509cec3f929249e7d8bb3b0704cba56cef20bd2", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9c07e7d15dd7555c5679abb67509cec3f929249e7d8bb3b0704cba56cef20bd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/socket-handlers/general-socket-handler.js"}, "region": {"startLine": 127}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is 
predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 67050, "scanner": "repobility-threat-engine", "fingerprint": "52a52e3e4b3509133da01115f54bb7d4b65d031c4b6812976dd8d6fc60d0f7ce", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "key: monitorInfo.id ? String(monitorInfo.id) : Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|52a52e3e4b3509133da01115f54bb7d4b65d031c4b6812976dd8d6fc60d0f7ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/notification-providers/flashduty.js"}, "region": {"startLine": 91}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 67049, "scanner": "repobility-threat-engine", "fingerprint": "4dcf2f5d0309b975ac9112cede235889f7d08c1fa04d9d23e810a165eb00f406", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Nonce: Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4dcf2f5d0309b975ac9112cede235889f7d08c1fa04d9d23e810a165eb00f406"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/notification-providers/aliyun-sms.js"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 67048, "scanner": "repobility-threat-engine", "fingerprint": "49a7d2ce987b140c39c58628fcc6c12a841e4db060fe63b847060d02b1fa1408", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "password,\n                clientId: \"uptime-kuma_\" + Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|49a7d2ce987b140c39c58628fcc6c12a841e4db060fe63b847060d02b1fa1408"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/monitor-types/mqtt.js"}, "region": {"startLine": 169}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 67045, "scanner": "repobility-threat-engine", "fingerprint": "99f16d225fa5d07d2f325ce7283b34400a378dd771ba889c1fe5114b24c3b600", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.8 bits) \u2014 may be placeholder or common string", "evidence": {"match": "Password = \"<redacted>\"", "reason": "Low entropy value (2.8 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|extra/simple-mqtt-server.js|1|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/simple-mqtt-server.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 
even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 67037, "scanner": "repobility-threat-engine", "fingerprint": "d9d565fa0eb5df451d42816d345bf81813e6b342eedb3c5a93fe08d8694518d8", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|server/auth.js|25|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/auth.js"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 67036, "scanner": "repobility-threat-engine", "fingerprint": "4effcdba2e2d51d283185492774a679216e2f5484de9a30b13f97c4919ccff3a", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|server/2fa.js|10|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/2fa.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 67035, "scanner": "repobility-threat-engine", "fingerprint": "2950379c5358fbfac0516c77591695e57b0a7a306814cac4b8f9e6444ab1d334", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|12|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/reset-migrate-aggregate-table-state.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 67026, "scanner": "repobility-threat-engine", "fingerprint": "943dd587b197ec936d39e27a1f19cab992c88f7a65f357d769af6439797a8bfa", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL = \"https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|943dd587b197ec936d39e27a1f19cab992c88f7a65f357d769af6439797a8bfa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/push-examples/go/index.go"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 67025, "scanner": "repobility-threat-engine", "fingerprint": "720b94e958ea7deb1d7c6fca85c3bf204cd635bb0c551acfdc56ac31a224ba30", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL  = \"https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|720b94e958ea7deb1d7c6fca85c3bf204cd635bb0c551acfdc56ac31a224ba30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/push-examples/csharp/index.cs"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 67024, "scanner": "repobility-threat-engine", "fingerprint": "caeca5e95abdb37d57d82641a66ddb83c4e80f3ad4fd7c9cf43c02b296e46f46", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL=\"https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|caeca5e95abdb37d57d82641a66ddb83c4e80f3ad4fd7c9cf43c02b296e46f46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/push-examples/bash-curl/index.sh"}, "region": {"startLine": 3}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 67006, "scanner": "repobility-agent-runtime", "fingerprint": "b542c3fed2a40b6d7b7500bb9a32531c8255f7d461be2794ca1d53e4d392c7b1", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|b542c3fed2a40b6d7b7500bb9a32531c8255f7d461be2794ca1d53e4d392c7b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/MonitorListItem.vue"}, "region": {"startLine": 218}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `marked` is 4 major version(s) behind (14.1.4 -> 18.0.5)"}, "properties": 
{"repobilityId": 67005, "scanner": "repobility-dependency-currency", "fingerprint": "3a8ed4cec11b8989824b7eacab5b915c185788a04025624d8a5d18bf30a540ea", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "4 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "marked", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "18.0.5", "correlation_key": "fp|3a8ed4cec11b8989824b7eacab5b915c185788a04025624d8a5d18bf30a540ea", "current_version": "14.1.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `limiter` is 1 major version(s) behind (2.1.0 -> 3.0.0)"}, "properties": {"repobilityId": 67003, "scanner": "repobility-dependency-currency", "fingerprint": "b83a8e99a3e39faaa9bdec457babd6330e3918ac76640a90f44b9c841e32dc54", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "limiter", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.0", "correlation_key": "fp|b83a8e99a3e39faaa9bdec457babd6330e3918ac76640a90f44b9c841e32dc54", "current_version": "2.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `jwt-decode` is 1 major version(s) behind (3.1.2 -> 4.0.0)"}, "properties": {"repobilityId": 67001, "scanner": "repobility-dependency-currency", "fingerprint": "70670999c6b3b6aaa5d4c9062528b4794fa4bc56cb32c23bceb35bf2c242bd66", "category": "dependency", 
"severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jwt-decode", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.0.0", "correlation_key": "fp|70670999c6b3b6aaa5d4c9062528b4794fa4bc56cb32c23bceb35bf2c242bd66", "current_version": "3.1.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `https-proxy-agent` is 4 major version(s) behind (5.0.1 -> 9.0.0)"}, "properties": {"repobilityId": 66997, "scanner": "repobility-dependency-currency", "fingerprint": "ffe24e0aba1ea32b2d6b17a520b3b87137019faa1321eec202bc3a13135fc2e6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "4 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "https-proxy-agent", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.0.0", "correlation_key": "fp|ffe24e0aba1ea32b2d6b17a520b3b87137019faa1321eec202bc3a13135fc2e6", "current_version": "5.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `http-proxy-agent` is 2 major version(s) behind (7.0.2 -> 9.0.0)"}, "properties": {"repobilityId": 66996, "scanner": "repobility-dependency-currency", "fingerprint": "dfa1fcc0c3753316f964cf148ee5a3dd7cd42fbb7157608ef1d8363f1a2dbc08", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) 
behind", "signal": "currency", "cwe_ids": [], "package": "http-proxy-agent", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.0.0", "correlation_key": "fp|dfa1fcc0c3753316f964cf148ee5a3dd7cd42fbb7157608ef1d8363f1a2dbc08", "current_version": "7.0.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `http-cookie-agent` is 3 major version(s) behind (5.0.4 -> 8.0.0)"}, "properties": {"repobilityId": 66995, "scanner": "repobility-dependency-currency", "fingerprint": "9815c8df8aa9a3bae917f5c0609a54578c25009e0ec7df7f81bd6fa9f4ccc5a7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "http-cookie-agent", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.0.0", "correlation_key": "fp|9815c8df8aa9a3bae917f5c0609a54578c25009e0ec7df7f81bd6fa9f4ccc5a7", "current_version": "5.0.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `feed` is 1 major version(s) behind (4.2.2 -> 5.2.1)"}, "properties": {"repobilityId": 66994, "scanner": "repobility-dependency-currency", "fingerprint": "2c858e0b476e1f09b55b740652578e30f9bbe81b531ae72b5f7c14f02bed9425", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "feed", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], 
"latest_version": "5.2.1", "correlation_key": "fp|2c858e0b476e1f09b55b740652578e30f9bbe81b531ae72b5f7c14f02bed9425", "current_version": "4.2.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `express-static-gzip` is 1 major version(s) behind (2.1.8 -> 3.0.1)"}, "properties": {"repobilityId": 66993, "scanner": "repobility-dependency-currency", "fingerprint": "a6f63f5a9ed8dda4626eb80de01450ecfd134460d0f31d8f83814e6edc51e64a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "express-static-gzip", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.1", "correlation_key": "fp|a6f63f5a9ed8dda4626eb80de01450ecfd134460d0f31d8f83814e6edc51e64a", "current_version": "2.1.8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `express` is 1 major version(s) behind (4.22.2 -> 5.2.1)"}, "properties": {"repobilityId": 66992, "scanner": "repobility-dependency-currency", "fingerprint": "361688de7f39258295d448771ccc65274263bba6dacef48f3b76d9f2c23d7410", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "express", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.2.1", "correlation_key": "fp|361688de7f39258295d448771ccc65274263bba6dacef48f3b76d9f2c23d7410", "current_version": "4.22.2"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `dotenv` is 1 major version(s) behind (16.0.3 -> 17.4.2)"}, "properties": {"repobilityId": 66991, "scanner": "repobility-dependency-currency", "fingerprint": "7d2f4e05251c77259d6b52f9764647fb569df3f175da66e6c908998598e6f75e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "dotenv", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.4.2", "correlation_key": "fp|7d2f4e05251c77259d6b52f9764647fb569df3f175da66e6c908998598e6f75e", "current_version": "16.0.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `croner` is 2 major version(s) behind (8.1.2 -> 10.0.1)"}, "properties": {"repobilityId": 66990, "scanner": "repobility-dependency-currency", "fingerprint": "0afc57d0e90eae7be64982335eb48cbd565686e5827e84b80cb7894ce098d928", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "croner", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.1", "correlation_key": "fp|0afc57d0e90eae7be64982335eb48cbd565686e5827e84b80cb7894ce098d928", "current_version": "8.1.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package 
`compare-versions` is 3 major version(s) behind (3.6.0 -> 6.1.1)"}, "properties": {"repobilityId": 66989, "scanner": "repobility-dependency-currency", "fingerprint": "21eaa1494a36f9581481a0e8ca50a2878475048c18855ed6b1bc2dbe92566a60", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "compare-versions", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.1.1", "correlation_key": "fp|21eaa1494a36f9581481a0e8ca50a2878475048c18855ed6b1bc2dbe92566a60", "current_version": "3.6.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `chroma-js` is 1 major version(s) behind (2.4.2 -> 3.2.0)"}, "properties": {"repobilityId": 66988, "scanner": "repobility-dependency-currency", "fingerprint": "018aa55e8252ecab8bd509cd28fa9b8b5faf961d64fe229aa1b8858187e00ba9", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "chroma-js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.2.0", "correlation_key": "fp|018aa55e8252ecab8bd509cd28fa9b8b5faf961d64fe229aa1b8858187e00ba9", "current_version": "2.4.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `check-password-strength` is 1 major version(s) behind (2.0.10 -> 3.0.0)"}, "properties": {"repobilityId": 66986, "scanner": "repobility-dependency-currency", 
"fingerprint": "eefb371956a9306fb343ecc274af62efe582d53539fe54ce63d02e77f401d48e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "check-password-strength", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.0", "correlation_key": "fp|eefb371956a9306fb343ecc274af62efe582d53539fe54ce63d02e77f401d48e", "current_version": "2.0.10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `chardet` is 1 major version(s) behind (1.4.0 -> 2.1.1)"}, "properties": {"repobilityId": 66985, "scanner": "repobility-dependency-currency", "fingerprint": "96ef9cb503b4a618fec8c196a94af24ab03640f3ae5b53b99835ffb2263438d8", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "chardet", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.1.1", "correlation_key": "fp|96ef9cb503b4a618fec8c196a94af24ab03640f3ae5b53b99835ffb2263438d8", "current_version": "1.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `bcryptjs` is 1 major version(s) behind (2.4.3 -> 3.0.3)"}, "properties": {"repobilityId": 66984, "scanner": "repobility-dependency-currency", "fingerprint": "3a20029755be739e7349488b700c1872b3b499d7c7bc43e14011f91af8fafab4", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "bcryptjs", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.3", "correlation_key": "fp|3a20029755be739e7349488b700c1872b3b499d7c7bc43e14011f91af8fafab4", "current_version": "2.4.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `badge-maker` is 2 major version(s) behind (3.3.1 -> 5.0.2)"}, "properties": {"repobilityId": 66983, "scanner": "repobility-dependency-currency", "fingerprint": "9d751ccb8e5aeabdfd9694c1f67a88a9cd7055240bf5055185243c54bb04021f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "badge-maker", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.2", "correlation_key": "fp|9d751ccb8e5aeabdfd9694c1f67a88a9cd7055240bf5055185243c54bb04021f", "current_version": "3.3.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `axios` is 1 major version(s) behind (0.32.0 -> 1.17.0)"}, "properties": {"repobilityId": 66982, "scanner": "repobility-dependency-currency", "fingerprint": "63298d0799fc8b268e04b7e7d050bb29d1b50f954f45e9ae98fa461cb09bae95", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "axios", "scanner": 
"repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.17.0", "correlation_key": "fp|63298d0799fc8b268e04b7e7d050bb29d1b50f954f45e9ae98fa461cb09bae95", "current_version": "0.32.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 66935, "scanner": "repobility-ai-code-hygiene", "fingerprint": "78b7f1b33b08800abc9ca3301d5e1af078a3f14ea9ab2691a4a9895860749c8e", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "fix", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|78b7f1b33b08800abc9ca3301d5e1af078a3f14ea9ab2691a4a9895860749c8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "db/knex_migrations/2025-10-15-0000-stat-table-fix.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 67138, "scanner": "repobility-web-presence", "fingerprint": "bd03968917e64b772252d5bb0990c13ad6847ebbde46b4be221b0e3c5e3fd77d", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|bd03968917e64b772252d5bb0990c13ad6847ebbde46b4be221b0e3c5e3fd77d"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/server.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 67135, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 67134, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 67133, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", 
"category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 67120, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "GHSA-c7w3-x93f-qmm8", "level": "note", "message": {"text": "nodemailer: GHSA-c7w3-x93f-qmm8"}, "properties": {"repobilityId": 67084, "scanner": "osv-scanner", "fingerprint": "0219e6d4aafd2db77b2e7946ecaf81ed64d16be8a5f6aea819a01fff66a74e96", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "nodemailer", "rule_id": "GHSA-c7w3-x93f-qmm8", "scanner": "osv-scanner", "correlation_key": "vuln|nodemailer|GHSA-C7W3-X93F-QMM8|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-vpq2-c234-7xj6", "level": "note", "message": {"text": "@tootallnate/once: GHSA-vpq2-c234-7xj6"}, "properties": {"repobilityId": 67076, "scanner": "osv-scanner", "fingerprint": "b94d4faf3f807316e62a27fde64604e4453cde679a07570857443686cccdd76d", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-3449"], "package": "@tootallnate/once", "rule_id": "GHSA-vpq2-c234-7xj6", "scanner": "osv-scanner", "correlation_key": "vuln|tootallnate/once|CVE-2026-3449|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 67074, "scanner": "repobility-docker", "fingerprint": "0bcd27e26147777547148be9f451cce8b1f10bd27d32d1fc7a1f9f84c69173af", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|0bcd27e26147777547148be9f451cce8b1f10bd27d32d1fc7a1f9f84c69173af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/manual-test-radius-tls/compose.yaml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 67070, "scanner": "repobility-docker", "fingerprint": "1bf97f215ddc04b8b3c9dc211a4794eb9cef2ebb81fcf775b04a10c5c424ab97", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", 
"isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|1bf97f215ddc04b8b3c9dc211a4794eb9cef2ebb81fcf775b04a10c5c424ab97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/manual-test-radius/compose.yaml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 67066, "scanner": "repobility-docker", "fingerprint": "b364c4856ec2ad42233f8e78053ceebc1f370c021e246e54af3469ffd1bf91a5", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "uptime-kuma", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b364c4856ec2ad42233f8e78053ceebc1f370c021e246e54af3469ffd1bf91a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 67065, "scanner": "repobility-docker", "fingerprint": "9ec06894f14b29a3d09ad6c91b109f3133d09adb22f82aaf4886507a64043fc2", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "uptime-kuma", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9ec06894f14b29a3d09ad6c91b109f3133d09adb22f82aaf4886507a64043fc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 67064, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 67042, "scanner": "repobility-threat-engine", "fingerprint": "4fb996815c9ed0492d92e80c4623053e7a0b2dc65fd0b1d53395b2b43119a766", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"../lang/\" + lang + \".json\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4fb996815c9ed0492d92e80c4623053e7a0b2dc65fd0b1d53395b2b43119a766"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mixins/lang.js"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 67041, "scanner": "repobility-threat-engine", "fingerprint": "ab28e67acf508a218ecd7135b498ce95fe1e9d0d9e270e1e6f771132c184f906", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Connecting to \" + localWebSocketURL + \" to disconnect all other socket clients\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ab28e67acf508a218ecd7135b498ce95fe1e9d0d9e270e1e6f771132c184f906"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/reset-password.js"}, "region": {"startLine": 109}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `liquidjs` is minor version(s) behind (10.26.0 -> 10.27.0)"}, "properties": {"repobilityId": 67004, "scanner": "repobility-dependency-currency", "fingerprint": "b9acaf7d587d5fdc9e52946c89e88221173e458aa20271268a39e4c2ac1bc873", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "liquidjs", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.27.0", "correlation_key": "fp|b9acaf7d587d5fdc9e52946c89e88221173e458aa20271268a39e4c2ac1bc873", "current_version": "10.26.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `knex` is minor version(s) behind (3.1.0 -> 3.2.10)"}, 
"properties": {"repobilityId": 67002, "scanner": "repobility-dependency-currency", "fingerprint": "36e431a14a7a1800183e72584a4dce2bb8bb3bab9d9b9d95a73ce17628e4dc9a", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "knex", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.2.10", "correlation_key": "fp|36e431a14a7a1800183e72584a4dce2bb8bb3bab9d9b9d95a73ce17628e4dc9a", "current_version": "3.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `jsonata` is minor version(s) behind (2.1.1 -> 2.2.1)"}, "properties": {"repobilityId": 67000, "scanner": "repobility-dependency-currency", "fingerprint": "10b35b3f7998c3333295b732afda43be55eeb93f4971134f9e5fee7d403ca857", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jsonata", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.2.1", "correlation_key": "fp|10b35b3f7998c3333295b732afda43be55eeb93f4971134f9e5fee7d403ca857", "current_version": "2.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `jsesc` is minor version(s) behind (3.0.2 -> 3.1.0)"}, "properties": {"repobilityId": 66999, "scanner": "repobility-dependency-currency", "fingerprint": "50fc25e7e907e1e1b443fbcde8135494804e9087d3d3dc2c277bc34c1c100af7", "category": "dependency", "severity": "low", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jsesc", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.1.0", "correlation_key": "fp|50fc25e7e907e1e1b443fbcde8135494804e9087d3d3dc2c277bc34c1c100af7", "current_version": "3.0.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `iconv-lite` is minor version(s) behind (0.4.24 -> 0.7.2)"}, "properties": {"repobilityId": 66998, "scanner": "repobility-dependency-currency", "fingerprint": "ed0938be7385ec5ea73973441b1b74fb0854f667cf2c9181e8b45937d5b0aec8", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "iconv-lite", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.7.2", "correlation_key": "fp|ed0938be7385ec5ea73973441b1b74fb0854f667cf2c9181e8b45937d5b0aec8", "current_version": "0.4.24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `cheerio` is minor version(s) behind (1.0.0 -> 1.2.0)"}, "properties": {"repobilityId": 66987, "scanner": "repobility-dependency-currency", "fingerprint": "59bfd65aff4e8a2a403443b6b7108c27af788397df60aeceab9ba1cb8975b6c2", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cheerio", 
"scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.2.0", "correlation_key": "fp|59bfd65aff4e8a2a403443b6b7108c27af788397df60aeceab9ba1cb8975b6c2", "current_version": "1.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@grpc/grpc-js` is minor version(s) behind (1.8.22 -> 1.14.4)"}, "properties": {"repobilityId": 66981, "scanner": "repobility-dependency-currency", "fingerprint": "09ef159eb2959ddcf15b4ae84bcba7581afd4099ea8d342643abb82196460824", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@grpc/grpc-js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.14.4", "correlation_key": "fp|09ef159eb2959ddcf15b4ae84bcba7581afd4099ea8d342643abb82196460824", "current_version": "1.8.22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66965, "scanner": "repobility-ai-code-hygiene", "fingerprint": "851dafee93d90ac51bc8e2a66db1b3d040b0242d1c863623e590f01712169862", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/APIKeyDialog.vue", "duplicate_line": 144, "correlation_key": 
"fp|851dafee93d90ac51bc8e2a66db1b3d040b0242d1c863623e590f01712169862"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/RemoteBrowserDialog.vue"}, "region": {"startLine": 149}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66964, "scanner": "repobility-ai-code-hygiene", "fingerprint": "edeb929ec7f4e28b7e06b8630bb5461b30bbb0104c6d90ac4d6ab0e21efbc1ed", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/DockerHostDialog.vue", "duplicate_line": 46, "correlation_key": "fp|edeb929ec7f4e28b7e06b8630bb5461b30bbb0104c6d90ac4d6ab0e21efbc1ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/RemoteBrowserDialog.vue"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66963, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e06f7e253c66cebb94260db991af5f6dd92f470baf6062644738722d2f311ffd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/BadgeLinkGeneratorDialog.vue", "duplicate_line": 304, "correlation_key": "fp|e06f7e253c66cebb94260db991af5f6dd92f470baf6062644738722d2f311ffd"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "src/components/ProxyDialog.vue"}, "region": {"startLine": 256}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66962, "scanner": "repobility-ai-code-hygiene", "fingerprint": "65ff8f66c56db38f262ad35f8046f9117faa2b0aadf07515778bda0f6f474e98", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/APIKeyDialog.vue", "duplicate_line": 144, "correlation_key": "fp|65ff8f66c56db38f262ad35f8046f9117faa2b0aadf07515778bda0f6f474e98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ProxyDialog.vue"}, "region": {"startLine": 255}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66961, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b9fe1212b6c5e46b3b1d56120342d84defb498bc2f93b2153c5687e84e784e68", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/CreateGroupDialog.vue", "duplicate_line": 59, "correlation_key": "fp|b9fe1212b6c5e46b3b1d56120342d84defb498bc2f93b2153c5687e84e784e68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ProxyDialog.vue"}, "region": {"startLine": 246}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated 
implementation block across source files"}, "properties": {"repobilityId": 66960, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f90ec9af0f87d4eb7afb2ab2b4832f1b86e4681d9f52eacbcfd0ef05acec1689", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/DockerHostDialog.vue", "duplicate_line": 47, "correlation_key": "fp|f90ec9af0f87d4eb7afb2ab2b4832f1b86e4681d9f52eacbcfd0ef05acec1689"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ProxyDialog.vue"}, "region": {"startLine": 114}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66959, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c5fe4d897b0dc4b581b225820893e0d820035003e9c356120bc691a1a6d424d3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/NotificationDialog.vue", "duplicate_line": 124, "correlation_key": "fp|c5fe4d897b0dc4b581b225820893e0d820035003e9c356120bc691a1a6d424d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ProxyDialog.vue"}, "region": {"startLine": 113}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66958, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"5e23167711b2c7b7f8d7a537ab614b474c72397e1977169f0032a4127a54b408", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/BadgeLinkGeneratorDialog.vue", "duplicate_line": 304, "correlation_key": "fp|5e23167711b2c7b7f8d7a537ab614b474c72397e1977169f0032a4127a54b408"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/NotificationDialog.vue"}, "region": {"startLine": 437}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66957, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b765b11c8d33fcb0eeb9cf520e1fdd2859823ab7a06ddaf7a4cc99eb5a0b21d7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/APIKeyDialog.vue", "duplicate_line": 144, "correlation_key": "fp|b765b11c8d33fcb0eeb9cf520e1fdd2859823ab7a06ddaf7a4cc99eb5a0b21d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/NotificationDialog.vue"}, "region": {"startLine": 436}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66956, "scanner": "repobility-ai-code-hygiene", "fingerprint": "82f88d1d3c743c67c11a0f592205a7cf14d28d4c4d382ea7fb0d543e0a1c0413", "category": "quality", "severity": "low", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/CreateGroupDialog.vue", "duplicate_line": 59, "correlation_key": "fp|82f88d1d3c743c67c11a0f592205a7cf14d28d4c4d382ea7fb0d543e0a1c0413"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/NotificationDialog.vue"}, "region": {"startLine": 427}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66955, "scanner": "repobility-ai-code-hygiene", "fingerprint": "387aac2621afa15333316649a44954559b4da017c61c07761615d2d2ca1a603f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/DockerHostDialog.vue", "duplicate_line": 47, "correlation_key": "fp|387aac2621afa15333316649a44954559b4da017c61c07761615d2d2ca1a603f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/NotificationDialog.vue"}, "region": {"startLine": 125}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66954, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4f01beebbe13f54e689110e7bf3a6d9371a8a0fee730380cded9783d487e3104", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different 
non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/BadgeLinkGeneratorDialog.vue", "duplicate_line": 304, "correlation_key": "fp|4f01beebbe13f54e689110e7bf3a6d9371a8a0fee730380cded9783d487e3104"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/MonitorSettingDialog.vue"}, "region": {"startLine": 118}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66953, "scanner": "repobility-ai-code-hygiene", "fingerprint": "57d95964bd47d5eb91c7fda23b7d263ee63d5276f960d03abe7e96812f28fe18", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/APIKeyDialog.vue", "duplicate_line": 144, "correlation_key": "fp|57d95964bd47d5eb91c7fda23b7d263ee63d5276f960d03abe7e96812f28fe18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/MonitorSettingDialog.vue"}, "region": {"startLine": 117}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66952, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7a24161c2314e32f4d28d366684138a60b66fb566095f0aa63c172f7a805bf74", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "src/components/CopyableInput.vue", "duplicate_line": 63, "correlation_key": "fp|7a24161c2314e32f4d28d366684138a60b66fb566095f0aa63c172f7a805bf74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/HiddenInput.vue"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66951, "scanner": "repobility-ai-code-hygiene", "fingerprint": "00f95b4ecf7060f072eb548f3eead195aadd18ee59f7eec9e571e9fa8df68c2a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/ActionInput.vue", "duplicate_line": 45, "correlation_key": "fp|00f95b4ecf7060f072eb548f3eead195aadd18ee59f7eec9e571e9fa8df68c2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/EditMonitorConditions.vue"}, "region": {"startLine": 61}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66950, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0b97c59788423dad20b3e4cf496f29da19456c090e404fc5c1d99952285461e1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/EditMonitorConditionGroup.vue", "duplicate_line": 39, "correlation_key": 
"fp|0b97c59788423dad20b3e4cf496f29da19456c090e404fc5c1d99952285461e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/EditMonitorConditions.vue"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66949, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1dcf18118ab1b0a2fdf237c7f48ac6d07e217f378d870129c91ce12e60ca4832", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/EditMonitorCondition.vue", "duplicate_line": 57, "correlation_key": "fp|1dcf18118ab1b0a2fdf237c7f48ac6d07e217f378d870129c91ce12e60ca4832"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/EditMonitorConditionGroup.vue"}, "region": {"startLine": 91}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66948, "scanner": "repobility-ai-code-hygiene", "fingerprint": "93fca107d7d4205acee2c746a5434437268b22467ad250f01c24891afe71cbe6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/BadgeLinkGeneratorDialog.vue", "duplicate_line": 304, "correlation_key": "fp|93fca107d7d4205acee2c746a5434437268b22467ad250f01c24891afe71cbe6"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "src/components/DockerHostDialog.vue"}, "region": {"startLine": 166}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66947, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a15caacc54747f234a7f91a1266b24fe53b4bb7e193dcc4b1a177ff4dafa95ab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/APIKeyDialog.vue", "duplicate_line": 144, "correlation_key": "fp|a15caacc54747f234a7f91a1266b24fe53b4bb7e193dcc4b1a177ff4dafa95ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/DockerHostDialog.vue"}, "region": {"startLine": 165}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66946, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ebba71dc487e3ad5eda17b8f6c77dfb86b53040331a9d90342feea9c61c5d078", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/APIKeyDialog.vue", "duplicate_line": 144, "correlation_key": "fp|ebba71dc487e3ad5eda17b8f6c77dfb86b53040331a9d90342feea9c61c5d078"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/BadgeLinkGeneratorDialog.vue"}, "region": {"startLine": 303}}}]}, {"ruleId": "AIC003", "level": "note", 
"message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66945, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5b458aa551a0d82bd4703250536ebee4aa828ab3833191ebffd56bcfdbb34d14", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/ActionInput.vue", "duplicate_line": 46, "correlation_key": "fp|5b458aa551a0d82bd4703250536ebee4aa828ab3833191ebffd56bcfdbb34d14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ActionSelect.vue"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66944, "scanner": "repobility-ai-code-hygiene", "fingerprint": "429420eac6a070f82650477c0165cbbb676e5f5038f73b63b48fc540097a99b7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/socket-handlers/docker-socket-handler.js", "duplicate_line": 29, "correlation_key": "fp|429420eac6a070f82650477c0165cbbb676e5f5038f73b63b48fc540097a99b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/socket-handlers/remote-browser-socket-handler.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66943, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "33c7ebcedaba405a0dac3cde5c0cd502849ffdf070fbe7e2cb13bc36c879b2b9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/socket-handlers/docker-socket-handler.js", "duplicate_line": 29, "correlation_key": "fp|33c7ebcedaba405a0dac3cde5c0cd502849ffdf070fbe7e2cb13bc36c879b2b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/socket-handlers/proxy-socket-handler.js"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66942, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ac870d479c1e50482a14fbc78a881ded29b6cd10bc37866700259ccd32951d31", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/notification-providers/pushplus.js", "duplicate_line": 23, "correlation_key": "fp|ac870d479c1e50482a14fbc78a881ded29b6cd10bc37866700259ccd32951d31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/notification-providers/wpush.js"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66941, "scanner": "repobility-ai-code-hygiene", "fingerprint": "433665ddbc8c3a68127c848afc8fb9cc23bed50531de9b388090c4e1d5b631c2", 
"category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/notification-providers/pagerduty.js", "duplicate_line": 36, "correlation_key": "fp|433665ddbc8c3a68127c848afc8fb9cc23bed50531de9b388090c4e1d5b631c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/notification-providers/splunk.js"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66940, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9541f9cd2e0072417a1310063913216495ecaf5cd533f7e7e6706fc657795807", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/notification-providers/pushplus.js", "duplicate_line": 23, "correlation_key": "fp|9541f9cd2e0072417a1310063913216495ecaf5cd533f7e7e6706fc657795807"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/notification-providers/serverchan.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66939, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f35703d99e70b61b37354b24df3666e6329bb4fd88e919e768c2b78904b8aefc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/notification-providers/discord.js", "duplicate_line": 107, "correlation_key": "fp|f35703d99e70b61b37354b24df3666e6329bb4fd88e919e768c2b78904b8aefc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/notification-providers/fluxer.js"}, "region": {"startLine": 84}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66938, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a51e0814082413b018720c76a224a0d5150797bd991676bae6964c30c1d3de60", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/monitor-types/mssql.js", "duplicate_line": 33, "correlation_key": "fp|a51e0814082413b018720c76a224a0d5150797bd991676bae6964c30c1d3de60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/monitor-types/oracledb.js"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66937, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3904524aa3b0fa81ea7cc0921b4de60f9bd16c91759c89315977e420227ddb55", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", 
"scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/monitor-types/mssql.js", "duplicate_line": 33, "correlation_key": "fp|3904524aa3b0fa81ea7cc0921b4de60f9bd16c91759c89315977e420227ddb55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/monitor-types/mysql.js"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66936, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0555c260ad81bfcd1b8192c8bae4253572250edad09e84a6b103fb97ec031751", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "extra/remove-2fa.js", "duplicate_line": 27, "correlation_key": "fp|0555c260ad81bfcd1b8192c8bae4253572250edad09e84a6b103fb97ec031751"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/reset-password.js"}, "region": {"startLine": 62}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 66934, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9c754e77919b07d77410a80c140d0b20c6ffb7d234ebbaa4b34720df2e773737", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "fix", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|9c754e77919b07d77410a80c140d0b20c6ffb7d234ebbaa4b34720df2e773737"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "db/knex_migrations/2025-10-15-0000-stat-table-fix.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 67059, "scanner": "repobility-docker", "fingerprint": "a366c3d451a055c6d08ded05c5ee0908bf0fa7ff8b24899a7aa6a34b041f6cbd", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASE_IMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|a366c3d451a055c6d08ded05c5ee0908bf0fa7ff8b24899a7aa6a34b041f6cbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/dockerfile"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 67055, "scanner": "repobility-threat-engine", "fingerprint": "8afbb862d011875f6d68fc4c16eba6c80ec5a1b30168d3a33c136ff45a451fcc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|8afbb862d011875f6d68fc4c16eba6c80ec5a1b30168d3a33c136ff45a451fcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/i18n.js"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 67044, "scanner": "repobility-threat-engine", "fingerprint": "a88bd8e719041669e7177db2f995cab89eff5ba0f9ccea767c0effbf97a2b309", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a88bd8e719041669e7177db2f995cab89eff5ba0f9ccea767c0effbf97a2b309"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/simple-mqtt-server.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 67043, "scanner": "repobility-threat-engine", "fingerprint": "d3986a9b54f3368ab41aeeba5c58a5a3ed02534b232ee3e94b2d862d90a22aa8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|d3986a9b54f3368ab41aeeba5c58a5a3ed02534b232ee3e94b2d862d90a22aa8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/reset-password.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 67040, "scanner": "repobility-threat-engine", "fingerprint": "6a0dc864d551236f2f3ec58e097d65ca6e2d002e901e1170e83d2d3316a26540", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log(password.toString(\"utf-8\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|extra/simple-mqtt-server.js|3|console.log password.tostring utf-8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/simple-mqtt-server.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 67039, "scanner": "repobility-threat-engine", "fingerprint": "494508cf973f8da84e7c761a1daeb1949cb9fee054f3df7f794387532227f3f1", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log(\"== Uptime Kuma Reset Password Tool ==\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|extra/reset-password.js|1|console.log uptime kuma reset password tool"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/reset-password.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 67038, "scanner": "repobility-threat-engine", "fingerprint": "4888a7f2d95e1334850750ba0611e2c2a23c368ce50109969c246a2c925d3677", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4888a7f2d95e1334850750ba0611e2c2a23c368ce50109969c246a2c925d3677"}}}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 67032, "scanner": "repobility-threat-engine", "fingerprint": "d4b1df0247457e174b6341722153d8d6c0b4bf98eece3746e72f0fd9f1cf1699", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d4b1df0247457e174b6341722153d8d6c0b4bf98eece3746e72f0fd9f1cf1699"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/push-examples/java/index.java"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "properties": {"repobilityId": 67031, "scanner": "repobility-threat-engine", "fingerprint": "21f9b19bf145e822b0c5c5789b2278cc43f3990a124eca4b75955feb3ebfffc3", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 21 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 21 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|21f9b19bf145e822b0c5c5789b2278cc43f3990a124eca4b75955feb3ebfffc3"}}}, {"ruleId": "SEC134", "level": "none", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 67027, "scanner": "repobility-threat-engine", "fingerprint": "c86a8223d36e18524aeee3169632549ad0e22449690a236f9850ddf0d78b00dc", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c86a8223d36e18524aeee3169632549ad0e22449690a236f9850ddf0d78b00dc"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 67014, "scanner": "repobility-threat-engine", "fingerprint": "0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "aggregated_count": 3}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 67013, "scanner": "repobility-threat-engine", "fingerprint": "d78712de32ccfd80b82de5666c828c79a2b16a2966163211679d736370b159e1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d78712de32ccfd80b82de5666c828c79a2b16a2966163211679d736370b159e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/notification-providers/aliyun-sms.js"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 67012, "scanner": "repobility-threat-engine", "fingerprint": "b19f5a50290b54e7bb2f90922e00ea1bba69b077026c81ff8e6c587c91013127", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b19f5a50290b54e7bb2f90922e00ea1bba69b077026c81ff8e6c587c91013127"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/docker.js"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 67011, "scanner": "repobility-threat-engine", "fingerprint": "6a49414ca8a37d1c85951e913f9b5a4cae4a3fb342c28d0210455d799c7ea99d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a49414ca8a37d1c85951e913f9b5a4cae4a3fb342c28d0210455d799c7ea99d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/download-apprise.mjs"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 29 more): Same pattern found in 29 additional files. 
Review if needed."}, "properties": {"repobilityId": 67010, "scanner": "repobility-threat-engine", "fingerprint": "0544e6fe05f555556705d7f64dbdc12942be0f7ce56998ffde430121732b8770", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 29 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0544e6fe05f555556705d7f64dbdc12942be0f7ce56998ffde430121732b8770", "aggregated_count": 29}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 67009, "scanner": "repobility-threat-engine", "fingerprint": "31182005ca9e6c5e2282a49e87dd493053fc2b042137db44177680c3d91e0c6c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|31182005ca9e6c5e2282a49e87dd493053fc2b042137db44177680c3d91e0c6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/check-knex-filenames.mjs"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 67008, "scanner": "repobility-threat-engine", "fingerprint": "9283a9aa5b8c9f694245fab1f38792019e127ca604c6da8933fd975a4222b7ef", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9283a9aa5b8c9f694245fab1f38792019e127ca604c6da8933fd975a4222b7ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/build-healthcheck.js"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 67007, "scanner": "repobility-threat-engine", "fingerprint": "62902fb887c45a4d0b24649cbe547dfd99fa1b2444ed6b7d427d02574943e695", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|62902fb887c45a4d0b24649cbe547dfd99fa1b2444ed6b7d427d02574943e695"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/beta/update-version.mjs"}, "region": {"startLine": 13}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /api/badge/:id/response."}, "properties": {"repobilityId": 67117, "scanner": "repobility-access-control", "fingerprint": "04de4760e275033a795e6e33d80eb78542aefc4830b83ce877e35ac8180a7b8a", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/badge/:id/response", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|507|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routers/api-router.js"}, "region": {"startLine": 507}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /api/badge/:id/cert-exp."}, "properties": {"repobilityId": 67116, "scanner": "repobility-access-control", "fingerprint": "ef46d6e16a34ee0a5491fb6c42ce4b2764e910c25ce855616aed38e453d322e4", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/badge/:id/cert-exp", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|424|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routers/api-router.js"}, "region": {"startLine": 424}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /api/badge/:id/avg-response/:duration?."}, "properties": {"repobilityId": 67115, "scanner": "repobility-access-control", "fingerprint": "d4a074bc6640f57e50516b1ce93d26abc60efdb6f118d64d7230db0760a9e0e0", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/badge/:id/avg-response/:duration?", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|351|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routers/api-router.js"}, "region": {"startLine": 351}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /api/badge/:id/ping/:duration?."}, "properties": {"repobilityId": 67114, "scanner": "repobility-access-control", "fingerprint": "823ef478f94090c0a1d211b69721c45f72570dabbfc84a3e7a96db20f8178622", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/badge/:id/ping/:duration?", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|285|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routers/api-router.js"}, "region": {"startLine": 285}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /api/badge/:id/uptime/:duration?."}, "properties": {"repobilityId": 67113, "scanner": "repobility-access-control", "fingerprint": "597281748c30ac10d036d8d146ad2381cc9b2f56114e57783144d529d3415186", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/badge/:id/uptime/:duration?", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|221|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routers/api-router.js"}, "region": {"startLine": 221}}}]}, {"ruleId": "GHSA-vrm6-8vpv-qv8q", "level": "error", "message": {"text": "undici: GHSA-vrm6-8vpv-qv8q"}, "properties": {"repobilityId": 67107, "scanner": "osv-scanner", "fingerprint": "e45d13b5e2f69241b22bb1fc1ff82cbed971cdf04af69369865003df1ea23afe", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-1526"], "package": "undici", "rule_id": "GHSA-vrm6-8vpv-qv8q", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-1526|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v9p9-hfj2-hcw8", "level": "error", "message": {"text": "undici: GHSA-v9p9-hfj2-hcw8"}, "properties": {"repobilityId": 67106, "scanner": "osv-scanner", "fingerprint": "82040bd5665fce641fcaa19acfed7b887235c7fba67abcc71d7634c0d7442f02", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2229"], "package": "undici", "rule_id": 
"GHSA-v9p9-hfj2-hcw8", "scanner": "osv-scanner", "correlation_key": "vuln|undici|CVE-2026-2229|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r6q2-hw4h-h46w", "level": "error", "message": {"text": "tar: GHSA-r6q2-hw4h-h46w"}, "properties": {"repobilityId": 67102, "scanner": "osv-scanner", "fingerprint": "7db5bbfb918ed38d76af37cf80e02b458b9801396cf65c517393e3e27f2027ff", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-23950"], "package": "tar", "rule_id": "GHSA-r6q2-hw4h-h46w", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-23950|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qffp-2rhf-9h96", "level": "error", "message": {"text": "tar: GHSA-qffp-2rhf-9h96"}, "properties": {"repobilityId": 67101, "scanner": "osv-scanner", "fingerprint": "0cadc968d5f09288d0f7e175f9e57c30558d40af97a63675a0cdc5aac733c050", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-29786"], "package": "tar", "rule_id": "GHSA-qffp-2rhf-9h96", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-29786|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9ppj-qmqm-q256", "level": "error", "message": {"text": "tar: GHSA-9ppj-qmqm-q256"}, "properties": {"repobilityId": 67100, "scanner": "osv-scanner", "fingerprint": "be8780a0a337b6985f59beb6a9f4e6b68128dc76f9275db9e1b8b2c403e73a5f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-31802"], "package": "tar", "rule_id": "GHSA-9ppj-qmqm-q256", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-31802|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8qq5-rm4j-mr97", "level": "error", "message": {"text": "tar: GHSA-8qq5-rm4j-mr97"}, "properties": {"repobilityId": 67099, "scanner": "osv-scanner", "fingerprint": "2abe8462acdc01bfb64182b348b938234ee8eb1feef4654aa599072f3d832a43", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-23745"], "package": "tar", "rule_id": "GHSA-8qq5-rm4j-mr97", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-23745|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-83g3-92jg-28cx", "level": "error", "message": {"text": "tar: GHSA-83g3-92jg-28cx"}, "properties": {"repobilityId": 67098, "scanner": "osv-scanner", "fingerprint": "8871680d469755dbb1f4b307b09f46b798a88f8175f3caace198cbfab90a9031", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26960"], "package": "tar", "rule_id": "GHSA-83g3-92jg-28cx", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-26960|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-34x7-hfp2-rc4v", "level": "error", "message": {"text": "tar: GHSA-34x7-hfp2-rc4v"}, "properties": {"repobilityId": 67097, "scanner": "osv-scanner", "fingerprint": 
"827b1e133b1d1fae4bbe3a6bec8b3421b9bdabd2fca4b92f5a0562718d9eabf3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24842"], "package": "tar", "rule_id": "GHSA-34x7-hfp2-rc4v", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-24842|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jvwf-75h9-cwgg", "level": "error", "message": {"text": "protobufjs: GHSA-jvwf-75h9-cwgg"}, "properties": {"repobilityId": 67093, "scanner": "osv-scanner", "fingerprint": "fb3c6689ad0f74f4eb4ab460870246fafb6133428f22049cdf1b015adca490c5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44290"], "package": "protobufjs", "rule_id": "GHSA-jvwf-75h9-cwgg", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44290|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-75px-5xx7-5xc7", "level": "error", "message": {"text": "protobufjs: GHSA-75px-5xx7-5xc7"}, "properties": {"repobilityId": 67090, "scanner": "osv-scanner", "fingerprint": "0a6ddf9978a562020435183e48029376cfed3e935f48f0113e8aa4a01c238379", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44291"], "package": "protobufjs", "rule_id": "GHSA-75px-5xx7-5xc7", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44291|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"GHSA-685m-2w69-288q", "level": "error", "message": {"text": "protobufjs: GHSA-685m-2w69-288q"}, "properties": {"repobilityId": 67089, "scanner": "osv-scanner", "fingerprint": "01768ce98dc433df81605ccb86016f17163ba24fd95e45016e3e0c8a8527a0d8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44289"], "package": "protobufjs", "rule_id": "GHSA-685m-2w69-288q", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44289|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-66ff-xgx4-vchm", "level": "error", "message": {"text": "protobufjs: GHSA-66ff-xgx4-vchm"}, "properties": {"repobilityId": 67088, "scanner": "osv-scanner", "fingerprint": "21b1b5d58bc3ccdf242c6a8306e0393f881e2dc87deba518fdf67f2fe9b70961", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44293"], "package": "protobufjs", "rule_id": "GHSA-66ff-xgx4-vchm", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44293|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7mvr-c777-76hp", "level": "error", "message": {"text": "playwright: GHSA-7mvr-c777-76hp"}, "properties": {"repobilityId": 67086, "scanner": "osv-scanner", "fingerprint": "a30b2e6c21afd79bd953ed73fe5cd35258a93cf2a8fcc681bc5681c5382a1ad9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-59288"], "package": "playwright", "rule_id": "GHSA-7mvr-c777-76hp", "scanner": "osv-scanner", "correlation_key": 
"vuln|playwright|CVE-2025-59288|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 67083, "scanner": "osv-scanner", "fingerprint": "eefef250e5a6e239df447b5946f207cdb0dd68151255b2332fb8ba8f476755c1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 67082, "scanner": "osv-scanner", "fingerprint": "51db4fe99f02113d5057e54849a1514660f72202efa765a619a8195e282ff31f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 67081, "scanner": "osv-scanner", "fingerprint": "f4f398661d95064420cba5942b7bc163815b09d09751c05f0247afa0ed407b54", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 67080, "scanner": "osv-scanner", "fingerprint": "069f9bb4f0a38c36ca2992b2ffe11f999b2e5befc1dec86319fea7bbf65a679b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-4800|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5j98-mcp5-4vw2", "level": "error", "message": {"text": "glob: GHSA-5j98-mcp5-4vw2"}, "properties": {"repobilityId": 67078, "scanner": "osv-scanner", "fingerprint": "eb490bd1b89973ff050f29fea98c6d9f88110605102c7a249218d08c2cfd6d73", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64756"], "package": "glob", "rule_id": "GHSA-5j98-mcp5-4vw2", "scanner": "osv-scanner", "correlation_key": "vuln|glob|CVE-2025-64756|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 67072, "scanner": "repobility-docker", "fingerprint": 
"94610bdfdf4f4f101f4652046c84431a244486d357fcf5eee5b0368c25ef1f77", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "6380:6380", "target": "6380", "host_ip": "", "published": "6380"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|94610bdfdf4f4f101f4652046c84431a244486d357fcf5eee5b0368c25ef1f77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/manual-test-radius-tls/compose.yaml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 67068, "scanner": "repobility-docker", "fingerprint": "f1dd209da36b23ec930268f940b9e9e001786586e9977c7ffa31eb58b25f9c60", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "6379:6379", "target": "6379", "host_ip": "", "published": "6379"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|f1dd209da36b23ec930268f940b9e9e001786586e9977c7ffa31eb58b25f9c60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/manual-test-radius/compose.yaml"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED004", 
"level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 67052, "scanner": "repobility-threat-engine", "fingerprint": "4975a184b007d258f4364311ea444f0610056e5b99f7aac0170ac12a299ba973", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4975a184b007d258f4364311ea444f0610056e5b99f7aac0170ac12a299ba973"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/password-hash.js"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 67051, "scanner": "repobility-threat-engine", "fingerprint": "2e96615f4d0114999c6df4a5b882b8eaaa1f14e1e07f0fb7246ae996dc413c6d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2e96615f4d0114999c6df4a5b882b8eaaa1f14e1e07f0fb7246ae996dc413c6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"server/notification-providers/aliyun-sms.js"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 67047, "scanner": "repobility-threat-engine", "fingerprint": "0a1d464cf1e13a704d3746bb21f92877127ed11a6c2b1fba451e0a3f5df6c640", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "connection.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0a1d464cf1e13a704d3746bb21f92877127ed11a6c2b1fba451e0a3f5df6c640"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/monitor-types/mysql.js"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 67046, "scanner": "repobility-threat-engine", "fingerprint": "bda9fb576f99f2aed12e34a463b50c19e56035d1675964cb09ad98a30908f514", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.delete(key);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bda9fb576f99f2aed12e34a463b50c19e56035d1675964cb09ad98a30908f514"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/modules/apicache/memory-cache.js"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 67034, "scanner": "repobility-threat-engine", "fingerprint": "9f9604103e2754344e75db36b832484aab86aac908eb0862ed63a5d86c42981d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(executablePath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9f9604103e2754344e75db36b832484aab86aac908eb0862ed63a5d86c42981d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/monitor-types/real-browser-monitor-type.js"}, "region": {"startLine": 164}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 67033, "scanner": "repobility-threat-engine", "fingerprint": "e1912640eba259a237fd8484815c7059951779a4d7524871b6f7905196f2a161", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e1912640eba259a237fd8484815c7059951779a4d7524871b6f7905196f2a161"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/release/lib.mjs"}, "region": {"startLine": 241}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 67030, "scanner": "repobility-threat-engine", "fingerprint": "21e598497d3fa979387c95150757dd32363e8118977ea61e6da4a2b60e83a3b2", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "urllib.request.urlopen(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|21e598497d3fa979387c95150757dd32363e8118977ea61e6da4a2b60e83a3b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/push-examples/python/index.py"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 67029, "scanner": "repobility-threat-engine", "fingerprint": "e9445b11707c90defd26d33c260997142f5593c0accabb971b956529893d3ad9", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(P", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e9445b11707c90defd26d33c260997142f5593c0accabb971b956529893d3ad9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/push-examples/java/index.java"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 67028, "scanner": "repobility-threat-engine", "fingerprint": "c44a3ff6f136dad494beb8d931759556966e2a07305c5173c81a9d286ab9669f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Get(P", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c44a3ff6f136dad494beb8d931759556966e2a07305c5173c81a9d286ab9669f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/push-examples/go/index.go"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 67023, "scanner": "repobility-threat-engine", "fingerprint": "5d002fe734c884d9b24daed5aaa7b5124bdd29648c02103d6e9a90e8a88056e6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5d002fe734c884d9b24daed5aaa7b5124bdd29648c02103d6e9a90e8a88056e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/uptime-kuma-push/uptime-kuma-push.go"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not 
checked. Go anti-pattern."}, "properties": {"repobilityId": 67022, "scanner": "repobility-threat-engine", "fingerprint": "c2c455b0099e90dcc7eb05ff0db71eb025047574df12c29cb54c9d5a53863286", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c2c455b0099e90dcc7eb05ff0db71eb025047574df12c29cb54c9d5a53863286"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/push-examples/go/index.go"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 67021, "scanner": "repobility-threat-engine", "fingerprint": "c07105d3a12a808eda2d8adad6ef4c05b5d40fddf8a189bab79230f00f5b0df3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c07105d3a12a808eda2d8adad6ef4c05b5d40fddf8a189bab79230f00f5b0df3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/healthcheck.go"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 67020, "scanner": "repobility-threat-engine", "fingerprint": "59e0909f4530ec052edbeeef16b687ebd339876367736afbbd795186dbc86992", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|59e0909f4530ec052edbeeef16b687ebd339876367736afbbd795186dbc86992"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/notification-providers/teltonika.js"}, "region": {"startLine": 51}}}]}, {"ruleId": 
"MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 67019, "scanner": "repobility-threat-engine", "fingerprint": "0bc392838691a27f694f64132b359166f86d8b986f899fccceee63ee3b8467b8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0bc392838691a27f694f64132b359166f86d8b986f899fccceee63ee3b8467b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/healthcheck.go"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC088", "level": "error", "message": {"text": "[SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification \u2014 MITM risk. 
Ported from gosec G402 (Apache-2.0)."}, "properties": {"repobilityId": 67018, "scanner": "repobility-threat-engine", "fingerprint": "36d49c8e188030ec1546d7beea5df27c0bb0eaa8d794dd0182f4dc571e7e73e0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "InsecureSkipVerify: true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC088", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|36d49c8e188030ec1546d7beea5df27c0bb0eaa8d794dd0182f4dc571e7e73e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/healthcheck.go"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 67017, "scanner": "repobility-threat-engine", "fingerprint": "03ead5d037eb4a6699f71cd6f295e20eb76614b8bcd04cc338b73955696c0ee8", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((item) => `@${item}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|03ead5d037eb4a6699f71cd6f295e20eb76614b8bcd04cc338b73955696c0ee8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/notification-providers/dingding.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 67016, "scanner": "repobility-threat-engine", "fingerprint": "efb3312a5b348bb301a936ac13416748cff728ef29872d0e23e54f6a8d5f8947", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((record) => `Hostname: ${record.exchange} - Priority: ${record.priority}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|efb3312a5b348bb301a936ac13416748cff728ef29872d0e23e54f6a8d5f8947"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/monitor-types/dns.js"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 67015, "scanner": "repobility-threat-engine", "fingerprint": "f277b4b1733ca7c218e3fa62045e2ae8bd894c431d884f78c457a451a4f31cca", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((num) => `#${num}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f277b4b1733ca7c218e3fa62045e2ae8bd894c431d884f78c457a451a4f31cca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/generate-changelog.mjs"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `debian:bookworm-slim` not pinned by digest"}, "properties": {"repobilityId": 66979, "scanner": "repobility-supply-chain", "fingerprint": "46b1ac03757b2f828c49eed1d826179cde05675622065946717fe88f7872a4cd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|46b1ac03757b2f828c49eed1d826179cde05675622065946717fe88f7872a4cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/uptime-kuma-push/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:22-bookworm-slim` not pinned by digest"}, "properties": {"repobilityId": 66978, "scanner": "repobility-supply-chain", "fingerprint": 
"944e1c9f52d3d69fecbe7c9084542dc64ff77fedadeb360cf607a3c64e375c07", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|944e1c9f52d3d69fecbe7c9084542dc64ff77fedadeb360cf607a3c64e375c07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extra/uptime-kuma-push/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `louislam/uptime-kuma:base2` not pinned by digest"}, "properties": {"repobilityId": 66977, "scanner": "repobility-supply-chain", "fingerprint": "92b05e01805e242b40657979ee5960e43cab054f02750eb17390a88f4fb23f26", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|92b05e01805e242b40657979ee5960e43cab054f02750eb17390a88f4fb23f26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/dockerfile"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `louislam/uptime-kuma:base2` not pinned by digest"}, "properties": {"repobilityId": 66976, "scanner": "repobility-supply-chain", "fingerprint": "ceeabdb13abd641928780c66fe8af3d337dddf5eda6c7cff0392000ce9532a42", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": 
"A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ceeabdb13abd641928780c66fe8af3d337dddf5eda6c7cff0392000ce9532a42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/dockerfile"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `louislam/uptime-kuma:base2` not pinned by digest"}, "properties": {"repobilityId": 66975, "scanner": "repobility-supply-chain", "fingerprint": "240a0dd69834936070ac4267e87800adb2144df86b2f8851f72475a348c75a57", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|240a0dd69834936070ac4267e87800adb2144df86b2f8851f72475a348c75a57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `louislam/uptime-kuma:builder-go` not pinned by digest"}, "properties": {"repobilityId": 66974, "scanner": "repobility-supply-chain", "fingerprint": "f77c5c0071099fd8c6f71777c5473d7e6159f9a05d93a62afd8d11662893a887", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f77c5c0071099fd8c6f71777c5473d7e6159f9a05d93a62afd8d11662893a887"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"docker/dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `louislam/uptime-kuma:base2-slim` not pinned by digest"}, "properties": {"repobilityId": 66973, "scanner": "repobility-supply-chain", "fingerprint": "ea0984512fd8c24e22cf08a760cd4e3761c046626ed4eab2eb4e59d2fac6743b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ea0984512fd8c24e22cf08a760cd4e3761c046626ed4eab2eb4e59d2fac6743b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/debian-base.dockerfile"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:22-bookworm-slim` not pinned by digest"}, "properties": {"repobilityId": 66972, "scanner": "repobility-supply-chain", "fingerprint": "fd4038d2114c60935b70e553ce2da8e5e72ba278eb84cd49718e76626476b368", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fd4038d2114c60935b70e553ce2da8e5e72ba278eb84cd49718e76626476b368"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/debian-base.dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:22-bookworm-slim` not pinned by digest"}, "properties": {"repobilityId": 66971, "scanner": "repobility-supply-chain", "fingerprint": 
"479b8ff6ff47cc8bb57473cb2c6e86e102f46f95a569a2a8cc13466fcaff47ab", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|479b8ff6ff47cc8bb57473cb2c6e86e102f46f95a569a2a8cc13466fcaff47ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/debian-base.dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `golang:1-buster` not pinned by digest"}, "properties": {"repobilityId": 66970, "scanner": "repobility-supply-chain", "fingerprint": "fa49f5af7aeb7f47207e56e636a49be859a21b7244bca7282b80036ba42cc566", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fa49f5af7aeb7f47207e56e636a49be859a21b7244bca7282b80036ba42cc566"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/builder-go.dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `freeradius/freeradius-server:latest` not pinned by digest"}, "properties": {"repobilityId": 66969, "scanner": "repobility-supply-chain", "fingerprint": "e12a8ad12a83fea5d3cd0a1137b3932520c75976ad1d5d97e11fbd83f8bb4620", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", 
"owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e12a8ad12a83fea5d3cd0a1137b3932520c75976ad1d5d97e11fbd83f8bb4620"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/test-radius.dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /test-x-www-form-urlencoded has no auth"}, "properties": {"repobilityId": 66968, "scanner": "repobility-route-auth", "fingerprint": "ea9bd4bf9a5ef9cbca1025c70eef21011c9a8e3886cd345eaf42221274ac84f1", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|ea9bd4bf9a5ef9cbca1025c70eef21011c9a8e3886cd345eaf42221274ac84f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/server.js"}, "region": {"startLine": 286}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /test-webhook has no auth"}, "properties": {"repobilityId": 66967, "scanner": "repobility-route-auth", "fingerprint": "0f4e5bb525b50194c3f02ef95463779ac299a5f61c7d4a9feaf7be27f3fbdf4c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|0f4e5bb525b50194c3f02ef95463779ac299a5f61c7d4a9feaf7be27f3fbdf4c"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "server/server.js"}, "region": {"startLine": 280}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /setup-database has no auth"}, "properties": {"repobilityId": 66966, "scanner": "repobility-route-auth", "fingerprint": "5a2192f43971f2a9cc06ac99ded251278bef222b574c8779ae26481fd0fa7d74", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|5a2192f43971f2a9cc06ac99ded251278bef222b574c8779ae26481fd0fa7d74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/setup-database.js"}, "region": {"startLine": 170}}}]}, {"ruleId": "GHSA-xq3m-2v4x-88gg", "level": "error", "message": {"text": "protobufjs: GHSA-xq3m-2v4x-88gg"}, "properties": {"repobilityId": 67095, "scanner": "osv-scanner", "fingerprint": "2fd6ba9511d3e3bd68535310339d539ff9e7db2dee73dc2ceda1dfdea24a2b7f", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41242"], "package": "protobufjs", "rule_id": "GHSA-xq3m-2v4x-88gg", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-41242|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 67075, "scanner": "gitleaks", "fingerprint": "93b3f740b26397b0880ac1907970b6f8aa50662410e2e7b32f3e3bdbed5327ac", "category": "credential_exposure", 
"severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|1|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/manual-test-radius-tls/certs/redis.key"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.JUST_FOR_TEST` on a `pull_request` trigger"}, "properties": {"repobilityId": 66980, "scanner": "repobility-supply-chain", "fingerprint": "18780e35c0748b643a3e870d3ecdde38c94f6032bda09bcecad182a2757cb52c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|18780e35c0748b643a3e870d3ecdde38c94f6032bda09bcecad182a2757cb52c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto-test.yml"}, "region": {"startLine": 64}}}]}]}]}
