{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `testwebapplication` image has no explicit tag", "shortDescription": {"text": "Compose service `testwebapplication` image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, 
{"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `read_lines_document_file` has cognitive complexity 21 (SonarSource scale)", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `read_lines_document_file` has cognitive complexity 21 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, an"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 21."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. 
Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", 
"shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Use `pip install --no-cache-dir ...` in container builds."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC007", "name": "Generated build artifact directory is present at repository root", "shortDescription": {"text": "Generated build artifact directory is present at repository root"}, "fullDescription": {"text": "Remove generated output from version control, add it to .gitignore and .dockerignore where relevant, and regenerate it in CI or release jobs."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner 
interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete (and 1 more): Same pattern found in 1 additional file. Review if needed.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. 
Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392, CWE-798 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED051", "name": "[MINED051] Csharp Null Forgive (and 54 more): Same pattern found in 54 additional files. Review if needed.", "shortDescription": {"text": "[MINED051] Csharp Null Forgive (and 54 more): Same pattern found in 54 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 51 more): Same pattern found in 51 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 51 more): Same pattern found in 51 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `test/dotnet.Tests/ShellShimTests/WpfBinaryTestAssets/testwpf.dll` committed in source repo: `tes", "shortDescription": {"text": "[MINED134] Binary file `test/dotnet.Tests/ShellShimTests/WpfBinaryTestAssets/testwpf.dll` committed in source repo: `test/dotnet.Tests/ShellShimTests/WpfBinaryTestAssets/testwpf.dll` is a .dll binary (7,168 bytes) committed to a repo that o"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `dotnet/arcade/.github/workflows/backport-base.yml` pinned to mutable ref `@main`: `uses: dotnet/arcad", "shortDescription": {"text": "[MINED115] Action `dotnet/arcade/.github/workflows/backport-base.yml` pinned to mutable ref `@main`: `uses: dotnet/arcade/.github/workflows/backport-base.yml@main` resolves at workflow-run time. 
Tags and branches can be re-pushed by the act"}, "fullDescription": {"text": "Replace with: `uses: dotnet/arcade/.github/workflows/backport-base.yml@<40-char-sha>  # main` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `pandoc/core:2.18.0` not pinned by digest: `FROM pandoc/core:2.18.0` resolves the tag at buil", "shortDescription": {"text": "[MINED118] Dockerfile FROM `pandoc/core:2.18.0` not pinned by digest: `FROM pandoc/core:2.18.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production"}, "fullDescription": {"text": "Replace with: `FROM pandoc/core:2.18.0@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC025", "name": "[SEC025] XML External Entity (XXE) \u2014 .NET XmlDocument / XmlTextReader: .NET XmlDocument and XmlTextReader expand externa", "shortDescription": {"text": "[SEC025] XML External Entity (XXE) \u2014 .NET XmlDocument / XmlTextReader: .NET XmlDocument and XmlTextReader expand external entities by default in pre-4.5.2 runtimes (and even later if XmlResolver is left at default). Allows file disclosure a"}, "fullDescription": {"text": "Set XmlResolver = null on XmlDocument before Load. On XmlReader, pass XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null }. Prefer XDocument / XElement which don't expand external entities by default."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. 
Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1342"}, "properties": {"repository": "dotnet/sdk", "repoUrl": "https://github.com/dotnet/sdk", "branch": "main"}, "results": [{"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 137022, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `testwebapplication` image has no explicit tag"}, "properties": {"repobilityId": 137016, "scanner": "repobility-docker", "fingerprint": "9cb9d6f6ad7f338537da6ef122fe34e6bba5c2cf3396bf0128c5da71a40e0d94", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "testwebapplication", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9cb9d6f6ad7f338537da6ef122fe34e6bba5c2cf3396bf0128c5da71a40e0d94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/TestAssets/TestProjects/docker-compose/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 137015, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 137014, "scanner": "repobility-docker", "fingerprint": "0a473858dd90fb81a42a478ccd32673345dcb6489b58a9eceba0037089267aef", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "pandoc/core:2.18.0", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|0a473858dd90fb81a42a478ccd32673345dcb6489b58a9eceba0037089267aef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "documentation/manpages/tool/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 137012, "scanner": "repobility-agent-runtime", "fingerprint": "7e5252f4a745fa8a236ceb8ad157a5530a10001357571223eed7000dca815f90", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|7e5252f4a745fa8a236ceb8ad157a5530a10001357571223eed7000dca815f90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/pipelines/search-cache-pipeline.yml"}, "region": {"startLine": 117}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 137011, "scanner": "repobility-agent-runtime", "fingerprint": "cd5b2bae2b0bf1c2ffd3324f946914852e287ab3fc6a522346480d1370e3d529", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|cd5b2bae2b0bf1c2ffd3324f946914852e287ab3fc6a522346480d1370e3d529"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "documentation/specs/cli-installation-scenarios.md"}, "region": {"startLine": 270}}}]}, {"ruleId": "SEC136", "level": "warning", 
"message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 136993, "scanner": "repobility-threat-engine", "fingerprint": "1ae39385fdd1e36c010ae333de91bbeac1d104002e69a89423ff71527d661637", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "}\n            catch (FileNotFoundException)\n            {\n                return null;\n            }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1ae39385fdd1e36c010ae333de91bbeac1d104002e69a89423ff71527d661637"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Cli/dotnet/Commands/Workload/GlobalJsonWorkloadSetFile.cs"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 136992, "scanner": "repobility-threat-engine", "fingerprint": "b94e949a088a9a02c2b81b3f8a0fc77521b955b3ab8dd9c5e07af596f3e52913", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "}\n        catch (Exception)\n        {\n            return [];\n        }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b94e949a088a9a02c2b81b3f8a0fc77521b955b3ab8dd9c5e07af596f3e52913"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Cli/dotnet/Commands/Package/PackageCommandParser.cs"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 136991, "scanner": "repobility-threat-engine", "fingerprint": "3fb1dcb843b936107af400cd1d548bf2bc54eae0ea1e8d4b89fced1d96d77251", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "}\n        catch (DirectoryNotFoundException)\n        {\n            return [];\n        }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3fb1dcb843b936107af400cd1d548bf2bc54eae0ea1e8d4b89fced1d96d77251"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Cli/dotnet/Commands/New/PostActions/DotnetAddPostActionProcessor.cs"}, "region": {"startLine": 98}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `read_lines_document_file` has cognitive complexity 21 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: break=1, else=3, for=2, if=5, nested_bonus=9, recursion=1."}, "properties": {"repobilityId": 136976, "scanner": "repobility-threat-engine", "fingerprint": "f334dde03d8b751111a020d344dc9afd39346014947e790768ab3e01672cbd32", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 21 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "read_lines_document_file", "breakdown": {"if": 5, "for": 2, "else": 3, "break": 1, "recursion": 1, "nested_bonus": 9}, "complexity": 21, "correlation_key": "fp|f334dde03d8b751111a020d344dc9afd39346014947e790768ab3e01672cbd32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "documentation/manpages/tool/remove-metadata-and-embed-includes.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 136970, "scanner": "repobility-threat-engine", "fingerprint": "8300e5a3f3cac26d4f8db9b89ffff1089c1065beff1b0c04a68df309f72f4749", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.UseDeveloperExceptionPage()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8300e5a3f3cac26d4f8db9b89ffff1089c1065beff1b0c04a68df309f72f4749"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"documentation/TemplateEngine/Samples/content/03-optional-page/MyProject.StarterWeb/Startup.cs"}, "region": {"startLine": 41}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 137021, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 137020, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 137019, "scanner": "repobility-web-presence", "fingerprint": 
"fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 137018, "scanner": "repobility-docker", "fingerprint": "098cb9f195b01f1d98093253959412260ffebf2b0b99e2a8f363d027505cdab0", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "testwebapplication", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|098cb9f195b01f1d98093253959412260ffebf2b0b99e2a8f363d027505cdab0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/TestAssets/TestProjects/docker-compose/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 137017, "scanner": "repobility-docker", "fingerprint": "0331595a118784454e3e6c5e9b505a7cde77e4075aed36ffca0d50713b7347a7", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": 
"Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "testwebapplication", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0331595a118784454e3e6c5e9b505a7cde77e4075aed36ffca0d50713b7347a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/TestAssets/TestProjects/docker-compose/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 137013, "scanner": "repobility-docker", "fingerprint": "ebfcf0a3640738c2751d0c366cec0a621f7430aeccd439d7cdcce5b96ba6a2be", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|ebfcf0a3640738c2751d0c366cec0a621f7430aeccd439d7cdcce5b96ba6a2be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "documentation/manpages/tool/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137010, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a224b9dfd8471cf21995ab474cb7fc34ef057d0d3b9d4a2d3574430a5fd18525", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "src/Cli/dotnet/CommandFactory/CommandResolution/PackagedCommandSpecFactory.cs", "duplicate_line": 102, "correlation_key": "fp|a224b9dfd8471cf21995ab474cb7fc34ef057d0d3b9d4a2d3574430a5fd18525"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Cli/dotnet/CommandFactory/CommandResolution/PublishPathCommandSpecFactory.cs"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137009, "scanner": "repobility-ai-code-hygiene", "fingerprint": "17b3ab5fcc213b4a88a55eb3defc14c633497f12fcdb35ff00681ae46dc76213", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/Cli/Microsoft.TemplateEngine.Cli/Commands/HelpStrings.Designer.cs", "duplicate_line": 18, "correlation_key": "fp|17b3ab5fcc213b4a88a55eb3defc14c633497f12fcdb35ff00681ae46dc76213"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Cli/Microsoft.TemplateEngine.Cli/Commands/SymbolStrings.Designer.cs"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137008, "scanner": "repobility-ai-code-hygiene", "fingerprint": "296fec566b091d25e34aed4352e11a9062a29a7d9b46848b126332aeea077c83", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "src/Cli/Microsoft.DotNet.Cli.Definitions/Help/HelpBuilder.cs", "duplicate_line": 240, "correlation_key": "fp|296fec566b091d25e34aed4352e11a9062a29a7d9b46848b126332aeea077c83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Cli/Microsoft.TemplateEngine.Cli/Commands/CommandLineUtils.cs"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137007, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5e0ce3902d871b8bba21ad0b14b410daea0a77edb9bd93185fb82b88c08598dc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/Cli/Microsoft.DotNet.Cli.Definitions/Commands/New/NewListCommandDefinition.cs", "duplicate_line": 28, "correlation_key": "fp|5e0ce3902d871b8bba21ad0b14b410daea0a77edb9bd93185fb82b88c08598dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Cli/Microsoft.DotNet.Cli.Definitions/Commands/New/NewSearchCommandDefinition.cs"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC007", "level": "note", "message": {"text": "Generated build artifact directory is present at repository root"}, "properties": {"repobilityId": 137006, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9ce25f11f897b8a8b2478fd0136724866f111b604484c20a5c690bce80d94da1", "category": "quality", "severity": "low", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains a common generated artifact directory.", "evidence": {"rule_id": "AIC007", "scanner": "repobility-ai-code-hygiene", "directory": "build", 
"references": ["https://git-scm.com/docs/gitignore", "https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|9ce25f11f897b8a8b2478fd0136724866f111b604484c20a5c690bce80d94da1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 136990, "scanner": "repobility-threat-engine", "fingerprint": "c0c46fab35d3d260cbf82e4a88883ba3242c40656cecb73e7c492be8035438ee", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"\\x1B[30m\" + text + \"\\x1B[39m\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c0c46fab35d3d260cbf82e4a88883ba3242c40656cecb73e7c492be8035438ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Cli/Microsoft.DotNet.Cli.Utils/Extensions/AnsiExtensions.cs"}, "region": {"startLine": 22}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `fix_space_in_command_names` has cognitive complexity 10 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=1, for=1, if=4, nested_bonus=4."}, "properties": {"repobilityId": 136975, "scanner": "repobility-threat-engine", "fingerprint": "abe5bd065a0d31d986c8889bc50255f7a291d9599f0e1ef34c85a9b68ba40839", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "fix_space_in_command_names", "breakdown": {"if": 4, "for": 1, "else": 1, "nested_bonus": 4}, "complexity": 10, "correlation_key": "fp|abe5bd065a0d31d986c8889bc50255f7a291d9599f0e1ef34c85a9b68ba40839"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "documentation/manpages/tool/man-pandoc-filter.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `promote_and_capitalize_sections` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: for=1, if=3, nested_bonus=6."}, "properties": {"repobilityId": 136974, "scanner": "repobility-threat-engine", "fingerprint": "7ceb134f1f34058e19f47218297f04ec167351287ffeaee83e9b17461053366c", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "promote_and_capitalize_sections", "breakdown": {"if": 3, "for": 1, "nested_bonus": 6}, "complexity": 10, "correlation_key": "fp|7ceb134f1f34058e19f47218297f04ec167351287ffeaee83e9b17461053366c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "documentation/manpages/tool/man-pandoc-filter.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 137005, "scanner": "repobility-threat-engine", "fingerprint": "b8f6476b40c6b0c117c62705cc8affa9b98ac771199163ac6db926e38da22eac", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b8f6476b40c6b0c117c62705cc8affa9b98ac771199163ac6db926e38da22eac", "aggregated_count": 1}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 137004, "scanner": "repobility-threat-engine", "fingerprint": "d61cbf8976d4a8047af73d386406dbca57e354ebe7781f839d7fcbd2d7a399f1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d61cbf8976d4a8047af73d386406dbca57e354ebe7781f839d7fcbd2d7a399f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Microsoft.CodeAnalysis.NetAnalyzers/src/Microsoft.CodeAnalysis.VisualBasic.NetAnalyzers/Microsoft.NetCore.Analyzers/Performance/BasicUseStringMethodCharOverloadWithSingleCharacters.Fixer.vb"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 137003, "scanner": "repobility-threat-engine", 
"fingerprint": "9e6e75a294af35fed5d33f8e0fa0e40072b6ecc17aebe6977b662729f57a29f6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9e6e75a294af35fed5d33f8e0fa0e40072b6ecc17aebe6977b662729f57a29f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Microsoft.CodeAnalysis.NetAnalyzers/src/Microsoft.CodeAnalysis.VisualBasic.NetAnalyzers/Microsoft.NetCore.Analyzers/Performance/BasicRecommendCaseInsensitiveStringComparisonFixer.vb"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 137002, "scanner": "repobility-threat-engine", "fingerprint": "3bcc59a0ae2607197c84af92fed183fa9460cbaf9ec66daa831075be89468aa2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3bcc59a0ae2607197c84af92fed183fa9460cbaf9ec66daa831075be89468aa2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"src/Microsoft.CodeAnalysis.NetAnalyzers/src/Microsoft.CodeAnalysis.VisualBasic.NetAnalyzers/Microsoft.CodeQuality.Analyzers/Maintainability/BasicMakeTypesInternal.Fixer.vb"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 136998, "scanner": "repobility-threat-engine", "fingerprint": "89001b2c0de6527cd73b9d0e5b77b2f19d2a0cbd09a3d87c9dbc1068ae40fbb4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|89001b2c0de6527cd73b9d0e5b77b2f19d2a0cbd09a3d87c9dbc1068ae40fbb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Dotnet.Watch/Web.Middleware/BlazorHotReload.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 136997, "scanner": "repobility-threat-engine", "fingerprint": "326dfcc092d4a22145389e862bc8fa8494f87e85acb308e3050193e274fdbf5a", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "logger.LogWarning(\"WebSocket connection rejected: missing subprotocol (shared secret)", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|12|logger.logwarning websocket connection rejected: missing subprotocol shared secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Dotnet.Watch/HotReloadClient/WebSocketClientTransport.cs"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 136996, "scanner": "repobility-threat-engine", "fingerprint": "c48961b336a3a2bc5829e183b5b590c2626e37a25da12d383306752b171b1d43", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": 
"repobility-threat-engine", "correlation_key": "fp|c48961b336a3a2bc5829e183b5b590c2626e37a25da12d383306752b171b1d43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Dotnet.Format/dotnet-format/Formatters/DocumentFormatter.cs"}, "region": {"startLine": 168}}}]}, {"ruleId": "SEC136", "level": "none", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 136994, "scanner": "repobility-threat-engine", "fingerprint": "8e478e56b730255b619eaaf214c2ac68864bd09b58591d59c20fe11bd4508abd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8e478e56b730255b619eaaf214c2ac68864bd09b58591d59c20fe11bd4508abd"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 136989, "scanner": "repobility-threat-engine", "fingerprint": "462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29"}}}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive (and 54 more): Same pattern found in 54 additional files. Review if needed."}, "properties": {"repobilityId": 136985, "scanner": "repobility-threat-engine", "fingerprint": "0b4ca39520df76ef2b3de3dcf83deec7381053649c4825a2f512891e956a363c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 54 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0b4ca39520df76ef2b3de3dcf83deec7381053649c4825a2f512891e956a363c", "aggregated_count": 54}}}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. 
NRE risk if wrong."}, "properties": {"repobilityId": 136984, "scanner": "repobility-threat-engine", "fingerprint": "34536ce99940edd4f9e654b54d659634d56294cf99ceaffd06c54f6ee7b461a7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|34536ce99940edd4f9e654b54d659634d56294cf99ceaffd06c54f6ee7b461a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Cli/Microsoft.TemplateEngine.Cli/Alias/AliasRegistry.cs"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. 
NRE risk if wrong."}, "properties": {"repobilityId": 136983, "scanner": "repobility-threat-engine", "fingerprint": "aebd58f63f0b38191a9eed9317ac2c06fe7f671039e5cd7399b64d0f1fd96ac7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aebd58f63f0b38191a9eed9317ac2c06fe7f671039e5cd7399b64d0f1fd96ac7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Cli/Microsoft.DotNet.Cli.Utils/Windows/Win32/Foundation/StringParameterArray.cs"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. 
NRE risk if wrong."}, "properties": {"repobilityId": 136982, "scanner": "repobility-threat-engine", "fingerprint": "8a50766442ebc9bf344f637928e5e54a20fe8d60760fdcc2f9c2410bd5a358c7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8a50766442ebc9bf344f637928e5e54a20fe8d60760fdcc2f9c2410bd5a358c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Cli/Microsoft.DotNet.Cli.Definitions/Commands/Tool/StoreCommandDefinition.cs"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 51 more): Same pattern found in 51 additional files. Review if needed."}, "properties": {"repobilityId": 136981, "scanner": "repobility-threat-engine", "fingerprint": "7172016ce8246c517d2350c039c5d0cdb96a634b9400c047fca9510ffa3f0659", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 51 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 51 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7172016ce8246c517d2350c039c5d0cdb96a634b9400c047fca9510ffa3f0659"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 136973, "scanner": "repobility-threat-engine", "fingerprint": "0db7ef6f90303bbc861b07f01ba30b19741a1c06857d213153bd384b5422930d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0db7ef6f90303bbc861b07f01ba30b19741a1c06857d213153bd384b5422930d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Dotnet.Watch/HotReloadClient/Web/WebSocketConfig.cs"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 136972, "scanner": "repobility-threat-engine", "fingerprint": "88a5ffd44e99f61041c7009d54cf584edf172d728dc9471e1640ed0b479dea8b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": 
"2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|88a5ffd44e99f61041c7009d54cf584edf172d728dc9471e1640ed0b479dea8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/common/cross/tizen-fetch.sh"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 136971, "scanner": "repobility-threat-engine", "fingerprint": "a76a775f252c456c8325888bcdf2decbff06b768a9beb114b28167b8159e76fa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a76a775f252c456c8325888bcdf2decbff06b768a9beb114b28167b8159e76fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "documentation/TemplateEngine/Samples/content/06-console-csharp-fsharp/MyProject.Con.FSharp/Program.fs"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `test/dotnet.Tests/ShellShimTests/WpfBinaryTestAssets/testwpf.dll` committed in source repo: `test/dotnet.Tests/ShellShimTests/WpfBinaryTestAssets/testwpf.dll` is a .dll binary (7,168 bytes) committed to a repo that otherwise has 6066 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 137043, "scanner": "repobility-supply-chain", "fingerprint": "19aa3f7f7fd494f3da719be16aef28efa7f7e078a136333cdfe69c8d08baa7da", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|19aa3f7f7fd494f3da719be16aef28efa7f7e078a136333cdfe69c8d08baa7da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/dotnet.Tests/ShellShimTests/WpfBinaryTestAssets/testwpf.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dotnet/arcade/.github/workflows/backport-base.yml` pinned to mutable ref `@main`: `uses: dotnet/arcade/.github/workflows/backport-base.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137042, "scanner": "repobility-supply-chain", "fingerprint": "a859796abba17ce05c962637b5d5e20afe10e571143f4669c239cbef7e99ad08", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a859796abba17ce05c962637b5d5e20afe10e571143f4669c239cbef7e99ad08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/backport.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137041, "scanner": "repobility-supply-chain", "fingerprint": "e0618b00eae6655bb2e25b4c0c72ebaf139c6196ef7cfc2a9f446f7d31729a0f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e0618b00eae6655bb2e25b4c0c72ebaf139c6196ef7cfc2a9f446f7d31729a0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/stale.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137040, "scanner": "repobility-supply-chain", "fingerprint": "bf22377da400fed5fb2dc4f708e48be5ff0ddfe591e94632ddced22b23832777", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf22377da400fed5fb2dc4f708e48be5ff0ddfe591e94632ddced22b23832777"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-static-web-assets-baselines.yml"}, "region": {"startLine": 392}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137039, "scanner": "repobility-supply-chain", "fingerprint": "665ce02df0ba311e28de7ebd9ff53d89882c1c9d771cdfcd1977df31a5d173b1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|665ce02df0ba311e28de7ebd9ff53d89882c1c9d771cdfcd1977df31a5d173b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-static-web-assets-baselines.yml"}, "region": {"startLine": 355}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137038, "scanner": "repobility-supply-chain", "fingerprint": "80f64e5a2a2d11ded215cb59932a67e3400ed32ca6dcf81c9359859d20feb954", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|80f64e5a2a2d11ded215cb59932a67e3400ed32ca6dcf81c9359859d20feb954"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-static-web-assets-baselines.yml"}, "region": {"startLine": 330}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137037, "scanner": "repobility-supply-chain", "fingerprint": "f042087ed2b4641760be08a58cefa45a4981611def5794be54f02c5a7c31e317", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f042087ed2b4641760be08a58cefa45a4981611def5794be54f02c5a7c31e317"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-static-web-assets-baselines.yml"}, "region": {"startLine": 312}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137036, "scanner": "repobility-supply-chain", "fingerprint": "6b4ebf9b7a4f8ec9c85d553d1a49a30e5e8e1c1b3dd115abcd396c3cbd84c1a4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b4ebf9b7a4f8ec9c85d553d1a49a30e5e8e1c1b3dd115abcd396c3cbd84c1a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-static-web-assets-baselines.yml"}, "region": {"startLine": 210}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137035, "scanner": "repobility-supply-chain", "fingerprint": "82a9a3787dd8179c9103e5bf58b34cb50089903b8ae54c4b046e4f5e9109b6e8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|82a9a3787dd8179c9103e5bf58b34cb50089903b8ae54c4b046e4f5e9109b6e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-static-web-assets-baselines.yml"}, "region": {"startLine": 201}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137034, "scanner": "repobility-supply-chain", "fingerprint": "4e7e6fd081f0340eab93871c58b85f549dad1b5532b5a2f5af061af99875f0af", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e7e6fd081f0340eab93871c58b85f549dad1b5532b5a2f5af061af99875f0af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-static-web-assets-baselines.yml"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137033, "scanner": "repobility-supply-chain", "fingerprint": "48632e6c5786f3f40a3a8290df3f80e1e26be6b58e3ea1e0101b3fe72be728e1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|48632e6c5786f3f40a3a8290df3f80e1e26be6b58e3ea1e0101b3fe72be728e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-static-web-assets-baselines.yml"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137032, "scanner": "repobility-supply-chain", "fingerprint": "0f537069254fcb2603fde728974418805bedb26d5a04bcdd5a1a61b488fa9e63", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f537069254fcb2603fde728974418805bedb26d5a04bcdd5a1a61b488fa9e63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-static-web-assets-baselines.yml"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137031, "scanner": "repobility-supply-chain", "fingerprint": "0abae7993c66c9ed04c1a464a8711228806a8f38c0384ce40f101ca0807acd44", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0abae7993c66c9ed04c1a464a8711228806a8f38c0384ce40f101ca0807acd44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-static-web-assets-baselines.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v4`: `uses: actions/github-script@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137030, "scanner": "repobility-supply-chain", "fingerprint": "36471644390443b19dfbad9c06e3907c4f53abdbfe5cb9b905b117fd1a221f05", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|36471644390443b19dfbad9c06e3907c4f53abdbfe5cb9b905b117fd1a221f05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/remove-lockdown-label.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v4`: `uses: actions/github-script@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137029, "scanner": "repobility-supply-chain", "fingerprint": "699733d85f1f082d41f7c680808e344dc6d3abb642fd895d87233a5b357db377", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|699733d85f1f082d41f7c680808e344dc6d3abb642fd895d87233a5b357db377"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/remove-lockdown-label.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137028, "scanner": "repobility-supply-chain", "fingerprint": "91a30eab8fd440963edf2d3ef4bef4e7673b6b9d7fa1be1a3fa83484f1f95238", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|91a30eab8fd440963edf2d3ef4bef4e7673b6b9d7fa1be1a3fa83484f1f95238"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/add-lockdown-label.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-dotnet` pinned to mutable ref `@v4`: `uses: actions/setup-dotnet@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137027, "scanner": "repobility-supply-chain", "fingerprint": "aa99f27d0c1087079510efa13de43cac20d0cfc5dcbafcd8d206d4182f85e618", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aa99f27d0c1087079510efa13de43cac20d0cfc5dcbafcd8d206d4182f85e618"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/copilot-setup-steps.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-dotnet` pinned to mutable ref `@v4`: `uses: actions/setup-dotnet@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137026, "scanner": "repobility-supply-chain", "fingerprint": "08c5feec74758a4d91e472005da0129b33209b4f2440b56c4ea11aa8097b6839", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|08c5feec74758a4d91e472005da0129b33209b4f2440b56c4ea11aa8097b6839"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/copilot-setup-steps.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dotnet/arcade/.github/workflows/inter-branch-merge-base.yml` pinned to mutable ref `@main`: `uses: dotnet/arcade/.github/workflows/inter-branch-merge-base.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137025, "scanner": "repobility-supply-chain", "fingerprint": "31fdf89c7324c4d0a4537f4b077cf514f286ef3b591b681f9130aca9f067201d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|31fdf89c7324c4d0a4537f4b077cf514f286ef3b591b681f9130aca9f067201d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/inter-branch-merge-flow.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 137024, "scanner": "repobility-supply-chain", "fingerprint": "cbf205f70e15c28c20250edef28d58633b7a9a64e57202b9776bd454cf8f6ad6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cbf205f70e15c28c20250edef28d58633b7a9a64e57202b9776bd454cf8f6ad6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-man-pages.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `pandoc/core:2.18.0` not pinned by digest: `FROM pandoc/core:2.18.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 137023, "scanner": "repobility-supply-chain", "fingerprint": "b5247f29b3b25482a348a8b6aed5d8a32642e8b00f8efe79cc189772985d4262", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b5247f29b3b25482a348a8b6aed5d8a32642e8b00f8efe79cc189772985d4262"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "documentation/manpages/tool/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 137001, "scanner": "repobility-threat-engine", "fingerprint": "cbd641b4232ee53d870e12aecfcd764dbdaeeea1f632ae76eb415ba7b4ddeb94", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cbd641b4232ee53d870e12aecfcd764dbdaeeea1f632ae76eb415ba7b4ddeb94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Microsoft.CodeAnalysis.NetAnalyzers/src/Microsoft.CodeAnalysis.NetAnalyzers/Microsoft.NetCore.Analyzers/Security/Helpers/CompilationSecurityTypes.cs"}, "region": {"startLine": 14}}}]}, {"ruleId": 
"MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 137000, "scanner": "repobility-threat-engine", "fingerprint": "88eb28eac3813ad5fc3a5e3ca9f26de662408a3e270597e562870dc4c853cef6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|88eb28eac3813ad5fc3a5e3ca9f26de662408a3e270597e562870dc4c853cef6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Microsoft.CodeAnalysis.NetAnalyzers/src/Microsoft.CodeAnalysis.NetAnalyzers/Microsoft.NetCore.Analyzers/Security/DoNotUseWeakKDFAlgorithm.cs"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 136999, "scanner": "repobility-threat-engine", "fingerprint": "923239dd159139e4b32aa2789968e5bff17ae6ca869ca54eefb91d958221056c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|923239dd159139e4b32aa2789968e5bff17ae6ca869ca54eefb91d958221056c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Microsoft.CodeAnalysis.NetAnalyzers/src/Microsoft.CodeAnalysis.NetAnalyzers/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureCryptographicAlgorithms.cs"}, "region": {"startLine": 91}}}]}, {"ruleId": "SEC025", "level": "error", "message": {"text": "[SEC025] XML External Entity (XXE) \u2014 .NET XmlDocument / XmlTextReader: .NET XmlDocument and XmlTextReader expand external entities by default in pre-4.5.2 runtimes (and even later if XmlResolver is left at default). Allows file disclosure and SSRF via XXE."}, "properties": {"repobilityId": 136995, "scanner": "repobility-threat-engine", "fingerprint": "4a8cfc5f92440b3383459e0a65cb30c3244f43696be6a8936796d875762f4ef1", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "XmlReader.Create(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC025", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4a8cfc5f92440b3383459e0a65cb30c3244f43696be6a8936796d875762f4ef1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Cli/dotnet/NugetPackageDownloader/WorkloadUnixFilePermissionsFileList.cs"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 136988, "scanner": "repobility-threat-engine", "fingerprint": "8502b6335545a3dc72ce498a6750624d34e92b77503333b4f8a64f221d097ed8", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(P", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8502b6335545a3dc72ce498a6750624d34e92b77503333b4f8a64f221d097ed8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Cli/dotnet/NugetPackageDownloader/INuGetPackageDownloader.cs"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 136987, "scanner": "repobility-threat-engine", "fingerprint": "4405d001a1c77419cc61dc2c68db44de275e08ff57305e73a86e5650071f7463", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(n", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4405d001a1c77419cc61dc2c68db44de275e08ff57305e73a86e5650071f7463"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Cli/dotnet/Commands/Workload/Update/WorkloadUpdateCommand.cs"}, "region": {"startLine": 219}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 136986, "scanner": "repobility-threat-engine", "fingerprint": "cd9c389df0cea10b90287c05800bda7b7b32d6bf309603e9abf42ea0997bb128", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cd9c389df0cea10b90287c05800bda7b7b32d6bf309603e9abf42ea0997bb128"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Cli/Microsoft.DotNet.Cli.Utils/Extensions/AnsiExtensions.cs"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 136980, "scanner": "repobility-threat-engine", "fingerprint": "3a6865dbf5f79e5f8baad73fed278adcef7c1c44c97af6a64e73a70a2cb8f512", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Directory.Delete(path, recursive);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3a6865dbf5f79e5f8baad73fed278adcef7c1c44c97af6a64e73a70a2cb8f512"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Cli/Microsoft.DotNet.InternalAbstractions/DirectoryWrapper.cs"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 136979, "scanner": "repobility-threat-engine", "fingerprint": "88204184e1aa0e627cd8b7948944d6cdc5c8d4ac970844f1f8fb11b644626263", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_toolPathSentinel.Create();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|88204184e1aa0e627cd8b7948944d6cdc5c8d4ac970844f1f8fb11b644626263"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Cli/Microsoft.DotNet.Configurer/DotnetFirstTimeUseConfigurer.cs"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 136978, "scanner": "repobility-threat-engine", "fingerprint": "4445a38fa51a21495bea6baa213b4c683ed6d56233279d84b2a77ef994d3b40e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "xDocument.Save(writer);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4445a38fa51a21495bea6baa213b4c683ed6d56233279d84b2a77ef994d3b40e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/BlazorWasmSdk/Tasks/BlazorWriteSatelliteAssemblyFile.cs"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 136977, "scanner": "repobility-threat-engine", "fingerprint": "1edaab31b5a84aa337e7ab5af43d3a926ddecfdce978f9d622c787776101a528", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r'\\[!INCLUDE *\\[[^\\]]+\\] *\\(([^)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|39|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "documentation/manpages/tool/remove-metadata-and-embed-includes.py"}, "region": {"startLine": 39}}}]}]}]}
