{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "[MINED109] Mutable default argument in `run_git_hook` (list): `def run_git_hook(... = []/{}/set())` \u2014 Python's default v", "shortDescription": {"text": "[MINED109] Mutable default argument in `run_git_hook` (list): `def run_git_hook(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for"}, "fullDescription": {"text": "Use None as the default and create the collection inside the function: `def run_git_hook(x=None): x = x or []`"}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC014", "name": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.", "shortDescription": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "fullDescription": {"text": "Enable SSL verification. Use verify=True (default) for requests. 
Pin certificates if needed."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED077", "name": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.", "shortDescription": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-772 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED047", "name": "[MINED047] Emoji In Source (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED047] Emoji In Source (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... 
} block. Compiler safety guarantees disabled inside."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 11 more): Same pattern found in 11 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED075", "name": "[MINED075] C Malloc No Check (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED075] C Malloc No Check (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-690 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private, loopback and link-local CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16, 127/8 (and their IPv6 equivalents), and apply the check to the IP address the hostname resolves to, not only to the URL string."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 74 more): Same pattern found in 74 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 74 more): Same pattern found in 74 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `ubuntu:rolling` unpinned: `container/services image: ubuntu:rolling` witho", "shortDescription": {"text": "[MINED126] Workflow container/services image `ubuntu:rolling` unpinned: `container/services image: ubuntu:rolling` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chai"}, "fullDescription": {"text": "Replace with `ubuntu:rolling@sha256:<digest>`. 
Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at ", "shortDescription": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compro"}, "fullDescription": {"text": "Replace with: `uses: actions/upload-artifact@<40-char-sha>  # v7` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.getUserCacheFilename` used but never assigned in __init__: Method `loadUserMapFromCache` of class `P4Us", "shortDescription": {"text": "[MINED108] `self.getUserCacheFilename` used but never assigned in __init__: Method `loadUserMapFromCache` of class `P4UserMap` reads `self.getUserCacheFilename`, but no assignment to it exists in __init__ (and no class-level fallback). This"}, "fullDescription": {"text": "Initialize `self.getUserCacheFilename = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the resolved path is inside your expected base directory (compare whole path components, e.g. with os.path.commonpath(), rather than a raw string prefix). Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED104", "name": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local pr", "shortDescription": {"text": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local privilege escalation surface; audit-failing for most compliance frameworks."}, "fullDescription": {"text": "Use the least-privilege mode the file actually needs (e.g. 640 for configs, 750 for executables). For directories that genuinely need shared write access, use a group with chmod g+w and chown the right group."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in G", "shortDescription": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED017", "name": "[MINED017] C System Call: system() invokes shell. command injection if any arg is dynamic.", "shortDescription": {"text": "[MINED017] C System Call: system() invokes shell. command injection if any arg is dynamic."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED010", "name": "[MINED010] Ruby System Call: system / backtick run shell. Command injection if any arg dynamic.", "shortDescription": {"text": "[MINED010] Ruby System Call: system / backtick run shell. Command injection if any arg dynamic."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-78 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED030", "name": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__.", "shortDescription": {"text": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED022", "name": "[MINED022] C Strcpy: strcpy/strcat don't bounds-check; use strncpy or snprintf.", "shortDescription": {"text": "[MINED022] C Strcpy: strcpy/strcat don't bounds-check; use strncpy or snprintf."}, "fullDescription": {"text": "Review and fix per the pattern semantics; strncpy does not NUL-terminate when the source fills the destination, so prefer snprintf with the destination size. See CWE-120 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED015", "name": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. Code injection.", "shortDescription": {"text": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. Code injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC116", "name": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrar", "shortDescription": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "fullDescription": {"text": "Use `YAML.safe_load(input, permitted_classes: [Date])` \u2014 explicit class allowlist. Never use `Marshal.load` on untrusted data; serialize as JSON instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC081", "name": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary co", "shortDescription": {"text": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3)."}, "fullDescription": {"text": "Use json, msgpack, or protobuf for untrusted data. If pickle is required, sign the payload with HMAC and verify the signature before unpickling."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/874"}, "properties": {"repository": "git/git", "repoUrl": "https://github.com/git/git", "branch": "master"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 79902, "scanner": "repobility-ast-engine", "fingerprint": "d8c21412258035829bddfefd92e23a960969936445c9654ac852466c6234373f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d8c21412258035829bddfefd92e23a960969936445c9654ac852466c6234373f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 273}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 79901, "scanner": "repobility-ast-engine", "fingerprint": "c2a11125997eb38440f7b53b12330846c035ef73c1607dbca4d7319a962788e8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c2a11125997eb38440f7b53b12330846c035ef73c1607dbca4d7319a962788e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 3181}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 79900, "scanner": "repobility-ast-engine", "fingerprint": "8ce785d877c694161b8f03d4d1891dafdf5e6a8298a5719bcb869cf1aa59133b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8ce785d877c694161b8f03d4d1891dafdf5e6a8298a5719bcb869cf1aa59133b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 2683}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 79899, "scanner": "repobility-ast-engine", "fingerprint": "ec010bab3fc1e1b0020c87657a8d1d8299099a7caf149211e4cc94ae11d06240", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ec010bab3fc1e1b0020c87657a8d1d8299099a7caf149211e4cc94ae11d06240"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 3118}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 79898, "scanner": "repobility-ast-engine", "fingerprint": "2d9590b5aafc5be572416328527760cf522e229ad5c37652c1aaf1d7f04e23da", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2d9590b5aafc5be572416328527760cf522e229ad5c37652c1aaf1d7f04e23da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 311}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `run_git_hook` (list): `def run_git_hook(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. 
Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 79897, "scanner": "repobility-ast-engine", "fingerprint": "0fd6798c387067ef5ab84ec03a7ca1be402ef431d4130a66aff8b07a3c845526", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0fd6798c387067ef5ab84ec03a7ca1be402ef431d4130a66aff8b07a3c845526"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 318}}}]}, {"ruleId": "SEC014", "level": "warning", "message": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "properties": {"repobilityId": 79852, "scanner": "repobility-threat-engine", "fingerprint": "727df3e6751a1e6f656a7657daf6a08a0fe2230b764c031b628214bc9336f11a", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "verify=false", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC014", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|t/t1460-refs-migrate.sh|32|sec014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/t1460-refs-migrate.sh"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 79850, "scanner": "repobility-threat-engine", "fingerprint": "8844df39d3733ea03d1fc44c7f1f6244de4fed1bdda93483aa986ced9df69137", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"foo bar\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8844df39d3733ea03d1fc44c7f1f6244de4fed1bdda93483aa986ced9df69137"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/t3905-stash-include-untracked.sh"}, "region": {"startLine": 210}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 79849, "scanner": "repobility-threat-engine", "fingerprint": "585a82bd992f49950c89858514708399e3053b366c85d010aa3f318ed6e258a5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"foo bar\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|585a82bd992f49950c89858514708399e3053b366c85d010aa3f318ed6e258a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/t3304-notes-mixed.sh"}, "region": {"startLine": 194}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 79848, "scanner": "repobility-threat-engine", "fingerprint": "db9cb4f3d7d85feee31b4a574c3e7346770a243e621e957a7f1979a10384a3ab", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Foo bAr\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|db9cb4f3d7d85feee31b4a574c3e7346770a243e621e957a7f1979a10384a3ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/t1308-config-set.sh"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 79837, "scanner": "repobility-threat-engine", "fingerprint": "a37275446dc5f11d2f880f9688da211b30e4c07aabd1708166ad2f1c3a21834e", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pickle.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|188|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/unit-tests/clar/generate.py"}, "region": {"startLine": 188}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 79836, "scanner": 
"repobility-threat-engine", "fingerprint": "9dfc837cb16a34d9253c1a049e174151be304a4cb9d489b4e826d5331e783a77", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "marshal.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|t/lib-git-p4.sh|196|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/lib-git-p4.sh"}, "region": {"startLine": 196}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 79832, "scanner": "repobility-threat-engine", "fingerprint": "bdcc20897a77b42a77185270d340d5715e83de3fca9ee62bf1344d97cce4c43e", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ">exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|shell.c|213|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shell.c"}, "region": {"startLine": 213}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 79871, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c4cfe48cf4029343c3dac4182354db23197a1a104752021dc24eb2f89abb7162", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "kwset.c", "duplicate_line": 2, "correlation_key": "fp|c4cfe48cf4029343c3dac4182354db23197a1a104752021dc24eb2f89abb7162"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "kwset.h"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 79870, "scanner": "repobility-ai-code-hygiene", "fingerprint": "edd407fe62ef69e457b96d54ec9eb6e03535f6359c6991e45ecc1f97b52675c0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compat/simple-ipc/ipc-unix-socket.c", "duplicate_line": 77, "correlation_key": "fp|edd407fe62ef69e457b96d54ec9eb6e03535f6359c6991e45ecc1f97b52675c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/simple-ipc/ipc-win32.c"}, "region": {"startLine": 127}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 79869, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2e926ea8e46e5ab21afd2701db0b4cd6737f01789eaa8d1ba321364990de19be", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compat/regex/regex.c", "duplicate_line": 2, "correlation_key": "fp|2e926ea8e46e5ab21afd2701db0b4cd6737f01789eaa8d1ba321364990de19be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/regex/regex_internal.h"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 79868, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5fab68e6d729101223ee795c6277d8e3ccd235e17b8485bf0d6b05cc2a1a8fe8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "compat/obstack.c", "duplicate_line": 3, "correlation_key": "fp|5fab68e6d729101223ee795c6277d8e3ccd235e17b8485bf0d6b05cc2a1a8fe8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/regex/regex.h"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 79867, "scanner": "repobility-ai-code-hygiene", "fingerprint": "81cef178eda4d617bda7ef5b673a0b6dc0e4de96b2688eb4f3720b0ad8572ce0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compat/obstack.h", "duplicate_line": 2, "correlation_key": "fp|81cef178eda4d617bda7ef5b673a0b6dc0e4de96b2688eb4f3720b0ad8572ce0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/regex/regex.h"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 79866, "scanner": "repobility-ai-code-hygiene", "fingerprint": "57c9b5a851be59eee11a03d926a38b6e2503b8b21542d6d997a7877ffc740c3f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "compat/obstack.c", "duplicate_line": 3, "correlation_key": "fp|57c9b5a851be59eee11a03d926a38b6e2503b8b21542d6d997a7877ffc740c3f"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "compat/obstack.h"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 79865, "scanner": "repobility-ai-code-hygiene", "fingerprint": "609e502f24a606be21f0e2219f95e93a7dac4c9bf49c95eedf034d71e9783fc7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "builtin/refs.c", "duplicate_line": 111, "correlation_key": "fp|609e502f24a606be21f0e2219f95e93a7dac4c9bf49c95eedf034d71e9783fc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "builtin/show-ref.c"}, "region": {"startLine": 194}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 79864, "scanner": "repobility-ai-code-hygiene", "fingerprint": "df432f51ab37351a13338f4c897c8533aa61a61132d4dc6dba301cfbaf56bea3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "builtin/ls-files.c", "duplicate_line": 179, "correlation_key": "fp|df432f51ab37351a13338f4c897c8533aa61a61132d4dc6dba301cfbaf56bea3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "builtin/ls-tree.c"}, "region": {"startLine": 11}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": 
{"repobilityId": 79810, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": "low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 79863, "scanner": "repobility-threat-engine", "fingerprint": "8e0abd4991b9f5ca55b32dfc20130081c9977ea569f7eb295a55287373219cf8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8e0abd4991b9f5ca55b32dfc20130081c9977ea569f7eb295a55287373219cf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/unit-tests/clar/generate.py"}, "region": {"startLine": 187}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 79862, "scanner": "repobility-threat-engine", "fingerprint": "5cf941887f3b58910dc0833c6490f58729f1d421655681717c3aea499b09349a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating 
context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5cf941887f3b58910dc0833c6490f58729f1d421655681717c3aea499b09349a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/unit-tests/clar/generate.py"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 79855, "scanner": "repobility-threat-engine", "fingerprint": "35967c2c51f60040b1c4897ef89266deac2eb8864dbb0b067333a5ca2ddd0ed2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|35967c2c51f60040b1c4897ef89266deac2eb8864dbb0b067333a5ca2ddd0ed2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/t5603-clone-dirname.sh"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 79854, "scanner": "repobility-threat-engine", "fingerprint": 
"11a010c843889cfe13b5fa4b916365bb62507549fe72677de76ff480b989d053", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|11a010c843889cfe13b5fa4b916365bb62507549fe72677de76ff480b989d053"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/t4018-diff-funcname.sh"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC134", "level": "none", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 79851, "scanner": "repobility-threat-engine", "fingerprint": "ee421e2f5fddad0a231bf20d28a5a2a96771650d5074a7f38bbf6c1fc641897f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ee421e2f5fddad0a231bf20d28a5a2a96771650d5074a7f38bbf6c1fc641897f"}}}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "properties": {"repobilityId": 79844, "scanner": "repobility-threat-engine", "fingerprint": "0a8b3c5a518a9cdd659fdd0b464d2bf4180e3ef7aeea526b02fc592daf044124", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0a8b3c5a518a9cdd659fdd0b464d2bf4180e3ef7aeea526b02fc592daf044124", "aggregated_count": 1}}}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 79843, "scanner": "repobility-threat-engine", "fingerprint": "ff6e6af39467b8981aa7a744be651c1a65794da655c0c29815324359b132a8ad", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ff6e6af39467b8981aa7a744be651c1a65794da655c0c29815324359b132a8ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/t7815-grep-binary.sh"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] 
Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 79842, "scanner": "repobility-threat-engine", "fingerprint": "24c01f1ba2b8b8e2cc71d9cdfd9d5c85865157a1da12f1cbbf570c55a7c542ea", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|24c01f1ba2b8b8e2cc71d9cdfd9d5c85865157a1da12f1cbbf570c55a7c542ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/t0200-gettext-basic.sh"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 79841, "scanner": "repobility-threat-engine", "fingerprint": "a4e11223927236e9a2f181668e0e2bcbc5570e151f80def80223350d9fbdbb3d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a4e11223927236e9a2f181668e0e2bcbc5570e151f80def80223350d9fbdbb3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/perf/p4209-pickaxe.sh"}, 
"region": {"startLine": 43}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 79835, "scanner": "repobility-threat-engine", "fingerprint": "d4aebbc20e8b7e37e1e74773f647fa496b9becdfcd7aca564dddfecb0fd12445", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d4aebbc20e8b7e37e1e74773f647fa496b9becdfcd7aca564dddfecb0fd12445"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/varint.rs"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 79834, "scanner": "repobility-threat-engine", "fingerprint": "1b7bd3d42579a1fa5a67245db136e1820beab42008f06df7614ca5609631fac4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1b7bd3d42579a1fa5a67245db136e1820beab42008f06df7614ca5609631fac4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/csum_file.rs"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 79826, "scanner": "repobility-threat-engine", "fingerprint": "7799d82dbb37b51c44d7a5ba2f2e4edeef95309d183bb4b817ddfe8bfcef0cb6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7799d82dbb37b51c44d7a5ba2f2e4edeef95309d183bb4b817ddfe8bfcef0cb6", "aggregated_count": 11}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 79825, "scanner": "repobility-threat-engine", "fingerprint": "fd860fae0a854ffd1e648638ab5fb94432c07f680b3d1ac9f75d72642d3e4615", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fd860fae0a854ffd1e648638ab5fb94432c07f680b3d1ac9f75d72642d3e4615"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/t5411-proc-receive-hook.sh"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 79824, "scanner": "repobility-threat-engine", "fingerprint": "02914f6c20ae6c305307d9e91ef39a7dcfb902305d7c36fbacd13f3ea902841d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|02914f6c20ae6c305307d9e91ef39a7dcfb902305d7c36fbacd13f3ea902841d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/regex/regex.c"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 79823, "scanner": "repobility-threat-engine", "fingerprint": "864d81e05b021b736ed7c746590c6681e40e008f94cefa44de1f8fe913a6924a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|864d81e05b021b736ed7c746590c6681e40e008f94cefa44de1f8fe913a6924a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/poll/poll.h"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check (and 7 more): Same pattern found in 7 additional files. 
Review if needed."}, "properties": {"repobilityId": 79822, "scanner": "repobility-threat-engine", "fingerprint": "c2c0449eee5a53e768a7b6d1519e57d1fddf612b5ef4ccda193e8812bc703639", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c2c0449eee5a53e768a7b6d1519e57d1fddf612b5ef4ccda193e8812bc703639", "aggregated_count": 7}}}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 79821, "scanner": "repobility-threat-engine", "fingerprint": "8601e253797d92ead509592fee9f3cf98528a7d762269edfe0f331438222af13", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8601e253797d92ead509592fee9f3cf98528a7d762269edfe0f331438222af13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/snprintf.c"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED075", "level": 
"none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 79820, "scanner": "repobility-threat-engine", "fingerprint": "5608c90ed3ce6044937ff12cac495ac939b0f42b2130172fec11aac722db4176", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5608c90ed3ce6044937ff12cac495ac939b0f42b2130172fec11aac722db4176"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/setenv.c"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 79819, "scanner": "repobility-threat-engine", "fingerprint": "c133cc3b9eb25f9496aad5e65f69a6a9aa3f5627482e76973d23fcb8ff0f8937", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c133cc3b9eb25f9496aad5e65f69a6a9aa3f5627482e76973d23fcb8ff0f8937"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "compat/mmap.c"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 79818, "scanner": "repobility-threat-engine", "fingerprint": "ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee"}}}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 74 more): Same pattern found in 74 additional files. Review if needed."}, "properties": {"repobilityId": 79814, "scanner": "repobility-threat-engine", "fingerprint": "5e5faae8b415a170491b6d4a7529b3b72b6f15f79b381673f6d001362ae6b5cc", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 74 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|5e5faae8b415a170491b6d4a7529b3b72b6f15f79b381673f6d001362ae6b5cc", "aggregated_count": 74}}}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ubuntu:rolling` unpinned: `container/services image: ubuntu:rolling` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 79942, "scanner": "repobility-supply-chain", "fingerprint": "52932e1964c41d24ed27992f6970f24e779409315a6ff81686329037460f6568", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|52932e1964c41d24ed27992f6970f24e779409315a6ff81686329037460f6568"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 478}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `debian:11` unpinned: `container/services image: debian:11` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 79941, "scanner": "repobility-supply-chain", "fingerprint": "a3ced5c2a7c17de425ba22683729535ea967e12dbb42660a843daf53f4b8a2b6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a3ced5c2a7c17de425ba22683729535ea967e12dbb42660a843daf53f4b8a2b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 416}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `almalinux:8` unpinned: `container/services image: almalinux:8` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 79940, "scanner": "repobility-supply-chain", "fingerprint": "a942268b39b1c3cef4b30aa2565eebcfbf3a71017cf9788dde0f1b185d00c49b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a942268b39b1c3cef4b30aa2565eebcfbf3a71017cf9788dde0f1b185d00c49b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 413}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `i386/ubuntu:focal` unpinned: `container/services image: i386/ubuntu:focal` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 79939, "scanner": "repobility-supply-chain", "fingerprint": "36cb2bd8b3160d15742b95f8909756d67e1ac89f2e9ae17e544c958147887ff7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|36cb2bd8b3160d15742b95f8909756d67e1ac89f2e9ae17e544c958147887ff7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 410}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `alpine:latest` unpinned: `container/services image: alpine:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 79938, "scanner": "repobility-supply-chain", "fingerprint": "c87e8fc766c8a6a2e8b62ec5d5faf31e1be8795339bf71fd6aae00135c84c0ec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c87e8fc766c8a6a2e8b62ec5d5faf31e1be8795339bf71fd6aae00135c84c0ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 407}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ubuntu:rolling` unpinned: `container/services image: ubuntu:rolling` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 79937, "scanner": "repobility-supply-chain", "fingerprint": "e7bb7e9179fb20451cff0c9e5b9eec5a50ef3583c3ebedc6d65481774158efe5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e7bb7e9179fb20451cff0c9e5b9eec5a50ef3583c3ebedc6d65481774158efe5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 404}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ubuntu:rolling` unpinned: `container/services image: ubuntu:rolling` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 79936, "scanner": "repobility-supply-chain", "fingerprint": "a1f4a1c0a0e1de0b5dda0e47c4ab142c73dbd0f08db2d6ffd2dbfcfb6d3f883d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a1f4a1c0a0e1de0b5dda0e47c4ab142c73dbd0f08db2d6ffd2dbfcfb6d3f883d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 401}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ubuntu:rolling` unpinned: `container/services image: ubuntu:rolling` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 79935, "scanner": "repobility-supply-chain", "fingerprint": "9d30f42b465b46ed140f8b36bacad7648c8277ecef87c90f31ef6618febb82d2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9d30f42b465b46ed140f8b36bacad7648c8277ecef87c90f31ef6618febb82d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 398}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ubuntu:rolling` unpinned: `container/services image: ubuntu:rolling` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 79934, "scanner": "repobility-supply-chain", "fingerprint": "47f65028d29f3f4f5acf161f903f40af9577dbdab51153a19bef54e0ce6d2371", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|47f65028d29f3f4f5acf161f903f40af9577dbdab51153a19bef54e0ce6d2371"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 395}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `fedora:latest` unpinned: `container/services image: fedora:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 79933, "scanner": "repobility-supply-chain", "fingerprint": "428f19b5e1581ed16e0730fa09bc30d1495c1f9d3de7c4d93871b139597f4ade", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|428f19b5e1581ed16e0730fa09bc30d1495c1f9d3de7c4d93871b139597f4ade"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 393}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ubuntu:rolling` unpinned: `container/services image: ubuntu:rolling` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 79932, "scanner": "repobility-supply-chain", "fingerprint": "26559850d4073508f7740ae33ac89e5e6c7db77f1ff910f2a5ffb374796123e5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|26559850d4073508f7740ae33ac89e5e6c7db77f1ff910f2a5ffb374796123e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 391}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ubuntu:20.04` unpinned: `container/services image: ubuntu:20.04` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 79931, "scanner": "repobility-supply-chain", "fingerprint": "b320a1a87cb0594ecede5288b3d1adf388d76a2417907aa95e928586a6013c70", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b320a1a87cb0594ecede5288b3d1adf388d76a2417907aa95e928586a6013c70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 386}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ubuntu:rolling` unpinned: `container/services image: ubuntu:rolling` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 79930, "scanner": "repobility-supply-chain", "fingerprint": "6d1e7a40c1257b4152ba0e11c41b3b34b238bec9745273faa44881ea326c9638", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6d1e7a40c1257b4152ba0e11c41b3b34b238bec9745273faa44881ea326c9638"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 383}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ubuntu:rolling` unpinned: `container/services image: ubuntu:rolling` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 79929, "scanner": "repobility-supply-chain", "fingerprint": "26427058cb3a03fa118c1a41737943e78bd41bb99dba9c4f4bfa54cedf40893a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|26427058cb3a03fa118c1a41737943e78bd41bb99dba9c4f4bfa54cedf40893a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 380}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79928, "scanner": "repobility-supply-chain", "fingerprint": "7a357381bc2fbca7da7e51548a783e2fc3d3e298a3d68379a3a62e4fd9c0d4b7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7a357381bc2fbca7da7e51548a783e2fc3d3e298a3d68379a3a62e4fd9c0d4b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 247}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79927, "scanner": "repobility-supply-chain", "fingerprint": "789ed886163408450d3372b9c0285c27c4ccf7863da056c2dcba1f0b84e8d431", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|789ed886163408450d3372b9c0285c27c4ccf7863da056c2dcba1f0b84e8d431"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 229}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `git-for-windows/setup-git-for-windows-sdk` pinned to mutable ref `@v2`: `uses: git-for-windows/setup-git-for-windows-sdk@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79926, "scanner": "repobility-supply-chain", "fingerprint": "b2f8cf71147801319fd71944e93943ee9e4753ad61afb72163076f0b81bd7c11", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b2f8cf71147801319fd71944e93943ee9e4753ad61afb72163076f0b81bd7c11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 227}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79925, "scanner": "repobility-supply-chain", "fingerprint": "5125f0477c1d0cd4f5416901bef21294a03222c4bf32e4e91b1ceaab08bb49e0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5125f0477c1d0cd4f5416901bef21294a03222c4bf32e4e91b1ceaab08bb49e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 211}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `microsoft/setup-msbuild` pinned to mutable ref `@v3`: `uses: microsoft/setup-msbuild@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79924, "scanner": "repobility-supply-chain", "fingerprint": "5e82f081d431e0b132b9258f725b6c5858db3d6f8b4027deedd5b46a5087f74a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5e82f081d431e0b132b9258f725b6c5858db3d6f8b4027deedd5b46a5087f74a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 189}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `git-for-windows/get-azure-pipelines-artifact` pinned to mutable ref `@v0`: `uses: git-for-windows/get-azure-pipelines-artifact@v0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79923, "scanner": "repobility-supply-chain", "fingerprint": "fe08654f2e4cb36d17e6a29407c518efc4d5a9ca7a84da973a44e2f986c7bd68", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fe08654f2e4cb36d17e6a29407c518efc4d5a9ca7a84da973a44e2f986c7bd68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 184}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79922, "scanner": "repobility-supply-chain", "fingerprint": "41533880ef855779cf279321b640f62588cec4188fb05337a431cfd927c1dd08", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|41533880ef855779cf279321b640f62588cec4188fb05337a431cfd927c1dd08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `git-for-windows/setup-git-for-windows-sdk` pinned to mutable ref `@v2`: `uses: git-for-windows/setup-git-for-windows-sdk@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79921, "scanner": "repobility-supply-chain", "fingerprint": "393120a19829fa3f85545329fef404789b8e4b780969df3bd1b23a7179be45d0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|393120a19829fa3f85545329fef404789b8e4b780969df3bd1b23a7179be45d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 177}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79920, "scanner": "repobility-supply-chain", "fingerprint": "48b3a6b2e986cb5ef73af3092af727185071d21ebb4af3a3ba91906517c1bc22", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|48b3a6b2e986cb5ef73af3092af727185071d21ebb4af3a3ba91906517c1bc22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 176}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79919, "scanner": "repobility-supply-chain", "fingerprint": "384f4fd66e98bfe0fb2c776db4b4379062b3c44a41935b599e6c8af2537ab9bf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|384f4fd66e98bfe0fb2c776db4b4379062b3c44a41935b599e6c8af2537ab9bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 160}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `git-for-windows/setup-git-for-windows-sdk` pinned to mutable ref `@v2`: `uses: git-for-windows/setup-git-for-windows-sdk@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79918, "scanner": "repobility-supply-chain", "fingerprint": "7fbc7febf8cf7d86c9a436ef19f64cdb3b54073c60369e1520f3a6f34b6d9f68", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7fbc7febf8cf7d86c9a436ef19f64cdb3b54073c60369e1520f3a6f34b6d9f68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79917, "scanner": "repobility-supply-chain", "fingerprint": "e453c77a19b3b09a2832cdc71ef576072c26657ea455d931a81ed83a4b50feec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e453c77a19b3b09a2832cdc71ef576072c26657ea455d931a81ed83a4b50feec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79916, "scanner": "repobility-supply-chain", "fingerprint": "8df17d8e1e0fd80127fb066420c97450c21bde22a56ca4bcb9ce7f2f1bd52273", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8df17d8e1e0fd80127fb066420c97450c21bde22a56ca4bcb9ce7f2f1bd52273"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `git-for-windows/setup-git-for-windows-sdk` pinned to mutable ref `@v2`: `uses: git-for-windows/setup-git-for-windows-sdk@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79915, "scanner": "repobility-supply-chain", "fingerprint": "1597abfb44e5d46fdb41fe4df18e1728cfd3b9661d487b92bbe2a2dad7a1e4fa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1597abfb44e5d46fdb41fe4df18e1728cfd3b9661d487b92bbe2a2dad7a1e4fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79914, "scanner": "repobility-supply-chain", "fingerprint": "753ce4c7a4138ac09e37cf9a10a44e68889ed4f2443374742a57413cb54bd8cc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|753ce4c7a4138ac09e37cf9a10a44e68889ed4f2443374742a57413cb54bd8cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79913, "scanner": "repobility-supply-chain", "fingerprint": "9ae5eba3f405bc78d252290e78fe86a4c8e03310a86583038ec064e330423a02", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9ae5eba3f405bc78d252290e78fe86a4c8e03310a86583038ec064e330423a02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79912, "scanner": "repobility-supply-chain", "fingerprint": "da663fd4692da41710faf84eb1e2a48707b2eae3669de98e52371da2c2f857a7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|da663fd4692da41710faf84eb1e2a48707b2eae3669de98e52371da2c2f857a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-style.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79911, "scanner": "repobility-supply-chain", "fingerprint": "4309181b3bd9bb821fe42a21681d2dd3e5a44520e5c28531aadc258cf6352bc4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4309181b3bd9bb821fe42a21681d2dd3e5a44520e5c28531aadc258cf6352bc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-whitespace.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `mshick/add-pr-comment` pinned to mutable ref `@v3`: `uses: mshick/add-pr-comment@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79910, "scanner": "repobility-supply-chain", "fingerprint": "16a6553248de9f8aa24a3501c240e833d40f98338c70f84963cacf93ec3f65bd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|16a6553248de9f8aa24a3501c240e833d40f98338c70f84963cacf93ec3f65bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/l10n.yml"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79909, "scanner": "repobility-supply-chain", "fingerprint": "c18a65050370a3510cd9ebb9fe348a69c12c2412f84b509e1ea4a73db9c30354", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c18a65050370a3510cd9ebb9fe348a69c12c2412f84b509e1ea4a73db9c30354"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/l10n.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache/save` pinned to mutable ref `@v5`: `uses: actions/cache/save@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79908, "scanner": "repobility-supply-chain", "fingerprint": "e9b6f34a050a7959566a9d789fa71e95404ef2bd24d6e3b3f9cf908691ffa2aa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e9b6f34a050a7959566a9d789fa71e95404ef2bd24d6e3b3f9cf908691ffa2aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverity.yml"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache/restore` pinned to mutable ref `@v5`: `uses: actions/cache/restore@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79907, "scanner": "repobility-supply-chain", "fingerprint": "a3331c425e6fb5420ce1f1d296c8390f00661ab8fe2e724708d55fc3e6a7569a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a3331c425e6fb5420ce1f1d296c8390f00661ab8fe2e724708d55fc3e6a7569a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverity.yml"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `git-for-windows/setup-git-for-windows-sdk` pinned to mutable ref `@v2`: `uses: git-for-windows/setup-git-for-windows-sdk@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79906, "scanner": "repobility-supply-chain", "fingerprint": "99828be0a8b4ebbcc3b8d869aa3f128930c88f9211d45785d862ce1485167565", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|99828be0a8b4ebbcc3b8d869aa3f128930c88f9211d45785d862ce1485167565"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverity.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79905, "scanner": "repobility-supply-chain", "fingerprint": "edcaa34f7b170d12cd6583b69a0c34d1025fbcee5076fd7ad6adc32d62c6ea4d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|edcaa34f7b170d12cd6583b69a0c34d1025fbcee5076fd7ad6adc32d62c6ea4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverity.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `i386/debian:latest` unpinned: `container/services image: i386/debian:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines: pin the image by digest (`@sha256:...`). Triage note: this workflow sits under `t/unit-tests/clar/`, outside the repository-root `.github/workflows/` directory that GitHub Actions reads, so it likely never runs from this repository; confirm that before treating the finding as high severity."}, "properties": {"repobilityId": 79904, "scanner": "repobility-supply-chain", "fingerprint": "b1faf2d6b874e9593b5f26a4fc43b5e3ed654c1f17cff8613b47da53e1d5ae1b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b1faf2d6b874e9593b5f26a4fc43b5e3ed654c1f17cff8613b47da53e1d5ae1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/unit-tests/clar/.github/workflows/ci.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate. Triage note: this workflow sits under `t/unit-tests/clar/`, outside the repository-root `.github/workflows/` directory that GitHub Actions reads, so it likely never runs from this repository; confirm that before treating the finding as high severity."}, "properties": {"repobilityId": 79903, "scanner": "repobility-supply-chain", "fingerprint": "7c8ca953e28c60a9e010a8a9c25c3c0640e9855582f41f116341ec7d1ba83433", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7c8ca953e28c60a9e010a8a9c25c3c0640e9855582f41f116341ec7d1ba83433"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/unit-tests/clar/.github/workflows/ci.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.getUserCacheFilename` used but never assigned in __init__: Method `loadUserMapFromCache` of class `P4UserMap` reads `self.getUserCacheFilename`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 79896, "scanner": "repobility-ast-engine", "fingerprint": "2c11ed82bc174648a49899dc44a93191c1bc22664416ba50f92bffedfd21deb9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2c11ed82bc174648a49899dc44a93191c1bc22664416ba50f92bffedfd21deb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1748}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.users` used but never assigned in __init__: Method `loadUserMapFromCache` of class `P4UserMap` reads `self.users`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 79895, "scanner": "repobility-ast-engine", "fingerprint": "a5306938f5dedd9b827e3ddef61b112f87a38ddb52f940ee6541b041b7af65b9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a5306938f5dedd9b827e3ddef61b112f87a38ddb52f940ee6541b041b7af65b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1745}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.getUserCacheFilename` used but never assigned in __init__: Method `getUserMapFromPerforceServer` of class `P4UserMap` reads `self.getUserCacheFilename`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 79894, "scanner": "repobility-ast-engine", "fingerprint": "5b15aecaaebca054ba4286e700ce0557598134788b3d6d26cc7a774bdfda2f43", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5b15aecaaebca054ba4286e700ce0557598134788b3d6d26cc7a774bdfda2f43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1741}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.emails` used but never assigned in __init__: Method `getUserMapFromPerforceServer` of class `P4UserMap` reads `self.emails`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 79893, "scanner": "repobility-ast-engine", "fingerprint": "bce90589456d5fd1d2832bcbc716ec575e70ca626bba7a75b0b6cf37feda4a05", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bce90589456d5fd1d2832bcbc716ec575e70ca626bba7a75b0b6cf37feda4a05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1734}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.users` used but never assigned in __init__: Method `getUserMapFromPerforceServer` of class `P4UserMap` reads `self.users`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 79892, "scanner": "repobility-ast-engine", "fingerprint": "a3e8375dd0729260376548a57e625d038e3852b74c8bedd57625d2cfab5201c4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a3e8375dd0729260376548a57e625d038e3852b74c8bedd57625d2cfab5201c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1733}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.users` used but never assigned in __init__: Method `getUserMapFromPerforceServer` of class `P4UserMap` reads `self.users`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 79891, "scanner": "repobility-ast-engine", "fingerprint": "768a658a0a9af8ab942ec09a4e4a287ce1746aef412067c002fc138026c3f1a7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|768a658a0a9af8ab942ec09a4e4a287ce1746aef412067c002fc138026c3f1a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1737}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.emails` used but never assigned in __init__: Method `getUserMapFromPerforceServer` of class `P4UserMap` reads `self.emails`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 79890, "scanner": "repobility-ast-engine", "fingerprint": "83b9db4845d30e4a523b1bc982275ffd60282323a04f98504a98c8bd926ba0ff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|83b9db4845d30e4a523b1bc982275ffd60282323a04f98504a98c8bd926ba0ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1723}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.users` used but never assigned in __init__: Method `getUserMapFromPerforceServer` of class `P4UserMap` reads `self.users`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 79889, "scanner": "repobility-ast-engine", "fingerprint": "98894b032bdb45644f389024e385325e58a9bc01bbecc5de8e19e7dadfdcad70", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|98894b032bdb45644f389024e385325e58a9bc01bbecc5de8e19e7dadfdcad70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1722}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.emails` used but never assigned in __init__: Method `getUserMapFromPerforceServer` of class `P4UserMap` reads `self.emails`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 79888, "scanner": "repobility-ast-engine", "fingerprint": "241cbe9ffaf7a58dd16327346f95b2a237adc826cb0c57cf0625c1ba6abbf244", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|241cbe9ffaf7a58dd16327346f95b2a237adc826cb0c57cf0625c1ba6abbf244"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1711}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.users` used but never assigned in __init__: Method `getUserMapFromPerforceServer` of class `P4UserMap` reads `self.users`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 79887, "scanner": "repobility-ast-engine", "fingerprint": "2c361b954ca1e80e8aec16d1be5d50258b523bd63ec2f9f23240d1b713b193fd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2c361b954ca1e80e8aec16d1be5d50258b523bd63ec2f9f23240d1b713b193fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1710}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.p4UserId` used but never assigned in __init__: Method `p4UserIsMe` of class `P4UserMap` reads `self.p4UserId`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 79886, "scanner": "repobility-ast-engine", "fingerprint": "a9b031ece5ff26cd7eb18247927f663e4bb3ad86ded58bce7691bc85e82c2b33", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a9b031ece5ff26cd7eb18247927f663e4bb3ad86ded58bce7691bc85e82c2b33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1697}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generateGitAttributes` used but never assigned in __init__: Method `processContent` of class `GitLFS` reads `self.generateGitAttributes`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance. Triage note: other findings in this report name `generateGitAttributes` as a method of class `GitLFS`; a method defined on the class is a class-level definition, so `self.generateGitAttributes` would resolve and this is likely a false positive. Confirm against git-p4.py before acting."}, "properties": {"repobilityId": 79885, "scanner": "repobility-ast-engine", "fingerprint": "eac1f067a564210914e9c0ab4a5e5afa3cb533118e48ed7743a979f01e5b03b0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eac1f067a564210914e9c0ab4a5e5afa3cb533118e48ed7743a979f01e5b03b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1658}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generateGitAttributes` used but never assigned in __init__: Method `removeLargeFile` of class `GitLFS` reads `self.generateGitAttributes`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance. Triage note: other findings in this report name `generateGitAttributes` as a method of class `GitLFS`; a method defined on the class is a class-level definition, so `self.generateGitAttributes` would resolve and this is likely a false positive. Confirm against git-p4.py before acting."}, "properties": {"repobilityId": 79884, "scanner": "repobility-ast-engine", "fingerprint": "50935ef6795db1b8b96d5826c22d6186925b63ba91a2d9d7f7d579d23df52283", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|50935ef6795db1b8b96d5826c22d6186925b63ba91a2d9d7f7d579d23df52283"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1653}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.writeToGitStream` used but never assigned in __init__: Method `removeLargeFile` of class `GitLFS` reads `self.writeToGitStream`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 79883, "scanner": "repobility-ast-engine", "fingerprint": "876965db482c787878ba1e794acd054c8e29c6b46ded0e8a6b734daf63790c3c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|876965db482c787878ba1e794acd054c8e29c6b46ded0e8a6b734daf63790c3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1653}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generateGitAttributes` used but never assigned in __init__: Method `addLargeFile` of class `GitLFS` reads `self.generateGitAttributes`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance. Triage note: other findings in this report name `generateGitAttributes` as a method of class `GitLFS`; a method defined on the class is a class-level definition, so `self.generateGitAttributes` would resolve and this is likely a false positive. Confirm against git-p4.py before acting."}, "properties": {"repobilityId": 79882, "scanner": "repobility-ast-engine", "fingerprint": "d1a25165a4d8cf5814913ecfc877905c30b38c4f53613f10dd84c3095ead5c0d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d1a25165a4d8cf5814913ecfc877905c30b38c4f53613f10dd84c3095ead5c0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1649}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.writeToGitStream` used but never assigned in __init__: Method `addLargeFile` of class `GitLFS` reads `self.writeToGitStream`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 79881, "scanner": "repobility-ast-engine", "fingerprint": "37373a03fe3649d6c5b0cab9a950110382bf8d462e55bae2fdc8a383cae26ce5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|37373a03fe3649d6c5b0cab9a950110382bf8d462e55bae2fdc8a383cae26ce5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1649}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.hasLargeFileExtension` used but never assigned in __init__: Method `generateGitAttributes` of class `GitLFS` reads `self.hasLargeFileExtension`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 79880, "scanner": "repobility-ast-engine", "fingerprint": "d02636a76c46c2aa8287458f9aa2e044e7dbe1631a1baa60c2047010e7db1032", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d02636a76c46c2aa8287458f9aa2e044e7dbe1631a1baa60c2047010e7db1032"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1643}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.largeFiles` used but never assigned in __init__: Method `generateGitAttributes` of class `GitLFS` reads `self.largeFiles`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 79879, "scanner": "repobility-ast-engine", "fingerprint": "9a4c2af657d19e4b22c29342310e36f1da7e40ef260f933b32e3b866516fe4cd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9a4c2af657d19e4b22c29342310e36f1da7e40ef260f933b32e3b866516fe4cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1643}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.pushFile` used but never assigned in __init__: Method `processContent` of class `LargeFileSystem` reads `self.pushFile`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 79878, "scanner": "repobility-ast-engine", "fingerprint": "0dc8e45c3600afeb96bfe9f2258ec645de1396cd726987ad189172e22f2e0c58", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0dc8e45c3600afeb96bfe9f2258ec645de1396cd726987ad189172e22f2e0c58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1542}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.addLargeFile` used but never assigned in __init__: Method `processContent` of class `LargeFileSystem` reads `self.addLargeFile`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance. Triage note: other findings in this report name `addLargeFile` as a method of class `GitLFS`; if `GitLFS` derives from `LargeFileSystem` (not shown in this report), the base class is calling a method its subclasses provide and this is likely a false positive. Confirm against git-p4.py before acting."}, "properties": {"repobilityId": 79877, "scanner": "repobility-ast-engine", "fingerprint": "643df8e594883f191eae34529bcd226fe8adf481e0d3c09ecb75ad30d457db4b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|643df8e594883f191eae34529bcd226fe8adf481e0d3c09ecb75ad30d457db4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1540}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generatePointer` used but never assigned in __init__: Method `processContent` of class `LargeFileSystem` reads `self.generatePointer`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 79876, "scanner": "repobility-ast-engine", "fingerprint": "b42ffe83fd4eb96589e6159ab837019481fb5b56e9c5e0db456e011e6057c310", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b42ffe83fd4eb96589e6159ab837019481fb5b56e9c5e0db456e011e6057c310"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1531}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generateTempFile` used but never assigned in __init__: Method `processContent` of class `LargeFileSystem` reads `self.generateTempFile`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 79875, "scanner": "repobility-ast-engine", "fingerprint": "d770581acc29e582fc0f1fb006511aabc1456c5d5c5c99a3495d48a960e120ea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d770581acc29e582fc0f1fb006511aabc1456c5d5c5c99a3495d48a960e120ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1530}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.hasLargeFileExtension` used but never assigned in __init__: Method `processContent` of class `LargeFileSystem` reads `self.hasLargeFileExtension`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 79874, "scanner": "repobility-ast-engine", "fingerprint": "ccf0507786fff338ad0799033b2429f1a1b2055453e390b88c58efd0257d560e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ccf0507786fff338ad0799033b2429f1a1b2055453e390b88c58efd0257d560e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1529}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.exceedsLargeFileThreshold` used but never assigned in __init__: Method `processContent` of class `LargeFileSystem` reads `self.exceedsLargeFileThreshold`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 79873, "scanner": "repobility-ast-engine", "fingerprint": "57ce250a93b1e4044de58ca3a8b60b097ba3ca94fa7a54130497eb676ac0aaf8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|57ce250a93b1e4044de58ca3a8b60b097ba3ca94fa7a54130497eb676ac0aaf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1529}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generateTempFile` used but never assigned in __init__: Method `exceedsLargeFileThreshold` of class `LargeFileSystem` reads `self.generateTempFile`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 79872, "scanner": "repobility-ast-engine", "fingerprint": "0294f475fcd86bf9280fcdb2a6090bd60a14c0ef3503380ca603487be25dad66", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0294f475fcd86bf9280fcdb2a6090bd60a14c0ef3503380ca603487be25dad66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "git-p4.py"}, "region": {"startLine": 1501}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 79860, "scanner": "repobility-threat-engine", "fingerprint": "03d2f20791b14410767b473653ee7e96e8cf732c13c589dc2af965a15b10f95f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|03d2f20791b14410767b473653ee7e96e8cf732c13c589dc2af965a15b10f95f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/unit-tests/clar/generate.py"}, "region": {"startLine": 190}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: 
User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 79859, "scanner": "repobility-threat-engine", "fingerprint": "79e8029e28bc8b6d9d5f08bc4c02581ab18c1b921f20df33b92b53f9cbfda2a6", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(fn, 'r') as input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|245|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/unit-tests/clar/generate.py"}, "region": {"startLine": 245}}}]}, {"ruleId": "MINED104", "level": "error", "message": {"text": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. 
Local privilege escalation surface; audit-failing for most compliance frameworks."}, "properties": {"repobilityId": 79856, "scanner": "repobility-threat-engine", "fingerprint": "5b2189468929506c0fb2040f4f7ca59c2f4fc0ab2124f084daeef88022839d4e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "chmod-777", "owasp": "A05:2021", "cwe_ids": ["CWE-732", "CWE-276"], "languages": ["shell", "bash", "dockerfile"], "precision": 1.0, "promoted_at": "2026-05-19T13:00:00.000000+00:00", "triaged_in_corpus": 0, "observations_count": 0, "ai_coder_pattern_id": 47}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5b2189468929506c0fb2040f4f7ca59c2f4fc0ab2124f084daeef88022839d4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/t4053-diff-no-index.sh"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 79853, "scanner": "repobility-threat-engine", "fingerprint": "9a25752275cf4df9e3279628d27fae029bd9ca4f77ab8ad00472c3c3267daa4e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9a25752275cf4df9e3279628d27fae029bd9ca4f77ab8ad00472c3c3267daa4e"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "t/t1460-refs-migrate.sh"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 79833, "scanner": "repobility-threat-engine", "fingerprint": "93cdc6740b3ed46f565ad6e674106ca69072555daf6d7270873b5a893564b88a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|93cdc6740b3ed46f565ad6e674106ca69072555daf6d7270873b5a893564b88a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shell.c"}, "region": {"startLine": 213}}}]}, {"ruleId": "MINED017", "level": "error", "message": {"text": "[MINED017] C System Call: system() invokes shell. 
command injection if any arg is dynamic."}, "properties": {"repobilityId": 79831, "scanner": "repobility-threat-engine", "fingerprint": "08afe368102a7892af568568f37381fac557fa43ca4a246cc4a773e6241b6618", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347937+00:00", "triaged_in_corpus": 15, "observations_count": 77748, "ai_coder_pattern_id": 132}, "scanner": "repobility-threat-engine", "correlation_key": "fp|08afe368102a7892af568568f37381fac557fa43ca4a246cc4a773e6241b6618"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/helper/test-drop-caches.c"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED017", "level": "error", "message": {"text": "[MINED017] C System Call: system() invokes shell. 
command injection if any arg is dynamic."}, "properties": {"repobilityId": 79830, "scanner": "repobility-threat-engine", "fingerprint": "0beb7b6fbe8f3ff0b3650c3594e6ecacc32963eecfe2e896556127b978133471", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347937+00:00", "triaged_in_corpus": 15, "observations_count": 77748, "ai_coder_pattern_id": 132}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0beb7b6fbe8f3ff0b3650c3594e6ecacc32963eecfe2e896556127b978133471"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/vcbuild/scripts/lib.pl"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED017", "level": "error", "message": {"text": "[MINED017] C System Call: system() invokes shell. 
command injection if any arg is dynamic."}, "properties": {"repobilityId": 79829, "scanner": "repobility-threat-engine", "fingerprint": "df25c9e0e266f22fb73bd2c8203661620c789b1dd88f38283dba7eb8455c5024", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347937+00:00", "triaged_in_corpus": 15, "observations_count": 77748, "ai_coder_pattern_id": 132}, "scanner": "repobility-threat-engine", "correlation_key": "fp|df25c9e0e266f22fb73bd2c8203661620c789b1dd88f38283dba7eb8455c5024"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/vcbuild/scripts/clink.pl"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED010", "level": "error", "message": {"text": "[MINED010] Ruby System Call: system / backtick run shell. 
Command injection if any arg dynamic."}, "properties": {"repobilityId": 79828, "scanner": "repobility-threat-engine", "fingerprint": "dd3b5de1e6c90c1cfa8778a4c2004724070a161dcdb9c0f0cc4a7c5cb1f6e3d4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347921+00:00", "triaged_in_corpus": 15, "observations_count": 189513, "ai_coder_pattern_id": 162}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dd3b5de1e6c90c1cfa8778a4c2004724070a161dcdb9c0f0cc4a7c5cb1f6e3d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/vcbuild/scripts/lib.pl"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED010", "level": "error", "message": {"text": "[MINED010] Ruby System Call: system / backtick run shell. 
Command injection if any arg dynamic."}, "properties": {"repobilityId": 79827, "scanner": "repobility-threat-engine", "fingerprint": "89b8cd6c086fa0a00cc5e3d20c3550fe1071cec6ff7ca3a0c196c5b5b41590a4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347921+00:00", "triaged_in_corpus": 15, "observations_count": 189513, "ai_coder_pattern_id": 162}, "scanner": "repobility-threat-engine", "correlation_key": "fp|89b8cd6c086fa0a00cc5e3d20c3550fe1071cec6ff7ca3a0c196c5b5b41590a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compat/vcbuild/scripts/clink.pl"}, "region": {"startLine": 133}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 79817, "scanner": "repobility-threat-engine", "fingerprint": "60390ceda3180b4238510c0ce47e144f1f1ac203201ed66840c76f491f265e6c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|60390ceda3180b4238510c0ce47e144f1f1ac203201ed66840c76f491f265e6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "http.h"}, "region": {"startLine": 126}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 79816, "scanner": "repobility-threat-engine", "fingerprint": "156641568f31a8ae4fffe6cd530c7ef4dfaa94a9da53de3454d42bb612b0731f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|156641568f31a8ae4fffe6cd530c7ef4dfaa94a9da53de3454d42bb612b0731f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "credential.h"}, "region": {"startLine": 305}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 79815, "scanner": "repobility-threat-engine", "fingerprint": "fcfd93e9a41e2ff668c070b168c500969f3d35a6ba554434f65280231e4eea39", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fcfd93e9a41e2ff668c070b168c500969f3d35a6ba554434f65280231e4eea39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "builtin/send-pack.c"}, "region": {"startLine": 261}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 79813, "scanner": "repobility-threat-engine", "fingerprint": "fe7ea1b4dac22be6dba82bb0479b425c14fb2b21406e3a2b7598947b5871a269", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fe7ea1b4dac22be6dba82bb0479b425c14fb2b21406e3a2b7598947b5871a269"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "builtin/show-ref.c"}, "region": {"startLine": 324}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": 
{"repobilityId": 79812, "scanner": "repobility-threat-engine", "fingerprint": "cd2387ce9469a6247ee4ceff6a27ac9726531f9a40163855708ec3be4bb8797e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cd2387ce9469a6247ee4ceff6a27ac9726531f9a40163855708ec3be4bb8797e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "builtin/show-index.c"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 79811, "scanner": "repobility-threat-engine", "fingerprint": "52d74003c82e5b65fefb28dbe77538e809fb8743cd3242b819b2fd9b18acb33f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|52d74003c82e5b65fefb28dbe77538e809fb8743cd3242b819b2fd9b18acb33f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "builtin/prune.c"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED030", "level": "error", "message": {"text": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code 
via __reduce__."}, "properties": {"repobilityId": 79861, "scanner": "repobility-threat-engine", "fingerprint": "9e2c41e34c15b61b5660d3ef5df5329be151f5e7543d9cf2f3c680d2e660cddb", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pickle-loads", "owasp": null, "cwe_ids": ["CWE-502"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347968+00:00", "triaged_in_corpus": 20, "observations_count": 6314, "ai_coder_pattern_id": 119}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9e2c41e34c15b61b5660d3ef5df5329be151f5e7543d9cf2f3c680d2e660cddb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/unit-tests/clar/generate.py"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat don't bounds-check; use strncpy or snprintf (strncpy does not NUL-terminate when the source fills the buffer)."}, "properties": {"repobilityId": 79858, "scanner": "repobility-threat-engine", "fingerprint": "e6962684d93ce819c88577afc4e901487580055b43352b0242658620fa79bac3", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e6962684d93ce819c88577afc4e901487580055b43352b0242658620fa79bac3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/unit-tests/clar/clar/sandbox.h"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED015", "level": 
"error", "message": {"text": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. Code injection."}, "properties": {"repobilityId": 79857, "scanner": "repobility-threat-engine", "fingerprint": "5589633c8cc56358cd6c3ba7829f90596a40a4108451ac48c97fba650b5743c4", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-eval-call", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347933+00:00", "triaged_in_corpus": 20, "observations_count": 85733, "ai_coder_pattern_id": 161}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5589633c8cc56358cd6c3ba7829f90596a40a4108451ac48c97fba650b5743c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/t9700/test.pl"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 79847, "scanner": "repobility-threat-engine", "fingerprint": "a8d564f670f474095c447549c136e2f90d05dbb1f59c32f123a7690454baed61", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a8d564f670f474095c447549c136e2f90d05dbb1f59c32f123a7690454baed61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"t/unit-tests/u-urlmatch-normalization.c"}, "region": {"startLine": 207}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 79846, "scanner": "repobility-threat-engine", "fingerprint": "72ae1340ae0d57816fec8f7eedd026ee3b4ee50c092df3773d52d023ba345142", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|72ae1340ae0d57816fec8f7eedd026ee3b4ee50c092df3773d52d023ba345142"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/t5564-http-proxy.sh"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 79845, "scanner": "repobility-threat-engine", "fingerprint": "2ecf773ffb4bc20dbedf4544fd10ef16f0d4ba41483aabc49832cffdb889f4c7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|2ecf773ffb4bc20dbedf4544fd10ef16f0d4ba41483aabc49832cffdb889f4c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/t0302-credential-store.sh"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 79840, "scanner": "repobility-threat-engine", "fingerprint": "378a20a5f07ad93241226f4e7baa7eceedee644d8d62901a77727a337dd84e1a", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "marshal.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|t/lib-git-p4.sh|196|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/lib-git-p4.sh"}, "region": {"startLine": 196}}}]}, {"ruleId": "SEC081", "level": "error", "message": {"text": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. 
Ported from dlint DUO103 / DUO120 (BSD-3)."}, "properties": {"repobilityId": 79839, "scanner": "repobility-threat-engine", "fingerprint": "bac55f304b294166571459a257003dd032876359d9a1cf9e017e8883221be832", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pickle.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC081", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bac55f304b294166571459a257003dd032876359d9a1cf9e017e8883221be832"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/unit-tests/clar/generate.py"}, "region": {"startLine": 188}}}]}, {"ruleId": "SEC081", "level": "error", "message": {"text": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3)."}, "properties": {"repobilityId": 79838, "scanner": "repobility-threat-engine", "fingerprint": "cf39666e982ece2b9e82890d0d20acd1ad146b3950d41338a0399044ab37f3a4", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "marshal.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC081", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cf39666e982ece2b9e82890d0d20acd1ad146b3950d41338a0399044ab37f3a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "t/lib-git-p4.sh"}, "region": {"startLine": 196}}}]}]}]}