{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. 
Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.25, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Apply that CIDR check to the address the host resolves to and to any redirect target, not only to the literal hostname, since either can point back into a private range."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/471"}, "properties": {"repository": "Open-Less/openless", "repoUrl": "https://github.com/Open-Less/openless", "branch": "main"}, "results": [{"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 27597, "scanner": "repobility-threat-engine", "fingerprint": "4877f1027ecd71bff72b921ed2b91e657afb4daa134d0e8cffd62e2f9da7f5a6", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4877f1027ecd71bff72b921ed2b91e657afb4daa134d0e8cffd62e2f9da7f5a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openless-all/design_handoff_openless/design-canvas.jsx"}, "region": {"startLine": 91}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 27595, "scanner": "repobility-threat-engine", "fingerprint": "e3302222693eb1473e9579405df1c0e5c5d83a763a77786e1521cfb9e2c598d7", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e3302222693eb1473e9579405df1c0e5c5d83a763a77786e1521cfb9e2c598d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openless-all/app/scripts/windows-openless-lifecycle-e2e.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 27590, "scanner": "repobility-agent-runtime", "fingerprint": "3b33d231908ea650e35bb2f0f16212d9c0def1d143e4c4341269a0553f20720d", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|3b33d231908ea650e35bb2f0f16212d9c0def1d143e4c4341269a0553f20720d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openless-all/app/src/lib/fontScale.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 27589, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"53711db6954d092699ffacbd55c19f957624e10582624001012b5b0fa0af55f6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "openless-all/app/src/pages/settings/ShortcutsSection.tsx", "duplicate_line": 104, "correlation_key": "fp|53711db6954d092699ffacbd55c19f957624e10582624001012b5b0fa0af55f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openless-all/design_handoff_openless/pages.jsx"}, "region": {"startLine": 758}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 27588, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c91fbe77fd1771d724b8d51f8df1d6202301b2833baa50ae190e66ae3b992f2e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "openless-all/app/src/pages/_atoms.tsx", "duplicate_line": 38, "correlation_key": "fp|c91fbe77fd1771d724b8d51f8df1d6202301b2833baa50ae190e66ae3b992f2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openless-all/design_handoff_openless/pages.jsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 27587, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f462d5acd807ef31905ebb03f3e7a638a028a82b404c51d661757cbccff5fdeb", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "openless-all/app/src/components/Icon.tsx", "duplicate_line": 9, "correlation_key": "fp|f462d5acd807ef31905ebb03f3e7a638a028a82b404c51d661757cbccff5fdeb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openless-all/design_handoff_openless/icons.jsx"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 27586, "scanner": "repobility-ai-code-hygiene", "fingerprint": "49036bcd2d9b6496e86fa8618443b0927517de388a44ed6918582d17e96832de", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "openless-all/app/src/lib/mockData.ts", "duplicate_line": 42, "correlation_key": "fp|49036bcd2d9b6496e86fa8618443b0927517de388a44ed6918582d17e96832de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openless-all/design_handoff_openless/data.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 27585, "scanner": "repobility-ai-code-hygiene", "fingerprint": "68be3b6a2849b7ce499aa9eab345a50589f0d1681279683b8e3ea1230ffc6bc4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A 
normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "openless-all/app/src/components/ui/SwitchLite.tsx", "duplicate_line": 17, "correlation_key": "fp|68be3b6a2849b7ce499aa9eab345a50589f0d1681279683b8e3ea1230ffc6bc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openless-all/app/src/pages/settings/shared.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 27584, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9aeac0a8870ef9df1a1fabe19cd99b0dbdfc23a96b30fcb66c6e4093be619d71", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "openless-all/app/src/pages/SelectionAsk.tsx", "duplicate_line": 17, "correlation_key": "fp|9aeac0a8870ef9df1a1fabe19cd99b0dbdfc23a96b30fcb66c6e4093be619d71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openless-all/app/src/pages/Translation.tsx"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 27583, "scanner": "repobility-ai-code-hygiene", "fingerprint": "77aea8050d8ae2adb8a60783cbf77db2e2547a2fc935e43ba9e517f811c3b229", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, 
"rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "openless-all/app/src/components/MarketplaceModal.tsx", "duplicate_line": 22, "correlation_key": "fp|77aea8050d8ae2adb8a60783cbf77db2e2547a2fc935e43ba9e517f811c3b229"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openless-all/app/src/components/SettingsModal.tsx"}, "region": {"startLine": 63}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 27582, "scanner": "repobility-ai-code-hygiene", "fingerprint": "94a6eb4a755a2855c71e9db635fad6ddfa0d0405cd3624d1141f439d482ed2dd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "openless-all/app/src-tauri/src/insertion.rs", "duplicate_line": 296, "correlation_key": "fp|94a6eb4a755a2855c71e9db635fad6ddfa0d0405cd3624d1141f439d482ed2dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openless-all/app/src-tauri/src/unicode_keystroke.rs"}, "region": {"startLine": 261}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 27581, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fc3d29b2eb167ecf6328a2d625793ab4acfc8eace22d87c35e89268ed7dda5cd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "openless-all/app/src-tauri/src/insertion.rs", "duplicate_line": 335, "correlation_key": "fp|fc3d29b2eb167ecf6328a2d625793ab4acfc8eace22d87c35e89268ed7dda5cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openless-all/app/src-tauri/src/selection.rs"}, "region": {"startLine": 291}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 27580, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e98a618da68a0e349e2d9b0eedc91575a843db062c86727f185725a20b84f751", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "openless-all/app/src-tauri/src/asr/bailian.rs", "duplicate_line": 1, "correlation_key": "fp|e98a618da68a0e349e2d9b0eedc91575a843db062c86727f185725a20b84f751"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openless-all/app/src-tauri/src/asr/volcengine.rs"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 27596, "scanner": "repobility-threat-engine", "fingerprint": "a5e38e3e3c97b6b8e476c63bbc02587f4dd928577328d969682eaaf4a7b5994c", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|1024|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openless-all/app/src/pages/Settings.tsx"}, "region": {"startLine": 1024}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 27594, "scanner": "repobility-threat-engine", "fingerprint": "4a4f0807e4b2a602904c2c23d95abb6f9e09448ebf29c9e0a18b9da6a89476f2", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4a4f0807e4b2a602904c2c23d95abb6f9e09448ebf29c9e0a18b9da6a89476f2"}}}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 27593, "scanner": "repobility-threat-engine", "fingerprint": "2252ec1f12bf308caecc6b23852fdd790a5030ae439f97353dccf18411905305", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2252ec1f12bf308caecc6b23852fdd790a5030ae439f97353dccf18411905305"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openless-all/app/src-tauri/src/asr/local/download.rs"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 27592, "scanner": "repobility-threat-engine", "fingerprint": "44ee127a1877e78ac3f8ad86dac24b2ad0293aeb760cfb1a96b3b2200a49786c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(o", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|44ee127a1877e78ac3f8ad86dac24b2ad0293aeb760cfb1a96b3b2200a49786c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openless-all/app/scripts/check-window-hotkey-fallback.mjs"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 27591, "scanner": "repobility-threat-engine", "fingerprint": "44a8f542813cc52097c0d29fe3a76cbf3d0842d71bd9c9166da5454938c43fc4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(o", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|44a8f542813cc52097c0d29fe3a76cbf3d0842d71bd9c9166da5454938c43fc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openless-all/app/scripts/check-hotkey-recorder.mjs"}, "region": {"startLine": 19}}}]}]}]}