{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `_find_root` has cognitive complexity 15 (SonarSource scale). Cognitive co", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `_find_root` has cognitive complexity 15 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion al"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 15."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED072", "name": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in.", "shortDescription": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-705 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.repo` used but never assigned in __init__", "shortDescription": {"text": "`self.repo` used but never assigned in __init__"}, "fullDescription": {"text": "Method `prefetch` of class `GitlabPrefetcher` reads `self.repo`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1422"}, "properties": {"repository": "nix-community/NUR", "repoUrl": "https://github.com/nix-community/NUR", "branch": "main"}, "results": [{"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `_find_root` has cognitive complexity 15 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=2, if=4, nested_bonus=8, while=1."}, "properties": {"repobilityId": 145733, "scanner": "repobility-threat-engine", "fingerprint": "a277b7f3ebf492ac081d90c6c07132f1ee215bf817a0c627d3897474ea5d8e32", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 15 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_find_root", "breakdown": {"if": 4, "else": 2, "while": 1, "nested_bonus": 8}, "complexity": 15, "correlation_key": "fp|a277b7f3ebf492ac081d90c6c07132f1ee215bf817a0c627d3897474ea5d8e32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/nur/path.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `resolve_source` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=3, else=2, if=3, nested_bonus=6."}, "properties": {"repobilityId": 145732, "scanner": "repobility-threat-engine", "fingerprint": "b82a4c46c619124efe4360c4d75eb9a18791a45355758b965ea6586379a12835", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 14 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "resolve_source", "breakdown": {"if": 3, "elif": 3, "else": 2, "nested_bonus": 6}, "complexity": 14, "correlation_key": "fp|b82a4c46c619124efe4360c4d75eb9a18791a45355758b965ea6586379a12835"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/nur/index.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `update_combined` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=1, except=1, for=2, if=2, nested_bonus=3."}, "properties": {"repobilityId": 145731, "scanner": "repobility-threat-engine", "fingerprint": "696714f906e33454d350ebde1e4e7cfa0afbee5517558463b3a1ba2016b0e8b2", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "update_combined", "breakdown": {"if": 2, "for": 2, "except": 1, "continue": 1, "nested_bonus": 3}, "complexity": 9, "correlation_key": "fp|696714f906e33454d350ebde1e4e7cfa0afbee5517558463b3a1ba2016b0e8b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/nur/combine.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 145737, "scanner": "repobility-threat-engine", "fingerprint": "7dc43dc231ddb2503f8bcc8a03e3a5aafd585e94f1cf907b788455d60b3ccf83", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7dc43dc231ddb2503f8bcc8a03e3a5aafd585e94f1cf907b788455d60b3ccf83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/nur/error.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 145736, "scanner": "repobility-threat-engine", "fingerprint": "43baf26e5dc0792ab27b879042c884a2ef57a2e44a8949df947d6d8885c118b2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|43baf26e5dc0792ab27b879042c884a2ef57a2e44a8949df947d6d8885c118b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/nur/error.py"}, "region": {"startLine": 2}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 145734, "scanner": "repobility-threat-engine", "fingerprint": "374b2f9ca97c941ea8799534a3f6a7246c4a413e5ec69c34d7f4988e5034f739", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "update_combined", "breakdown": {"if": 2, "for": 2, "except": 1, "continue": 1, "nested_bonus": 3}, "aggregated": true, "complexity": 9, "correlation_key": "fp|374b2f9ca97c941ea8799534a3f6a7246c4a413e5ec69c34d7f4988e5034f739", "aggregated_count": 2}}}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 145740, "scanner": "repobility-threat-engine", "fingerprint": "6586c7a4925da6a1357666c9c050e9e96aee347a78d4d1e0fbac6bcab2ab8d10", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6586c7a4925da6a1357666c9c050e9e96aee347a78d4d1e0fbac6bcab2ab8d10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/nur/update.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 145739, "scanner": "repobility-threat-engine", "fingerprint": "c2c6752fa17302173933f478bd68f561f2df4ddafb416992cd5bab69498194d7", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(\"path is (.+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|ci/nur/prefetch.py|110|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/nur/prefetch.py"}, "region": {"startLine": 110}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 145738, "scanner": "repobility-threat-engine", "fingerprint": "dc877fae656ec07a24d276749362cd61782f778de51cbacd5a58bf2f5901654c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "env.update(NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=\"1\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dc877fae656ec07a24d276749362cd61782f778de51cbacd5a58bf2f5901654c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/nur/index.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 145735, "scanner": "repobility-threat-engine", "fingerprint": "60877e5423671d49f0b67880b6c50ccbcf9e308c721ef1e31d4e033591844169", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|60877e5423671d49f0b67880b6c50ccbcf9e308c721ef1e31d4e033591844169"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/nur/error.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.repo` used but never assigned in __init__"}, "properties": {"repobilityId": 145730, "scanner": "repobility-ast-engine", "fingerprint": "ee3c362e2844589af7ad68f13be28c6ff2e71c98375f92b7c478c04cd0bc8878", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ee3c362e2844589af7ad68f13be28c6ff2e71c98375f92b7c478c04cd0bc8878"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/nur/prefetch.py"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.repo` used but never assigned in __init__"}, "properties": {"repobilityId": 145729, "scanner": "repobility-ast-engine", "fingerprint": "6d1ce17641c9a0e95eb1bf031380b81c2af291aff44c7a60cdcd30eeba24a056", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6d1ce17641c9a0e95eb1bf031380b81c2af291aff44c7a60cdcd30eeba24a056"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/nur/prefetch.py"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.repo` used but never assigned in __init__"}, "properties": {"repobilityId": 145728, "scanner": "repobility-ast-engine", "fingerprint": "7e876bcba1c7a8fbc8def1cc71134f6bd63d42f5ff770a63bdb2baac5302de1b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7e876bcba1c7a8fbc8def1cc71134f6bd63d42f5ff770a63bdb2baac5302de1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/nur/prefetch.py"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.repo` used but never assigned in __init__"}, "properties": {"repobilityId": 145727, "scanner": "repobility-ast-engine", "fingerprint": "391b502dc8c227007ec9ffb50c3c42d43e8d7ec0ecab109ab6bf25e7441ea83f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|391b502dc8c227007ec9ffb50c3c42d43e8d7ec0ecab109ab6bf25e7441ea83f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/nur/prefetch.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 145726, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}]}]}