{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED124", "name": "[MINED124] requirements.txt: `send2trash` has no version pin: Unpinned pip requirement means every fresh install may res", "shortDescription": {"text": "[MINED124] requirements.txt: `send2trash` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible in"}, "fullDescription": {"text": "Replace `send2trash` with `send2trash==<version>` and manage upgrades through PRs / Dependabot."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `crawl_all` has cognitive complexity 18 (SonarSource scale). Cognitive com", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `crawl_all` has cognitive complexity 18 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 18."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /ll"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 33.3% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 33.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Dockerfile base image uses the latest tag", "shortDescription": {"text": "Dockerfile base image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Use `pip install --no-cache-dir ...` in container builds."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.25, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at ", "shortDescription": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compro"}, "fullDescription": {"text": "Replace with: `uses: actions/upload-artifact@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `budtmo/docker-android:emulator_11.0` not pinned by digest: `FROM budtmo/docker-android:emula", "shortDescription": {"text": "[MINED118] Dockerfile FROM `budtmo/docker-android:emulator_11.0` not pinned by digest: `FROM budtmo/docker-android:emulator_11.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is"}, "fullDescription": {"text": "Replace with: `FROM budtmo/docker-android:emulator_11.0@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "[MINED131] pre-commit hook `https://github.com/charliermarsh/ruff-pre-commit` pinned to mutable rev `v0.14.1`: `.pre-com", "shortDescription": {"text": "[MINED131] pre-commit hook `https://github.com/charliermarsh/ruff-pre-commit` pinned to mutable rev `v0.14.1`: `.pre-commit-config.yaml` references `https://github.com/charliermarsh/ruff-pre-commit` at `rev: v0.14.1`. If `{rev}` is a branch"}, "fullDescription": {"text": "Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "[MINED112] FastAPI POST /playwright_exec has no auth: Handler `playwright_exec_endpoint` is registered with router/app.p", "shortDescription": {"text": "[MINED112] FastAPI POST /playwright_exec has no auth: Handler `playwright_exec_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "fullDescription": {"text": "Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED110", "name": "[MINED110] Blocking call `input` inside async function `_record_skill_async`: `input` is a synchronous (blocking) call. ", "shortDescription": {"text": "[MINED110] Blocking call `input` inside async function `_record_skill_async`: `input` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making"}, "fullDescription": {"text": "Use the async equivalent: `aiohttp` instead of `requests`, `asyncio.sleep` instead of `time.sleep`, `aiofiles` instead of `open`."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self._make_click_through` used but never assigned in __init__: Method `move_to` of class `OverlayCursor` rea", "shortDescription": {"text": "[MINED108] `self._make_click_through` used but never assigned in __init__: Method `move_to` of class `OverlayCursor` reads `self._make_click_through`, but no assignment to it exists in __init__ (and no class-level fallback). This raises Att"}, "fullDescription": {"text": "Initialize `self._make_click_through = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_keypress_combination: Test function `test_keypress_combination` runs code but con", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_keypress_combination: Test function `test_keypress_combination` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anythin"}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.", "shortDescription": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "fullDescription": {"text": "Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = ?', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "MINED125", "name": "[MINED125] GHA script injection via github.event.pull_request.title in run-step: Multi-line `run: |` block interpolates ", "shortDescription": {"text": "[MINED125] GHA script injection via github.event.pull_request.title in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.title }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "fullDescription": {"text": "Capture the field into an env var first; reference $ENV_VAR in shell."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.RELEASE_APP_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.RELEASE_APP_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.RELEASE_APP_PRIVATE_KEY }` lets a PR from any fork e"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `", "shortDescription": {"text": "[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import platform` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/177"}, "properties": {"repository": "trycua/cua", "repoUrl": "https://github.com/trycua/cua.git", "branch": "main"}, "results": [{"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `send2trash` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 41517, "scanner": "repobility-supply-chain", "fingerprint": "049f1b5b2d434c40f94f202e8361939f7e615c348869f3f53feb8168124d4dce", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|049f1b5b2d434c40f94f202e8361939f7e615c348869f3f53feb8168124d4dce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/tasks/winarena_adapter/infra/vm/setup/server/requirements.txt"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pygetwindow` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 41516, "scanner": "repobility-supply-chain", "fingerprint": "29812ef5cb25b8f3bd652d1b63c64e1d7c8264d36a5606d54b9dc49572762c3a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|29812ef5cb25b8f3bd652d1b63c64e1d7c8264d36a5606d54b9dc49572762c3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/tasks/winarena_adapter/infra/vm/setup/server/requirements.txt"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `screeninfo` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 41515, "scanner": "repobility-supply-chain", "fingerprint": "775232fee1604f99b0f542fa361ffc6f65fdc52f3188b50599e1d0e97e6f17f1", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|775232fee1604f99b0f542fa361ffc6f65fdc52f3188b50599e1d0e97e6f17f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/tasks/winarena_adapter/infra/vm/setup/server/requirements.txt"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pygame` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 41514, "scanner": "repobility-supply-chain", "fingerprint": "a94b7ff2345cb0f79d08894a50b4a93e11920576d46ba1ddd306a1c21cf15beb", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a94b7ff2345cb0f79d08894a50b4a93e11920576d46ba1ddd306a1c21cf15beb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/tasks/winarena_adapter/infra/vm/setup/server/requirements.txt"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `lxml` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 41513, "scanner": "repobility-supply-chain", "fingerprint": "196744cda7e52bf2f7fba4c406ddc1a06595ba50cd4a209944c21674a020dac3", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|196744cda7e52bf2f7fba4c406ddc1a06595ba50cd4a209944c21674a020dac3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/tasks/winarena_adapter/infra/vm/setup/server/requirements.txt"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `numpy` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 41512, "scanner": "repobility-supply-chain", "fingerprint": "6a67c2cd9f95ebb3acadf21267a0f8dd011d3f12c26a0d43465d5541a4719e05", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6a67c2cd9f95ebb3acadf21267a0f8dd011d3f12c26a0d43465d5541a4719e05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/tasks/winarena_adapter/infra/vm/setup/server/requirements.txt"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `flask` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 41511, "scanner": "repobility-supply-chain", "fingerprint": "040d6023f6a489081c3f5ea905c2ae30bfdb1b2a86fc46b6af0c5106c941c885", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|040d6023f6a489081c3f5ea905c2ae30bfdb1b2a86fc46b6af0c5106c941c885"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/tasks/winarena_adapter/infra/vm/setup/server/requirements.txt"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `requests` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 41510, "scanner": "repobility-supply-chain", "fingerprint": "98e7c5342c477f4a0cc83ba139c5ef620d496d3d8a8b521bb561c5f2f7208715", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|98e7c5342c477f4a0cc83ba139c5ef620d496d3d8a8b521bb561c5f2f7208715"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/tasks/winarena_adapter/infra/vm/setup/server/requirements.txt"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41437, "scanner": "repobility-ast-engine", "fingerprint": "7f08c58a7b0a19c658a9825ac93d91a0f850561423e2e3f035d740eb2a7435f2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7f08c58a7b0a19c658a9825ac93d91a0f850561423e2e3f035d740eb2a7435f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/docs-generators/extract_python_docs.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41436, "scanner": "repobility-ast-engine", "fingerprint": "6b11377c9365ac3a2111fffa6c68660b962edb71f54804fdd65a755c08efdef8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6b11377c9365ac3a2111fffa6c68660b962edb71f54804fdd65a755c08efdef8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/docs-mcp-server/main.py"}, "region": {"startLine": 213}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41435, "scanner": "repobility-ast-engine", "fingerprint": "a8ca72af0350c1fa4aa5e5d4f3dc7d541528bce5ae0f3f5dd84b9b9fd18b116b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a8ca72af0350c1fa4aa5e5d4f3dc7d541528bce5ae0f3f5dd84b9b9fd18b116b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/docs-mcp-server/main.py"}, "region": {"startLine": 202}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41434, "scanner": "repobility-ast-engine", "fingerprint": "ac75b8fe93332e18b7d9cc1cdcc37e94c535dfe2f4cf206dba3f9a5083a237eb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ac75b8fe93332e18b7d9cc1cdcc37e94c535dfe2f4cf206dba3f9a5083a237eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/docs-mcp-server/main.py"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41433, "scanner": "repobility-ast-engine", "fingerprint": "60789fa43e15c9485fb6aa667e944d3cd5a62f56753bb5fbdc88e221d95d0761", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|60789fa43e15c9485fb6aa667e944d3cd5a62f56753bb5fbdc88e221d95d0761"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/docs-mcp-server/main.py"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41432, "scanner": "repobility-ast-engine", "fingerprint": "357354e02411763c2dc68e837dfa100dc7f04664c24d41221288c952d2d55c56", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|357354e02411763c2dc68e837dfa100dc7f04664c24d41221288c952d2d55c56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/docs-mcp-server/main.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41431, "scanner": "repobility-ast-engine", "fingerprint": "3e54e3ff53ffd52e8f26f0e025b68a321c62d760be2f6ed3e116ca1adb91b15e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3e54e3ff53ffd52e8f26f0e025b68a321c62d760be2f6ed3e116ca1adb91b15e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/crawl_docs.py"}, "region": {"startLine": 160}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41421, "scanner": "repobility-ast-engine", "fingerprint": "55e2e725ac96d35f241a3b45d8b351b7982c9b29d83363a1d9ba05748e7dd0ce", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|55e2e725ac96d35f241a3b45d8b351b7982c9b29d83363a1d9ba05748e7dd0ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/modal_app.py"}, "region": {"startLine": 303}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41420, "scanner": "repobility-ast-engine", "fingerprint": "9bedbb35202fd12b6805fbd5a7923565a301584a571766620ac1fd0fa3ef744e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9bedbb35202fd12b6805fbd5a7923565a301584a571766620ac1fd0fa3ef744e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/modal_app.py"}, "region": {"startLine": 1722}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41419, "scanner": "repobility-ast-engine", "fingerprint": "e2318aaa674af86642a33c5e4954e81879b571d3c65023dbf52bc3415044862a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e2318aaa674af86642a33c5e4954e81879b571d3c65023dbf52bc3415044862a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/modal_app.py"}, "region": {"startLine": 1711}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41418, "scanner": "repobility-ast-engine", "fingerprint": "16b31422d782755167a9d035bf1fab4382cfd428c033426f85a9597c8f7e2bc9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|16b31422d782755167a9d035bf1fab4382cfd428c033426f85a9597c8f7e2bc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/modal_app.py"}, "region": {"startLine": 1699}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41417, "scanner": "repobility-ast-engine", "fingerprint": "8ec9f5ed48fa95f3254652a33dbd8233b1fb16ed38ba0be39f459ab4db865388", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8ec9f5ed48fa95f3254652a33dbd8233b1fb16ed38ba0be39f459ab4db865388"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/modal_app.py"}, "region": {"startLine": 1688}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41416, "scanner": "repobility-ast-engine", "fingerprint": "66e594b6ce9ccca7103a9e41c2a286f64e0114756bfbcb7cd37e0b02fe74a02f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|66e594b6ce9ccca7103a9e41c2a286f64e0114756bfbcb7cd37e0b02fe74a02f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/modal_app.py"}, "region": {"startLine": 1293}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41415, "scanner": "repobility-ast-engine", "fingerprint": "c75a2a6d07b429757541f5943e36843cf6f2040e2a669b78a7019ab038f63d8a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c75a2a6d07b429757541f5943e36843cf6f2040e2a669b78a7019ab038f63d8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/modal_app.py"}, "region": {"startLine": 1588}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41414, "scanner": "repobility-ast-engine", "fingerprint": "6fa0e664c4e4fc17e0564aaaefe0de88de2f8101fff749710905306e05c56218", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6fa0e664c4e4fc17e0564aaaefe0de88de2f8101fff749710905306e05c56218"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/modal_app.py"}, "region": {"startLine": 1091}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41413, "scanner": "repobility-ast-engine", "fingerprint": "2829f2583062b2f5c1ac39a78eab6d8558f15e9094600b7327cdbe250377a3c0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2829f2583062b2f5c1ac39a78eab6d8558f15e9094600b7327cdbe250377a3c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/agent_loop_testing/agent_test_uitars.py"}, "region": {"startLine": 182}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41412, "scanner": "repobility-ast-engine", "fingerprint": "5cb447f413f85ee2bbda3a29b66c11ef265943cdb30c6fc0f4a9594c80fa1273", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5cb447f413f85ee2bbda3a29b66c11ef265943cdb30c6fc0f4a9594c80fa1273"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/agent_loop_testing/agent_test.py"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41411, "scanner": "repobility-ast-engine", "fingerprint": "3231c23ed245b9142ea1291952c7148a44a8ee99b20390d5914a91efbdc58984", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3231c23ed245b9142ea1291952c7148a44a8ee99b20390d5914a91efbdc58984"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "demo/1_fleet_throughput.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41410, "scanner": "repobility-ast-engine", "fingerprint": "b981704ab7d2c168ce7fa27ca0e36d96aabd9973a8faaeff598c5e42c016b7d2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b981704ab7d2c168ce7fa27ca0e36d96aabd9973a8faaeff598c5e42c016b7d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "demo/1_fleet_throughput.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41402, "scanner": "repobility-ast-engine", "fingerprint": "3b9ba8d28f58c12269f0a7db487270c2d6db3dc0fdd5b1e6ec90cd7ca5f382d8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3b9ba8d28f58c12269f0a7db487270c2d6db3dc0fdd5b1e6ec90cd7ca5f382d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_tracing.py"}, "region": {"startLine": 265}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41401, "scanner": "repobility-ast-engine", "fingerprint": "96498efe4a91412e5b6706241c4fef2d2c0e7fd1452ba736f79ec8e3b78c21be", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|96498efe4a91412e5b6706241c4fef2d2c0e7fd1452ba736f79ec8e3b78c21be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_tracing.py"}, "region": {"startLine": 272}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41399, "scanner": "repobility-ast-engine", "fingerprint": "14ca49df101c5de2070e02dbef4e37cd87a3b36db5fde6e2f7b8a6685a74bb80", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|14ca49df101c5de2070e02dbef4e37cd87a3b36db5fde6e2f7b8a6685a74bb80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/android_rps_benchmark.py"}, "region": {"startLine": 424}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41398, "scanner": "repobility-ast-engine", "fingerprint": "03b5ce93c6cf815c4d831e4f25df4c14ab56a22f784fcb2b130151750ed8581f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|03b5ce93c6cf815c4d831e4f25df4c14ab56a22f784fcb2b130151750ed8581f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/android_rps_benchmark.py"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41397, "scanner": "repobility-ast-engine", "fingerprint": "43c26625928f6e01cf006f153094a06433fe4125ecf19ffb8781af8f8978814c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|43c26625928f6e01cf006f153094a06433fe4125ecf19ffb8781af8f8978814c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/cold_start_benchmark.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 41394, "scanner": "repobility-ast-engine", "fingerprint": "5dba6c6530e5013af119fb79fec8b5d717538fb3622b1965d387fc1b4a28000a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5dba6c6530e5013af119fb79fec8b5d717538fb3622b1965d387fc1b4a28000a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/android_rps_benchmark_local.py"}, "region": {"startLine": 184}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 41342, "scanner": "repobility-threat-engine", "fingerprint": "22b7c8a271644c0d52d3e6ceb4da353e1039192392f1c3d34255c932f4b75dd0", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|202|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/docs-generators/extract_python_docs.py"}, "region": {"startLine": 202}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 41340, "scanner": "repobility-threat-engine", "fingerprint": "125d6f960f99cededcc00a6a1aa07edfad26ba11dcaf5ed459c0630398e2f0b4", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(githubEditUrl, '_blank', 'noopener,noreferrer')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|70|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/components/doc-actions-menu.tsx"}, "region": {"startLine": 70}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `crawl_all` has cognitive complexity 18 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: and=1, break=1, for=2, if=4, nested_bonus=8, while=2."}, "properties": {"repobilityId": 41327, "scanner": "repobility-threat-engine", "fingerprint": "5ecea9318e5526687aebd3a1677e49c81b4cc1a9e0c8679617f465e59d20c609", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 18 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "crawl_all", "breakdown": {"if": 4, "and": 1, "for": 2, "break": 1, "while": 2, "nested_bonus": 8}, "complexity": 18, "correlation_key": "fp|5ecea9318e5526687aebd3a1677e49c81b4cc1a9e0c8679617f465e59d20c609"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/crawl_docs.py"}, "region": {"startLine": 176}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 5098, "scanner": "repobility-journey-contract", "fingerprint": "55ee0a951ef581a8d5aa0ecad58122862176ad986b5af4d62345a1c5f8cac1a3", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/job/{param}/output", "correlation_key": "fp|55ee0a951ef581a8d5aa0ecad58122862176ad986b5af4d62345a1c5f8cac1a3", "backend_endpoint_count": 3}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/www/environments.html"}, "region": {"startLine": 429}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 5097, "scanner": "repobility-journey-contract", "fingerprint": "488518324d33ff5c28062ed5f9df2d5bc1ac1becc33dec0b58db73a4604276ac", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/job/{param}/history", "correlation_key": "fp|488518324d33ff5c28062ed5f9df2d5bc1ac1becc33dec0b58db73a4604276ac", "backend_endpoint_count": 3}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/www/environments.html"}, "region": {"startLine": 394}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 5096, "scanner": "repobility-journey-contract", "fingerprint": "affce42b09bf545804830b98350f3dca32c73f6f47a0823ddf9697459de7e46a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/environments", "correlation_key": "fp|affce42b09bf545804830b98350f3dca32c73f6f47a0823ddf9697459de7e46a", "backend_endpoint_count": 3}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/www/environments.html"}, "region": {"startLine": 244}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 5095, "scanner": "repobility-journey-contract", "fingerprint": "2d8c7156b6f8bcf91daaafef805975e4be02aebfe73ddaaf1b376944108a2e8d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/job/{param}/output", "correlation_key": "fp|2d8c7156b6f8bcf91daaafef805975e4be02aebfe73ddaaf1b376944108a2e8d", "backend_endpoint_count": 3}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/www/environment-detail.html"}, "region": {"startLine": 751}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 5094, "scanner": "repobility-journey-contract", "fingerprint": "c521940e328913bb6f4029f373cc24f13b3e6a9cc702fd8919d8f30ccb1266ac", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/job/{param}/history", "correlation_key": "fp|c521940e328913bb6f4029f373cc24f13b3e6a9cc702fd8919d8f30ccb1266ac", "backend_endpoint_count": 3}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/www/environment-detail.html"}, "region": {"startLine": 715}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 5093, "scanner": "repobility-journey-contract", "fingerprint": "c0a33b64e19bff891dde2d9708857df2f0d4dfc2605583fe2e57b8d820d166b0", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/environments/{param}", "correlation_key": "fp|c0a33b64e19bff891dde2d9708857df2f0d4dfc2605583fe2e57b8d820d166b0", "backend_endpoint_count": 3}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/www/environment-detail.html"}, "region": {"startLine": 548}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 5092, "scanner": "repobility-journey-contract", "fingerprint": "32995e45bee37144db9537f0a51dc913d82f69f8a3d8082d98da26351c665750", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/environments/{param}/generate-preview", "correlation_key": "fp|32995e45bee37144db9537f0a51dc913d82f69f8a3d8082d98da26351c665750", "backend_endpoint_count": 3}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/www/environment-detail.html"}, "region": {"startLine": 500}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 5091, "scanner": "repobility-journey-contract", "fingerprint": "df1edac1e382bc7313581113159e1607992cfc9e9446882b1c0eb3267189eecb", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/environments/{param}/generate-dataset", "correlation_key": "fp|df1edac1e382bc7313581113159e1607992cfc9e9446882b1c0eb3267189eecb", "backend_endpoint_count": 3}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/www/environment-detail.html"}, "region": {"startLine": 457}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 5090, "scanner": "repobility-journey-contract", "fingerprint": "bb6f5db3a94ddebe5a52df4e927507915df5fca2fb466d52d5d4b6b434072e46", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/environments/{param}/run-benchmark", "correlation_key": "fp|bb6f5db3a94ddebe5a52df4e927507915df5fca2fb466d52d5d4b6b434072e46", "backend_endpoint_count": 3}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/www/environment-detail.html"}, "region": {"startLine": 420}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 5089, "scanner": "repobility-journey-contract", "fingerprint": "8a620c686f3361eff6e8f654d1c48e76f01da50f5b4c166272d5dc25ed4c0888", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/environments/{param}/open-explorer", "correlation_key": "fp|8a620c686f3361eff6e8f654d1c48e76f01da50f5b4c166272d5dc25ed4c0888", "backend_endpoint_count": 3}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/www/environment-detail.html"}, "region": {"startLine": 391}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 5088, "scanner": "repobility-journey-contract", "fingerprint": "e3dc7775d02d411b6b97fa58d80bca165c9d74c8cb2a6083154ae2e2ef9dd09a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/copilotkit", "correlation_key": "fp|e3dc7775d02d411b6b97fa58d80bca165c9d74c8cb2a6083154ae2e2ef9dd09a", "backend_endpoint_count": 3}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/lib/copilotkit-fetch-patch.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 5087, "scanner": "repobility-journey-contract", "fingerprint": "8a523c5a92fdd7ae7fb23f09f4338d5d3e3d5e15d57727caf8bcf9c61c641477", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/copilotkit", "correlation_key": "fp|8a523c5a92fdd7ae7fb23f09f4338d5d3e3d5e15d57727caf8bcf9c61c641477", "backend_endpoint_count": 3}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/app/api/copilotkit/route.ts"}, "region": {"startLine": 519}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 5086, "scanner": "repobility-journey-contract", "fingerprint": "78071a3f6b3da7304f8fc6e801aa8eb5944335c691666cf0459c138229c18536", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/copilotkit", "correlation_key": "fp|78071a3f6b3da7304f8fc6e801aa8eb5944335c691666cf0459c138229c18536", "backend_endpoint_count": 3}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/app/api/copilotkit/route.ts"}, "region": {"startLine": 509}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 5085, "scanner": "repobility-journey-contract", "fingerprint": "be0d15fb0be19d76521d83d7ca8f0243331ea7b6dfc3b0ba84ada7698aadc734", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/{param}/{param}", "correlation_key": "fp|be0d15fb0be19d76521d83d7ca8f0243331ea7b6dfc3b0ba84ada7698aadc734", "backend_endpoint_count": 3}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/app/(docs)/[...slug]/page.tsx"}, "region": {"startLine": 231}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 5084, "scanner": "repobility-journey-contract", "fingerprint": "0fcc24b226fa97e9e19ef95c5e0268aafef37bd97b07b7d1ab41819973adbafa", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/{param}", "correlation_key": "fp|0fcc24b226fa97e9e19ef95c5e0268aafef37bd97b07b7d1ab41819973adbafa", "backend_endpoint_count": 3}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/app/(docs)/[...slug]/page.tsx"}, "region": {"startLine": 230}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /llms.mdx/::...slug."}, "properties": {"repobilityId": 5083, "scanner": "repobility-access-control", "fingerprint": "9349513a399a801e9a26139a6326569379b4ce17308d9de109111d705684bbf9", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/llms.mdx/::...slug", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|docs/src/app/llms.mdx/ ...slug /route.ts|8|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/app/llms.mdx/[[...slug]]/route.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /cron/prompt-digest/route."}, "properties": {"repobilityId": 5082, "scanner": "repobility-access-control", "fingerprint": "37002893d4b4ecb75e05927b210f338fefb8a46840f1653b6095defc99bcc2e2", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/cron/prompt-digest/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|6|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/app/api/cron/prompt-digest/route.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /llms.txt."}, "properties": {"repobilityId": 5081, "scanner": "repobility-access-control", "fingerprint": "b98a4cb5dbb9e105c000d841619314c871797c273bf1844e69780b2a54480126", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/llms.txt", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|7|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/app/llms.txt/route.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 33.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 5080, "scanner": "repobility-access-control", "fingerprint": "428bba7e78ca5dadacd769b0ae359888a4bbbdef443ba24eb50394e8f889518f", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 3, "correlation_key": "fp|428bba7e78ca5dadacd769b0ae359888a4bbbdef443ba24eb50394e8f889518f", "auth_visible_percent": 33.3}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 5079, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Django", "Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 5060, "scanner": "repobility-docker", "fingerprint": "2d3272a7e9af1aa491a104b3bb670f916f157961d053f7969812c82f04be1c44", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "trycua/windows-local:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2d3272a7e9af1aa491a104b3bb670f916f157961d053f7969812c82f04be1c44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/qemu-docker/windows/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 5059, "scanner": "repobility-docker", "fingerprint": "922b2b6438c2e2797227a35dbd1629191a3e6e939743a41fb5f1d523065faf74", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "trycua/windows-local:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|922b2b6438c2e2797227a35dbd1629191a3e6e939743a41fb5f1d523065faf74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/qemu-docker/windows/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 5058, "scanner": "repobility-docker", "fingerprint": "6ae31ecee2fc871858fa85f050932ece668ca1464f19c47d95cd6a947a37c50d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "trycua/qemu-local:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6ae31ecee2fc871858fa85f050932ece668ca1464f19c47d95cd6a947a37c50d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/qemu-docker/linux/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 5057, "scanner": "repobility-docker", "fingerprint": "52b2c3a40a6e21307183a776146a7171e18de4b8e0bd747aa036329fb66d8d91", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "trycua/qemu-local:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|52b2c3a40a6e21307183a776146a7171e18de4b8e0bd747aa036329fb66d8d91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/qemu-docker/linux/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 5052, "scanner": "repobility-docker", "fingerprint": "b833b8de7f738aaccc14a9609aca0563bd3864f3dd51c294e91ed7da4b6eac6e", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:bullseye-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b833b8de7f738aaccc14a9609aca0563bd3864f3dd51c294e91ed7da4b6eac6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/lumier/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 5033, "scanner": "repobility-docker", "fingerprint": "6b74aa014b4a46ea1d3ee93e1be6a62f9cbac89b7cda5614c9cdacf8bf54b104", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.11-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6b74aa014b4a46ea1d3ee93e1be6a62f9cbac89b7cda5614c9cdacf8bf54b104"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/templates/agent/Dockerfile.template"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 5032, "scanner": "repobility-docker", "fingerprint": "51e1c75e6f8cce9b298f065af81e52345b3a06a84b7c71e863cc213f6be7ff3b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.12-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|51e1c75e6f8cce9b298f065af81e52345b3a06a84b7c71e863cc213f6be7ff3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/cli/templates/agent/Dockerfile.template"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 5031, "scanner": "repobility-docker", "fingerprint": "c9a6c00315f094a04810697b750c7592d6e87b4efd2174877a5acc0afee8757c", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c9a6c00315f094a04810697b750c7592d6e87b4efd2174877a5acc0afee8757c", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/cli/templates/agent/Dockerfile.template"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 5027, "scanner": "repobility-docker", "fingerprint": "bbddb30f89178c7f394f661014c4463818fa0d7143e3346dcf37c2b53e571e10", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.12-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bbddb30f89178c7f394f661014c4463818fa0d7143e3346dcf37c2b53e571e10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 5026, "scanner": "repobility-docker", "fingerprint": "4a8cc253d8f771cea683754c1216b9a6c93ee0754de2a51fc9505cf223d3a3c6", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|4a8cc253d8f771cea683754c1216b9a6c93ee0754de2a51fc9505cf223d3a3c6", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 5025, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "libs/cua-bench/tasks/winarena_adapter/assets/history_empty.sqlite", "size_mb": 0.2}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 5018, "scanner": "repobility-agent-runtime", "fingerprint": "653f6140da23d24d469312f4d1941d66df20a956de26c6234e96ca995f670eaf", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|653f6140da23d24d469312f4d1941d66df20a956de26c6234e96ca995f670eaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/docs-mcp-server/main.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 5017, "scanner": "repobility-agent-runtime", "fingerprint": "c18f456afcf727e807b30b079810bd6e0b686adfde0cefba1febb7cd48a5aa43", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|c18f456afcf727e807b30b079810bd6e0b686adfde0cefba1febb7cd48a5aa43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/content/docs/lume/reference/v0.2/http-api.mdx"}, "region": {"startLine": 25}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 5016, "scanner": "repobility-agent-runtime", "fingerprint": "51a9fbd0152ffecc1f26efe46cfe255e3f69ed6df9352bb08756d6a8944c0353", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|51a9fbd0152ffecc1f26efe46cfe255e3f69ed6df9352bb08756d6a8944c0353"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/content/docs/lume/reference/http-api.mdx"}, "region": {"startLine": 22}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 5015, "scanner": "repobility-agent-runtime", "fingerprint": "dded1e09cc516c712f7b7c8fa9c496d80b4982728960f26e0e1f22bec21190de", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|dded1e09cc516c712f7b7c8fa9c496d80b4982728960f26e0e1f22bec21190de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/content/docs/lume/examples/claude-code/sandbox.mdx"}, "region": {"startLine": 70}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 5014, "scanner": "repobility-agent-runtime", "fingerprint": "9995fa81adacce00fc088bad44669cb425bbce3595c97681f9768e780b6de118", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|9995fa81adacce00fc088bad44669cb425bbce3595c97681f9768e780b6de118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/content/docs/cua-driver/reference/cli-reference.mdx"}, "region": {"startLine": 21}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 5013, "scanner": "repobility-agent-runtime", "fingerprint": "80161e3be69846e37076bbf17cb513d0f5ca2f382a97cf3d4ce219f42e517a77", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|80161e3be69846e37076bbf17cb513d0f5ca2f382a97cf3d4ce219f42e517a77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/content/docs/cua/reference/mcp-server/installation.mdx"}, "region": {"startLine": 22}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 5012, "scanner": "repobility-agent-runtime", "fingerprint": "e4b1d3b23fb60a5b23ba999941d0af14b58d99ef91038bfde00277d6c0a3d036", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|e4b1d3b23fb60a5b23ba999941d0af14b58d99ef91038bfde00277d6c0a3d036"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/content/docs/cua/guide/sandbox/images.mdx"}, "region": {"startLine": 134}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 5011, "scanner": "repobility-agent-runtime", "fingerprint": "cd481fc23e0d3a699417fbdb3688239354c7a62e88ba28992fe773d4cec8861a", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|cd481fc23e0d3a699417fbdb3688239354c7a62e88ba28992fe773d4cec8861a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/content/docs/cua/guide/get-started/set-up-sandbox.mdx"}, "region": {"startLine": 38}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 5010, "scanner": "repobility-agent-runtime", "fingerprint": "41e0d73463e14768aa92e3e4cb670f5cc63358d24551f06340d3faa3a9c6feed", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|41e0d73463e14768aa92e3e4cb670f5cc63358d24551f06340d3faa3a9c6feed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blog/introducing-cua-cli.md"}, "region": {"startLine": 49}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 5009, "scanner": "repobility-agent-runtime", "fingerprint": "ea9b6a69a6677ac1f190d4017bdd96e1f470b6bb4c4e745bdbaf50b447a82bb7", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ea9b6a69a6677ac1f190d4017bdd96e1f470b6bb4c4e745bdbaf50b447a82bb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cd-ts-cli.yml"}, "region": {"startLine": 135}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41368, "scanner": "repobility-ai-code-hygiene", "fingerprint": "302c96512e4aa1720418ee0ee0703554e1d0f3e108e5b869d21821e61a6ad7ae", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/datasets/cua-bench-basic/click-button/main.py", "duplicate_line": 12, "correlation_key": "fp|302c96512e4aa1720418ee0ee0703554e1d0f3e108e5b869d21821e61a6ad7ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/datasets/cua-bench-basic/toggle-switch/main.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41367, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c4cd9bc0775796a3da878cfc5db1ef36cceb409aa783fec2107bc5ffcc444e37", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/datasets/cua-bench-basic/click-button/main.py", "duplicate_line": 12, "correlation_key": "fp|c4cd9bc0775796a3da878cfc5db1ef36cceb409aa783fec2107bc5ffcc444e37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/datasets/cua-bench-basic/spreadsheet-cell/main.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41366, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c75989413cdd6369efce63c4029a74f29e6b824ac88318e26314b30160bb1b51", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/datasets/cua-bench-basic/click-button/main.py", "duplicate_line": 12, "correlation_key": "fp|c75989413cdd6369efce63c4029a74f29e6b824ac88318e26314b30160bb1b51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/datasets/cua-bench-basic/select-dropdown/main.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41365, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c0045abcd08a86e235ef58996081b47beaa13ae8be57beb2c994d54e9699343d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/datasets/cua-bench-basic/drag-slider/main.py", "duplicate_line": 18, "correlation_key": "fp|c0045abcd08a86e235ef58996081b47beaa13ae8be57beb2c994d54e9699343d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/datasets/cua-bench-basic/select-dropdown/main.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41364, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cc53eab47e43680440ddb77d6e3a6c7d925714dd6b45853fef85ae0acb5a843d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/datasets/cua-bench-basic/click-button/main.py", "duplicate_line": 12, "correlation_key": "fp|cc53eab47e43680440ddb77d6e3a6c7d925714dd6b45853fef85ae0acb5a843d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/datasets/cua-bench-basic/right-click-menu/main.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41363, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9009b0e619dcad9cb705ed7a637a064661db2afd2960b06d0dac3af6998872d9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/datasets/cua-bench-basic/drag-slider/main.py", "duplicate_line": 18, "correlation_key": "fp|9009b0e619dcad9cb705ed7a637a064661db2afd2960b06d0dac3af6998872d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/datasets/cua-bench-basic/right-click-menu/main.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41362, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8c322fc051df0d79ccd29f9aeefed00fee18f7666e7a6d0b8b3241ed07ae25bd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/datasets/cua-bench-basic/click-button/main.py", "duplicate_line": 12, "correlation_key": "fp|8c322fc051df0d79ccd29f9aeefed00fee18f7666e7a6d0b8b3241ed07ae25bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/datasets/cua-bench-basic/drag-slider/main.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41361, "scanner": "repobility-ai-code-hygiene", "fingerprint": "091e8d7c0f5ae29046a37829cc327131a4044ae11196e8f8e72de9ced96c1037", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/datasets/cua-bench-basic/click-button/main.py", "duplicate_line": 12, "correlation_key": "fp|091e8d7c0f5ae29046a37829cc327131a4044ae11196e8f8e72de9ced96c1037"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/datasets/cua-bench-basic/drag-drop/main.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41360, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3d2a618109dc44eeabb048c4ec14d3f91240bb922057f686ec5c41bed1bb1fab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/datasets/cua-bench-basic/click-button/main.py", "duplicate_line": 12, "correlation_key": "fp|3d2a618109dc44eeabb048c4ec14d3f91240bb922057f686ec5c41bed1bb1fab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/datasets/cua-bench-basic/date-picker/main.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41359, "scanner": "repobility-ai-code-hygiene", "fingerprint": "06377a5360d2571af7bf0934df8e4d23fad655cc9cb76b7c789e175b4d472914", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/datasets/cua-bench-basic/click-button/main.py", "duplicate_line": 12, "correlation_key": "fp|06377a5360d2571af7bf0934df8e4d23fad655cc9cb76b7c789e175b4d472914"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/datasets/cua-bench-basic/color-picker/main.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41358, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b399bf0fbb1ea70885596a98baa2b6487c04f83e7b41e47412876a83963c0ad4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/datasets/cua-bench-basic/click-icon/main.py", "duplicate_line": 23, "correlation_key": "fp|b399bf0fbb1ea70885596a98baa2b6487c04f83e7b41e47412876a83963c0ad4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/datasets/cua-bench-basic/color-picker/main.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41357, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ca962005183e1cc4e09cc19da02e92a5c6c172c7f4a77a850948e86b8105cd29", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/datasets/cua-bench-basic/click-button/main.py", "duplicate_line": 12, "correlation_key": "fp|ca962005183e1cc4e09cc19da02e92a5c6c172c7f4a77a850948e86b8105cd29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/datasets/cua-bench-basic/click-icon/main.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41356, "scanner": "repobility-ai-code-hygiene", "fingerprint": "36ffc2b08ccb8f63659b0ce2c16ce6e0f1715ee728b60e8a4663ccf4eb8834c2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/cua_bench/__init__.py", "duplicate_line": 16, "correlation_key": "fp|36ffc2b08ccb8f63659b0ce2c16ce6e0f1715ee728b60e8a4663ccf4eb8834c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/workers/worker_server.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41355, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8f9c570c6d846632a77d625b640084a81e657e9cabd438348adec9f0f3b90626", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/cua_bench/actions.py", "duplicate_line": 3, "correlation_key": "fp|8f9c570c6d846632a77d625b640084a81e657e9cabd438348adec9f0f3b90626"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/workers/worker_server.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41354, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2fe7d09ad8065309bebcecdb131edd96f1cb170520a0e96d4e85ae0169352658", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/cua_bench/processors/aguvis_stage_1.py", "duplicate_line": 201, "correlation_key": "fp|2fe7d09ad8065309bebcecdb131edd96f1cb170520a0e96d4e85ae0169352658"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/processors/gui_r1.py"}, "region": {"startLine": 150}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41353, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f636b5b9a1e98c34e9e9939ced087faa3377b047428969fa86ee89325c2d5450", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/cua_bench/computers/webtop.py", "duplicate_line": 443, "correlation_key": "fp|f636b5b9a1e98c34e9e9939ced087faa3377b047428969fa86ee89325c2d5450"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/desktop.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41352, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d443bf6809ec0ce10e8fcbeb7490dcad83ae7bd8bbb9796dedca053f8a4bab8c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/cua_bench/__init__.py", "duplicate_line": 17, "correlation_key": "fp|d443bf6809ec0ce10e8fcbeb7490dcad83ae7bd8bbb9796dedca053f8a4bab8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/computers/webtop.py"}, "region": {"startLine": 276}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 41351, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0c25bd8f3c54b8fc5d2aa88230bd79636a55232a5d64d382f36e36f3d4ed813d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/cua_bench/agents/gemini.py", "duplicate_line": 221, "correlation_key": "fp|0c25bd8f3c54b8fc5d2aa88230bd79636a55232a5d64d382f36e36f3d4ed813d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/computers/webtop.py"}, "region": {"startLine": 275}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `crawl_page` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=1, except=1, for=1, if=2, nested_bonus=5, ternary=2."}, "properties": {"repobilityId": 41328, "scanner": "repobility-threat-engine", "fingerprint": "8c2f946d17fd6381c8b4752e04781d83b4fc6f70ebfa662e831b95908a5e7ca5", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 12 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "crawl_page", "breakdown": {"if": 2, "for": 1, "else": 1, "except": 1, "ternary": 2, "nested_bonus": 5}, "complexity": 12, "correlation_key": "fp|8c2f946d17fd6381c8b4752e04781d83b4fc6f70ebfa662e831b95908a5e7ca5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/crawl_docs.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: except=4, if=3, nested_bonus=2."}, "properties": {"repobilityId": 41326, "scanner": "repobility-threat-engine", "fingerprint": "9f86d8b07e31a70705e310142a9cd80365b6d6363bb33b608a585ee6071c8617", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 3, "except": 4, "nested_bonus": 2}, "complexity": 9, "correlation_key": "fp|9f86d8b07e31a70705e310142a9cd80365b6d6363bb33b608a585ee6071c8617"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/get_pyproject_version.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 5077, "scanner": "repobility-docker", "fingerprint": "951f2af234ea220de5e2d66edeb90be0a0f371d71c73014d555ecd01ca2cb7e1", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|951f2af234ea220de5e2d66edeb90be0a0f371d71c73014d555ecd01ca2cb7e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/xfce/Dockerfile.dev"}, "region": {"startLine": 147}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 5076, "scanner": "repobility-docker", "fingerprint": "88fa9e22abffb548b069ec309864621a0c5be4d2e6616529e74e523c74a2e712", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|88fa9e22abffb548b069ec309864621a0c5be4d2e6616529e74e523c74a2e712"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/xfce/Dockerfile.dev"}, "region": {"startLine": 143}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 5075, "scanner": "repobility-docker", "fingerprint": "894b7f4b4eae55a5911aa11a6843751b52e9f39300c3d3225894db86f721eae1", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|894b7f4b4eae55a5911aa11a6843751b52e9f39300c3d3225894db86f721eae1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/xfce/Dockerfile.dev"}, "region": {"startLine": 131}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 5074, "scanner": "repobility-docker", "fingerprint": "75664c55830ddff84da66d9face61af02b7df6575338f01663ff966fb0abfea1", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|75664c55830ddff84da66d9face61af02b7df6575338f01663ff966fb0abfea1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/xfce/Dockerfile.dev"}, "region": {"startLine": 127}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 5073, "scanner": "repobility-docker", "fingerprint": "54caacf71d38d6d80446ed4efc750146b8dd352573cc56c04b088b2b69aa77d3", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|54caacf71d38d6d80446ed4efc750146b8dd352573cc56c04b088b2b69aa77d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/xfce/Dockerfile.dev"}, "region": {"startLine": 106}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 5072, "scanner": "repobility-docker", "fingerprint": "47a3c4b2bf5b955b20a95f79d8fe4880e1ec7782f38baa5a5f994b316c3ade35", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|47a3c4b2bf5b955b20a95f79d8fe4880e1ec7782f38baa5a5f994b316c3ade35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/xfce/Dockerfile.dev"}, "region": {"startLine": 79}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 5071, "scanner": "repobility-docker", "fingerprint": "36e1b26b5adc79e9f32ea002da69a4cd76d726d2e5ad51ebc93879854ce70670", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|36e1b26b5adc79e9f32ea002da69a4cd76d726d2e5ad51ebc93879854ce70670"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/xfce/Dockerfile.dev"}, "region": {"startLine": 79}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 5070, "scanner": "repobility-docker", "fingerprint": "758bf7424366e4a12b22cf823766952391de34cce630c72ffbe64a8bc09ab1a3", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|758bf7424366e4a12b22cf823766952391de34cce630c72ffbe64a8bc09ab1a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/xfce/Dockerfile.dev"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 5068, "scanner": "repobility-docker", "fingerprint": "15b04fafda45dad532f623aacb0f6b271aead2344a3a8a4c24e7551eccd7de4f", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|15b04fafda45dad532f623aacb0f6b271aead2344a3a8a4c24e7551eccd7de4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/xfce/Dockerfile"}, "region": {"startLine": 147}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 5067, "scanner": "repobility-docker", "fingerprint": "b32a964125ad24d11f6b6d5dc5c42777a2c23758b77cb91387b96ccdc4780fb0", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|b32a964125ad24d11f6b6d5dc5c42777a2c23758b77cb91387b96ccdc4780fb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/xfce/Dockerfile"}, "region": {"startLine": 143}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 5066, "scanner": "repobility-docker", "fingerprint": "44d91d225d35f60835ed014c1411beffa32cfc6c3fbf3170b672e99146bf6261", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|44d91d225d35f60835ed014c1411beffa32cfc6c3fbf3170b672e99146bf6261"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/xfce/Dockerfile"}, "region": {"startLine": 131}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 5065, "scanner": "repobility-docker", "fingerprint": "57aad6736368d003e520aa1b45a7f974685667fe6073c6f2531c8d6a9bf13e13", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|57aad6736368d003e520aa1b45a7f974685667fe6073c6f2531c8d6a9bf13e13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/xfce/Dockerfile"}, "region": {"startLine": 128}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 5064, "scanner": "repobility-docker", "fingerprint": "ae645a088b030d4eefd485dfdcb7366a2dd70ceea4524e4b9762eb4da77b8f0a", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ae645a088b030d4eefd485dfdcb7366a2dd70ceea4524e4b9762eb4da77b8f0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/xfce/Dockerfile"}, "region": {"startLine": 108}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 5063, "scanner": "repobility-docker", "fingerprint": "477fe496f7656a7446d57ab9a991eceebed298d71d31df74da63ce3236c4561e", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|477fe496f7656a7446d57ab9a991eceebed298d71d31df74da63ce3236c4561e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/xfce/Dockerfile"}, "region": {"startLine": 79}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 5062, "scanner": "repobility-docker", "fingerprint": "22bae03176ff35a76458838873d955fd158449c0d577ecfa6a88721b898d38c0", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|22bae03176ff35a76458838873d955fd158449c0d577ecfa6a88721b898d38c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/xfce/Dockerfile"}, "region": {"startLine": 79}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 5061, "scanner": "repobility-docker", "fingerprint": "a3de481a9a1a90b4796a33fa57dea7aff2c5e480b654d3eadc023a9258e77914", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a3de481a9a1a90b4796a33fa57dea7aff2c5e480b654d3eadc023a9258e77914"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/xfce/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 5055, "scanner": "repobility-docker", "fingerprint": "0bc9116248c06b05b6d3892aeac1991a2b83fe3055b0949192fb2d283e78fc44", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0bc9116248c06b05b6d3892aeac1991a2b83fe3055b0949192fb2d283e78fc44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/qemu-docker/android/Dockerfile"}, "region": {"startLine": 43}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 5054, "scanner": "repobility-docker", "fingerprint": "4270f301f5c0fdd8741319917c9639da17ecb1fef18aeaaf924037ffd3159c86", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4270f301f5c0fdd8741319917c9639da17ecb1fef18aeaaf924037ffd3159c86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/qemu-docker/android/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 5053, "scanner": "repobility-docker", "fingerprint": "5c75adc355e6ea6dd3b7aceaf7e913a53f85ddcfb7706a9e5395934019f9dc98", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|5c75adc355e6ea6dd3b7aceaf7e913a53f85ddcfb7706a9e5395934019f9dc98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/qemu-docker/android/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 5051, "scanner": "repobility-docker", "fingerprint": "b26fef13b15e8bcc1dcfd123bae70fa72202e9411cc57dfc2968b68ad4af7a25", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b26fef13b15e8bcc1dcfd123bae70fa72202e9411cc57dfc2968b68ad4af7a25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/lumier/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 5050, "scanner": "repobility-docker", "fingerprint": "b0c733bf38c111cbc03e2c336dfd16e6838d514670cd5ed24f3d6412405578c6", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|b0c733bf38c111cbc03e2c336dfd16e6838d514670cd5ed24f3d6412405578c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/kasm/Dockerfile"}, "region": {"startLine": 68}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 5049, "scanner": "repobility-docker", "fingerprint": "80abcd9b000de1138e46525c7ef294097d5f1b7238cf0624af014cfe92930a75", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|80abcd9b000de1138e46525c7ef294097d5f1b7238cf0624af014cfe92930a75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/kasm/Dockerfile"}, "region": {"startLine": 58}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 5048, "scanner": "repobility-docker", "fingerprint": "eaa0169a13396f2f9acb677dca08aa077ce2e6f8fa4756ff5c60f1ca0e22cdb0", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|eaa0169a13396f2f9acb677dca08aa077ce2e6f8fa4756ff5c60f1ca0e22cdb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/kasm/Dockerfile"}, "region": {"startLine": 55}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 5047, "scanner": "repobility-docker", "fingerprint": "8272dbb463918ec11897d6f7415fae6b0b35e68fb0b05b0bf84d233d092c8fb9", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|8272dbb463918ec11897d6f7415fae6b0b35e68fb0b05b0bf84d233d092c8fb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/kasm/Dockerfile"}, "region": {"startLine": 52}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 5046, "scanner": "repobility-docker", "fingerprint": "a8d1a3875aa4a1c35a4de726841fb0942909916c1ad7cd9f540bdc1572464594", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a8d1a3875aa4a1c35a4de726841fb0942909916c1ad7cd9f540bdc1572464594"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/kasm/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 5042, "scanner": "repobility-docker", "fingerprint": "7c2e672c3b669b88ab5ffa1ae879e6b1b5c622f1b75069dd6f39b867920aed25", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7c2e672c3b669b88ab5ffa1ae879e6b1b5c622f1b75069dd6f39b867920aed25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/Dockerfile"}, "region": {"startLine": 122}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 5041, "scanner": "repobility-docker", "fingerprint": "f0510d911218583e65bbb1f9a9c39e4c8ed2cd46cd7d3dfd3f23a6bb029dc95d", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f0510d911218583e65bbb1f9a9c39e4c8ed2cd46cd7d3dfd3f23a6bb029dc95d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/Dockerfile"}, "region": {"startLine": 106}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 5040, "scanner": "repobility-docker", "fingerprint": "b3f5810cbcd4875adaf7edb9b75ba23833de5a567f7402de3b164909565d0cad", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b3f5810cbcd4875adaf7edb9b75ba23833de5a567f7402de3b164909565d0cad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/Dockerfile"}, "region": {"startLine": 42}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 5039, "scanner": "repobility-docker", "fingerprint": "617aa7861e648c88fa8f288647425029e9e84e48b57966c7dba8b4070d0008cb", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|617aa7861e648c88fa8f288647425029e9e84e48b57966c7dba8b4070d0008cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 5038, "scanner": "repobility-docker", "fingerprint": "1c85ea5bba8a1f11cf107665a60c6b148b7e8801f172367dde9a10da4a4eeda3", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|1c85ea5bba8a1f11cf107665a60c6b148b7e8801f172367dde9a10da4a4eeda3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 5037, "scanner": "repobility-docker", "fingerprint": "32f163cc6395c62489605642e154caade3b5d5a67e0348ecf45c828fe00d582a", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|32f163cc6395c62489605642e154caade3b5d5a67e0348ecf45c828fe00d582a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/Dockerfile"}, "region": {"startLine": 26}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 5036, "scanner": "repobility-docker", "fingerprint": "5f6347b5c1d6578f4b19a7b8d8bd979cd67815d91d928b6f475b7e900b249c32", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|5f6347b5c1d6578f4b19a7b8d8bd979cd67815d91d928b6f475b7e900b249c32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/Dockerfile"}, "region": {"startLine": 26}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 5035, "scanner": "repobility-docker", "fingerprint": "8f3e30cdc260afaf702e2126a408e41e851e7705c0b9c34c693c3839057dda95", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8f3e30cdc260afaf702e2126a408e41e851e7705c0b9c34c693c3839057dda95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 5034, "scanner": "repobility-docker", "fingerprint": "8c7ed8614f14b48a1a2eec2c32bf2cfaa0a2ab192b194f94b4b15aba2f74bd99", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|8c7ed8614f14b48a1a2eec2c32bf2cfaa0a2ab192b194f94b4b15aba2f74bd99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 5029, "scanner": "repobility-docker", "fingerprint": "a7a1edcf5c0a1aea70473b9ce05cb1ff6278c7c12e1ac525546291c0eaa20442", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|a7a1edcf5c0a1aea70473b9ce05cb1ff6278c7c12e1ac525546291c0eaa20442"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/docs-mcp-server/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 5028, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5008, "scanner": "repobility-ai-code-hygiene", "fingerprint": "250695394df81a68fcc519e00be808864f9586f959b39c786775a838b59ab843", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/cua_bench/computers/base.py", "duplicate_line": 85, "correlation_key": "fp|250695394df81a68fcc519e00be808864f9586f959b39c786775a838b59ab843"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/computers/webtop.py"}, "region": {"startLine": 159}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5007, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7877427d75eae7d25a0a5a4eb60e415275a71a96a00b61b9ec7d2549405c8f36", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/cua_bench/computers/base.py", "duplicate_line": 85, "correlation_key": "fp|7877427d75eae7d25a0a5a4eb60e415275a71a96a00b61b9ec7d2549405c8f36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/computers/remote.py"}, "region": {"startLine": 244}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5006, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f6c0926e0374b97c6bd3fd66e69760adef66ffcd0a22d43f737ee783034119d8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/cua_bench/apps/calendar.py", "duplicate_line": 230, "correlation_key": "fp|f6c0926e0374b97c6bd3fd66e69760adef66ffcd0a22d43f737ee783034119d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/apps/reminders.py"}, "region": {"startLine": 209}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5005, "scanner": "repobility-ai-code-hygiene", "fingerprint": "85807dcbdbeb96b4e0e5a4173f7bdd16fb07d5e1b5557e835a96995b900180b7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/cua_bench/apps/calendar.py", "duplicate_line": 257, "correlation_key": "fp|85807dcbdbeb96b4e0e5a4173f7bdd16fb07d5e1b5557e835a96995b900180b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/apps/notes.py"}, "region": {"startLine": 172}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5004, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e930988492ff6e49a4f6b59fee8472c6a1e2f27e1d9d3765c778277d010ac530", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/cua_bench/agents/qwen35_agent.py", "duplicate_line": 129, "correlation_key": "fp|e930988492ff6e49a4f6b59fee8472c6a1e2f27e1d9d3765c778277d010ac530"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/agents/qwen3vl_agent.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5003, "scanner": "repobility-ai-code-hygiene", "fingerprint": "67812b8b3eb4a64a6101ff148e855bee4a3f22a50a5b7cdf03620f4c4498e719", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/cua_bench/agents/opencua_agent.py", "duplicate_line": 45, "correlation_key": "fp|67812b8b3eb4a64a6101ff148e855bee4a3f22a50a5b7cdf03620f4c4498e719"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/agents/qwen3vl_agent.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5002, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b38808f49b45f33f97331cc9b840256506648bcc8c506ca82c574372fe6873e0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/cua_bench/agents/cua_agent.py", "duplicate_line": 5, "correlation_key": "fp|b38808f49b45f33f97331cc9b840256506648bcc8c506ca82c574372fe6873e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/agents/qwen3vl_agent.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5001, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b51d182733b62fead089f5a5bc75a7c6c2ca743912ea27c043dbc890ad28beb6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/cua_bench/agents/opencua_agent.py", "duplicate_line": 45, "correlation_key": "fp|b51d182733b62fead089f5a5bc75a7c6c2ca743912ea27c043dbc890ad28beb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/agents/qwen35_agent.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5000, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e433b858099ce00cdb8df5a70c5f976ec85fac8ab7ae3a640d3ce83b186f4c33", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/cua_bench/agents/cua_agent.py", "duplicate_line": 5, "correlation_key": "fp|e433b858099ce00cdb8df5a70c5f976ec85fac8ab7ae3a640d3ce83b186f4c33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/agents/qwen35_agent.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4999, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fa7c5ba0f21ba2e13a4a6bad5f85d41dc100d665d94b9117622a68f662bb4a5e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/cua_bench/agents/cua_agent.py", "duplicate_line": 5, "correlation_key": "fp|fa7c5ba0f21ba2e13a4a6bad5f85d41dc100d665d94b9117622a68f662bb4a5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/agents/opencua_agent.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4998, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f7e607a9a08fe3856d1a7e91fd6fe17b7260869d5888f295e747fdb92912fa63", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/cua_bench/__init__.py", "duplicate_line": 17, "correlation_key": "fp|f7e607a9a08fe3856d1a7e91fd6fe17b7260869d5888f295e747fdb92912fa63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/agents/gemini.py"}, "region": {"startLine": 222}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4997, "scanner": "repobility-ai-code-hygiene", "fingerprint": "274065f2ecea36a9a198eb8dbe7c30631e694ff132e2cc5496110f31b4505ed1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/cua-bench/cua_bench/__init__.py", "duplicate_line": 16, "correlation_key": "fp|274065f2ecea36a9a198eb8dbe7c30631e694ff132e2cc5496110f31b4505ed1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/actions.py"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 41350, "scanner": "repobility-threat-engine", "fingerprint": "b35679655a88cdc998a6079685258259fa1037d4221f9539685dcbf944d1bd36", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b35679655a88cdc998a6079685258259fa1037d4221f9539685dcbf944d1bd36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/playground.sh"}, "region": {"startLine": 209}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 41349, "scanner": "repobility-threat-engine", "fingerprint": "85fe2618037570c3f873413b2a6893bf61c3c4c2760fc64221b76a27d5f62e62", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|85fe2618037570c3f873413b2a6893bf61c3c4c2760fc64221b76a27d5f62e62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/playground.sh"}, "region": {"startLine": 268}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 41344, "scanner": "repobility-threat-engine", "fingerprint": "df75f2873c856bc1f785f34f0f7f91fbd4d11222341533001d6e0880ef1d255a", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "print(\"\\n\u274c CUA_API_KEY not found in .env.local file.\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|scripts/playground.sh|26|print n cua_api_key not found in .env.local file."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/playground.sh"}, "region": {"startLine": 268}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 41343, "scanner": "repobility-threat-engine", "fingerprint": "dbaa0d0389c420786a3ce7d2226595c67f20c25cbe47ebd86abd6b20854ebcc8", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log('\\nAvailable libraries:', Object.keys(config.generators)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|9|console.log navailable libraries: object.keys config.generators"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/docs-generators/runner.ts"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 41341, "scanner": "repobility-threat-engine", "fingerprint": "a6bd37539b30b991db2f646c9b52868e55ff942e060de4ef5c435121780be1f8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a6bd37539b30b991db2f646c9b52868e55ff942e060de4ef5c435121780be1f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/components/iou.tsx"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 41339, "scanner": "repobility-threat-engine", "fingerprint": "daaf044437d084230c6e6eee7ed34f53c83bea41bfe4ec98776ac638ffce7a96", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|daaf044437d084230c6e6eee7ed34f53c83bea41bfe4ec98776ac638ffce7a96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/components/mermaid.tsx"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 41338, "scanner": "repobility-threat-engine", "fingerprint": "430dec180316a336bfa1da2a79bc08e9ac002ef9f91e2c5359bc6270c5e01ea0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|430dec180316a336bfa1da2a79bc08e9ac002ef9f91e2c5359bc6270c5e01ea0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/app/layout.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 41337, "scanner": "repobility-threat-engine", "fingerprint": "95b901eeba36f2da033b57fce497dcd102f57cb0c42904c7484ae751933deaaf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|95b901eeba36f2da033b57fce497dcd102f57cb0c42904c7484ae751933deaaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/generate_sqlite.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 41336, "scanner": "repobility-threat-engine", "fingerprint": "616a737d019ae97f53e0426cdc95b2538ef7f9404ddcccfa97846cbdfe3982a9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|616a737d019ae97f53e0426cdc95b2538ef7f9404ddcccfa97846cbdfe3982a9", "aggregated_count": 5}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 41335, "scanner": "repobility-threat-engine", "fingerprint": "1a276d48546a03265947588d7420f19b88ead1a33d663b2f9b172771a4b43d60", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1a276d48546a03265947588d7420f19b88ead1a33d663b2f9b172771a4b43d60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/components/doc-actions-menu.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 41334, "scanner": "repobility-threat-engine", "fingerprint": "64e0559b9baf59f8e0913b50f0e4e6a7ad1788c3ae3bb3f787102e0e179ba297", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|64e0559b9baf59f8e0913b50f0e4e6a7ad1788c3ae3bb3f787102e0e179ba297"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/app/api/cron/prompt-digest/route.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 41333, "scanner": "repobility-threat-engine", "fingerprint": "98b50ea003deaeeff13f88c27a70369dad096f13723518213d3fa6efae4c0cc4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|98b50ea003deaeeff13f88c27a70369dad096f13723518213d3fa6efae4c0cc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/check-links.ts"}, "region": {"startLine": 96}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 41329, "scanner": "repobility-threat-engine", "fingerprint": "8d1502acd42cce6119d839e48acbcfd7f61fd37700295976e1fa3a0ac15210ab", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 3, "except": 4, "nested_bonus": 2}, "aggregated": true, "complexity": 9, "correlation_key": "fp|8d1502acd42cce6119d839e48acbcfd7f61fd37700295976e1fa3a0ac15210ab", "aggregated_count": 11}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 5024, "scanner": "repobility-threat-engine", "fingerprint": "438a44bfa98f29daaaf6cfc4289afaeadc7232ef118b27d8a069405850d5bc0a", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|261|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/providers/copilotkit-provider.tsx"}, "region": {"startLine": 261}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 5022, "scanner": "repobility-threat-engine", "fingerprint": "501876d43fbaf15c6d4055194dcce53c187c4dbbef78a664b67e46162788cb51", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|501876d43fbaf15c6d4055194dcce53c187c4dbbef78a664b67e46162788cb51"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 5021, "scanner": "repobility-threat-engine", "fingerprint": "4d99153529522c23879a626376754631882c8c63765d95631c72d8276edda9d1", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log(`\\n\ud83d\udce6 ${config.displayName}`)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|13|console.log n config.displayname"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/docs-generators/generate-versioned-docs.ts"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 5020, "scanner": "repobility-threat-engine", "fingerprint": "d92c180a03ae539dcd5082270ee82d7dd98830ba7eef744565e1710640d2dd4d", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log(`\ud83d\udcd6 Processing ${config.displayName}...`)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|14|console.log processing config.displayname ..."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/docs-generators/typescript-sdk.ts"}, "region": {"startLine": 142}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 5019, "scanner": "repobility-threat-engine", "fingerprint": "f47625f6937d9df7c19251af12ba68455290d30689c28d52605fdc408ef9963d", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "print(\"Warning: No GITHUB_TOKEN found\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|docs/scripts/modal_app.py|103|print warning: no github_token found"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/modal_app.py"}, "region": {"startLine": 1033}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41548, "scanner": "repobility-supply-chain", "fingerprint": "31c17d1c16ec3c3f7824603a0c295f54480cf4c431411c05eb7068688165782a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|31c17d1c16ec3c3f7824603a0c295f54480cf4c431411c05eb7068688165782a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cd-swift-cua-driver.yml"}, "region": {"startLine": 239}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41547, "scanner": "repobility-supply-chain", "fingerprint": "8a265bd43c440f80d1186d6d5a1486597744aca02936ccc2271125fc2de60378", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8a265bd43c440f80d1186d6d5a1486597744aca02936ccc2271125fc2de60378"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cd-swift-cua-driver.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pdm-project/setup-pdm` pinned to mutable ref `@v3`: `uses: pdm-project/setup-pdm@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41546, "scanner": "repobility-supply-chain", "fingerprint": "b76f2a33cdd8aa6438c5debcffd99bbd213ca85b623abb6e7c4df3b334af709a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b76f2a33cdd8aa6438c5debcffd99bbd213ca85b623abb6e7c4df3b334af709a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/py-reusable-publish.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v4`: `uses: actions/setup-python@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41545, "scanner": "repobility-supply-chain", "fingerprint": "f8a30f55b8ca293418356a58ec029007dc36130054af80395c949a074eb25010", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f8a30f55b8ca293418356a58ec029007dc36130054af80395c949a074eb25010"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/py-reusable-publish.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41544, "scanner": "repobility-supply-chain", "fingerprint": "6600a1fbd67afc9a2d56817b5e8fe608ebef7614476f6045ad0fc26a1797ed9f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6600a1fbd67afc9a2d56817b5e8fe608ebef7614476f6045ad0fc26a1797ed9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/py-reusable-publish.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v4`: `uses: actions/setup-python@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41543, "scanner": "repobility-supply-chain", "fingerprint": "38f5d15f533fb8ec0ea477f4c0301b12afb326a3115c782bc13bd44f99fa10a1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|38f5d15f533fb8ec0ea477f4c0301b12afb326a3115c782bc13bd44f99fa10a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cd-py-mcp-server.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41542, "scanner": "repobility-supply-chain", "fingerprint": "665f02e2ba1f360c838dd493a56aee1ea9f37ae0030d00d8df114fee0c049969", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|665f02e2ba1f360c838dd493a56aee1ea9f37ae0030d00d8df114fee0c049969"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cd-py-mcp-server.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41541, "scanner": "repobility-supply-chain", "fingerprint": "0002f8ea6415466216ee962cbd8a4ecc96662f23484629c5d1bc82669db7bd9e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0002f8ea6415466216ee962cbd8a4ecc96662f23484629c5d1bc82669db7bd9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cd-ts-core.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41540, "scanner": "repobility-supply-chain", "fingerprint": "ad6383b8ca9346f05287e00878bb5a4257fba994c18f725dd1fe73adfb16b8e3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad6383b8ca9346f05287e00878bb5a4257fba994c18f725dd1fe73adfb16b8e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-reusable-publish.yml"}, "region": {"startLine": 200}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41539, "scanner": "repobility-supply-chain", "fingerprint": "d1305986c9fcb101c81ebe827251c9fc75e14307c3b90c8d8a2b7743fc0b615a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d1305986c9fcb101c81ebe827251c9fc75e14307c3b90c8d8a2b7743fc0b615a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-reusable-publish.yml"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41538, "scanner": "repobility-supply-chain", "fingerprint": "ad043d9f9d1bf8b31a336ec60445f7e5ebf3e911efecae2dd41c4ee6ce0b2ad0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad043d9f9d1bf8b31a336ec60445f7e5ebf3e911efecae2dd41c4ee6ce0b2ad0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-reusable-publish.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41537, "scanner": "repobility-supply-chain", "fingerprint": "8bad5d0239428c8b5252fcba1992ddd817db747aca22ee1852cc6054156db199", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8bad5d0239428c8b5252fcba1992ddd817db747aca22ee1852cc6054156db199"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cd-py-core.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41536, "scanner": "repobility-supply-chain", "fingerprint": "578d8f77b19e03d2982d344cf7e840f79bbdf27521ced367539dbb746ae40542", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|578d8f77b19e03d2982d344cf7e840f79bbdf27521ced367539dbb746ae40542"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ts-reusable-build.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41535, "scanner": "repobility-supply-chain", "fingerprint": "6ac37aebde4c44ff47f7b48dbb746294fa13e5309c31b69b64ffccfb3753a5be", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6ac37aebde4c44ff47f7b48dbb746294fa13e5309c31b69b64ffccfb3753a5be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ts-reusable-build.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41534, "scanner": "repobility-supply-chain", "fingerprint": "9527fe2164d12ce0f7d37fe2564a79e1cf4bd9ae1cd31ced8f76a5ec7c5c5a41", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9527fe2164d12ce0f7d37fe2564a79e1cf4bd9ae1cd31ced8f76a5ec7c5c5a41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ts-reusable-build.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41533, "scanner": "repobility-supply-chain", "fingerprint": "ef40c3636e9a16964e7dc446b01b19c8f74928a6c9c57fa98dcb9b15d6784024", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ef40c3636e9a16964e7dc446b01b19c8f74928a6c9c57fa98dcb9b15d6784024"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ts-reusable-build.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41532, "scanner": "repobility-supply-chain", "fingerprint": "3804ac3e5bce5342c56c4717cf6b90791fb78763a18e5be89f443a1ed4da1072", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3804ac3e5bce5342c56c4717cf6b90791fb78763a18e5be89f443a1ed4da1072"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cd-ts-cuabot.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41531, "scanner": "repobility-supply-chain", "fingerprint": "7082df1290cc23ba161a11619d46c233c683708d762162b974ef7d0b0d02ac30", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7082df1290cc23ba161a11619d46c233c683708d762162b974ef7d0b0d02ac30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-auto-fix.yml"}, "region": {"startLine": 361}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41530, "scanner": "repobility-supply-chain", "fingerprint": "0849167e32b7eeda64a28a47c3bc89c3b340440c9b151a92f476bc7ef8dcebf9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0849167e32b7eeda64a28a47c3bc89c3b340440c9b151a92f476bc7ef8dcebf9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-auto-fix.yml"}, "region": {"startLine": 196}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41529, "scanner": "repobility-supply-chain", "fingerprint": "3b95ee88960b8cc936fa4cee719649596c4b0c67ba7e6a04e424de4e6721ae86", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3b95ee88960b8cc936fa4cee719649596c4b0c67ba7e6a04e424de4e6721ae86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-auto-fix.yml"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41528, "scanner": "repobility-supply-chain", "fingerprint": "b1f728559ea0e6640b5989a324c7d9397b9ff63d22d13b3f82ae96a92750edb1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b1f728559ea0e6640b5989a324c7d9397b9ff63d22d13b3f82ae96a92750edb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-auto-fix.yml"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `aws-actions/configure-aws-credentials` pinned to mutable ref `@v4`: `uses: aws-actions/configure-aws-credentials@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41527, "scanner": "repobility-supply-chain", "fingerprint": "a567d93d5d33b5ffc1eb1838f658bb9452932d224a3e9793bd50b10596e068ad", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a567d93d5d33b5ffc1eb1838f658bb9452932d224a3e9793bd50b10596e068ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-auto-fix.yml"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41526, "scanner": "repobility-supply-chain", "fingerprint": "1ca28077572d3508b258f785da8aceb863a8888714ae27b48ba10bf892dd209a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ca28077572d3508b258f785da8aceb863a8888714ae27b48ba10bf892dd209a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-auto-fix.yml"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41525, "scanner": "repobility-supply-chain", "fingerprint": "51def7d183ebc32b86c11d3cdd0ce5ff71b876acbf3c62160036a2a0abc464ab", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|51def7d183ebc32b86c11d3cdd0ce5ff71b876acbf3c62160036a2a0abc464ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-auto-fix.yml"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 41524, "scanner": "repobility-supply-chain", "fingerprint": "56c514b62f1343ae408e7757e3e4625e9a894781dd389ca7effbeabc6073cecd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|56c514b62f1343ae408e7757e3e4625e9a894781dd389ca7effbeabc6073cecd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-auto-fix.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `budtmo/docker-android:emulator_11.0` not pinned by digest: `FROM budtmo/docker-android:emulator_11.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 41523, "scanner": "repobility-supply-chain", "fingerprint": "1fbfbde75494721ecf6ab0d7fdbf50667670422888fdf48889833576249eed70", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1fbfbde75494721ecf6ab0d7fdbf50667670422888fdf48889833576249eed70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/qemu-docker/android/dev.Dockerfile"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `eclipse-temurin:17-jdk` not pinned by digest: `FROM eclipse-temurin:17-jdk` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 41522, "scanner": "repobility-supply-chain", "fingerprint": "4943dee32df0511837a33920f90991c0c5235d98cc3784feb05c0f07cfbc82af", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4943dee32df0511837a33920f90991c0c5235d98cc3784feb05c0f07cfbc82af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/qemu-docker/android/dev.Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `budtmo/docker-android:emulator_11.0` not pinned by digest: `FROM budtmo/docker-android:emulator_11.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 41521, "scanner": "repobility-supply-chain", "fingerprint": "2695a4bd4e8a99c79c60bee5dbf242b7921fb7482beb4c7e9a9b1dadc36b6827", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2695a4bd4e8a99c79c60bee5dbf242b7921fb7482beb4c7e9a9b1dadc36b6827"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/qemu-docker/android/Dockerfile"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `eclipse-temurin:17-jdk` not pinned by digest: `FROM eclipse-temurin:17-jdk` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 41520, "scanner": "repobility-supply-chain", "fingerprint": "6c1911740a0c3f2a8acf900e0fa34dac26008a7a4ab217497c50b80b2cdcafbc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6c1911740a0c3f2a8acf900e0fa34dac26008a7a4ab217497c50b80b2cdcafbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/qemu-docker/android/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `trycua/windows-local:latest` not pinned by digest: `FROM trycua/windows-local:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 41519, "scanner": "repobility-supply-chain", "fingerprint": "e9409a923ff7bce93fdedd0b7f0a5ec7e34c9aa9394fdfe6dbb55477d25154d6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e9409a923ff7bce93fdedd0b7f0a5ec7e34c9aa9394fdfe6dbb55477d25154d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/qemu-docker/windows/Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `trycua/qemu-local:latest` not pinned by digest: `FROM trycua/qemu-local:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 41518, "scanner": "repobility-supply-chain", "fingerprint": "9adf63dc9b2b453ab99190b72862ce47d5b7fcd6b65ef81ee2413fd2b9701e97", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9adf63dc9b2b453ab99190b72862ce47d5b7fcd6b65ef81ee2413fd2b9701e97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/qemu-docker/linux/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.11-slim` not pinned by digest: `FROM python:3.11-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 41509, "scanner": "repobility-supply-chain", "fingerprint": "ed6b8d5a9e244924298ad4a29ee27b29a898a28f24ddb3b7954fdff909c3c3c1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ed6b8d5a9e244924298ad4a29ee27b29a898a28f24ddb3b7954fdff909c3c3c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/templates/agent/Dockerfile.template"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.12-slim` not pinned by digest: `FROM python:3.12-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 41508, "scanner": "repobility-supply-chain", "fingerprint": "cc78f4acd36c4bbbd12034c5f0851f6b6f6bf9637030ffe3441ce3ab6b96f89a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cc78f4acd36c4bbbd12034c5f0851f6b6f6bf9637030ffe3441ce3ab6b96f89a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/cli/templates/agent/Dockerfile.template"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `kasmweb/core-ubuntu-jammy:1.17.0` not pinned by digest: `FROM kasmweb/core-ubuntu-jammy:1.17.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 41507, "scanner": "repobility-supply-chain", "fingerprint": "6eadb015f000c7824f0bd34b2e61d82bf882b8f4a01aa7360bf1a19b06bb673e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6eadb015f000c7824f0bd34b2e61d82bf882b8f4a01aa7360bf1a19b06bb673e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/kasm/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 41506, "scanner": "repobility-supply-chain", "fingerprint": "8eb6322b9e3b3dddd41cdb77b20af7a797070df265d4c93d647e29aa2d0c9da5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8eb6322b9e3b3dddd41cdb77b20af7a797070df265d4c93d647e29aa2d0c9da5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/xfce/Dockerfile.dev"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 41505, "scanner": "repobility-supply-chain", "fingerprint": "e91c3f65c48afdbf73a210247de28c79bb6a20cf59a11cc99ce39b764383066b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e91c3f65c48afdbf73a210247de28c79bb6a20cf59a11cc99ce39b764383066b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/xfce/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 41504, "scanner": "repobility-supply-chain", "fingerprint": "45a771158170b3ad7aa71d3a8cc2e252e7615fbc15064c8443b92a0e17ffcd9a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|45a771158170b3ad7aa71d3a8cc2e252e7615fbc15064c8443b92a0e17ffcd9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.12-slim` not pinned by digest: `FROM python:3.12-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 41503, "scanner": "repobility-supply-chain", "fingerprint": "649a400ec2a8f1830fb83f734a082b2fa2af6a6d04ca19ea105384a3bb4091fa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|649a400ec2a8f1830fb83f734a082b2fa2af6a6d04ca19ea105384a3bb4091fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:bullseye-slim` not pinned by digest: `FROM debian:bullseye-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 41502, "scanner": "repobility-supply-chain", "fingerprint": "cb9ab29f01d70229ac27f0229f4d66bf8ab2d613f49166ae1c250196098a1dc7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cb9ab29f01d70229ac27f0229f4d66bf8ab2d613f49166ae1c250196098a1dc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/lumier/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.12-slim` not pinned by digest: `FROM python:3.12-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 41501, "scanner": "repobility-supply-chain", "fingerprint": "554c9ae4192dd3a9b6620a02679ced03ae16f837c0e495817a8c7b1412964adb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|554c9ae4192dd3a9b6620a02679ced03ae16f837c0e495817a8c7b1412964adb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/docs-mcp-server/Dockerfile"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.12-slim` not pinned by digest: `FROM python:3.12-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 41500, "scanner": "repobility-supply-chain", "fingerprint": "57e3df58041b588d90ec5d8b93615739ff0ded9e716256e6a830b22d9c20399c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|57e3df58041b588d90ec5d8b93615739ff0ded9e716256e6a830b22d9c20399c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/docs-mcp-server/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/charliermarsh/ruff-pre-commit` pinned to mutable rev `v0.14.1`: `.pre-commit-config.yaml` references `https://github.com/charliermarsh/ruff-pre-commit` at `rev: v0.14.1`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 41499, "scanner": "repobility-supply-chain", "fingerprint": "73426cf4b1fb8bcfba98b8e75b12553504e484e7075b03023a1967d13ab400d3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|73426cf4b1fb8bcfba98b8e75b12553504e484e7075b03023a1967d13ab400d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/psf/black` pinned to mutable rev `25.9.0`: `.pre-commit-config.yaml` references `https://github.com/psf/black` at `rev: 25.9.0`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 41498, "scanner": "repobility-supply-chain", "fingerprint": "c4f269136ccd83b24c1f990ea04d28599ba76612263c5253a3b95bfac9776eaa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c4f269136ccd83b24c1f990ea04d28599ba76612263c5253a3b95bfac9776eaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/PyCQA/isort` pinned to mutable rev `7.0.0`: `.pre-commit-config.yaml` references `https://github.com/PyCQA/isort` at `rev: 7.0.0`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 41497, "scanner": "repobility-supply-chain", "fingerprint": "c9c9261435170c2d54b9c96cad44f0fd8a4d0cc87cf82582355688af22295bc9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c9c9261435170c2d54b9c96cad44f0fd8a4d0cc87cf82582355688af22295bc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/pre-commit/mirrors-prettier` pinned to mutable rev `v3.0.0`: `.pre-commit-config.yaml` references `https://github.com/pre-commit/mirrors-prettier` at `rev: v3.0.0`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 41496, "scanner": "repobility-supply-chain", "fingerprint": "dc1faf32bcbe45e3ce04b6a8fa57ab6bfb640bab603b876e4ec2b5e32bc52c77", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dc1faf32bcbe45e3ce04b6a8fa57ab6bfb640bab603b876e4ec2b5e32bc52c77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.12-slim` not pinned by digest: `FROM python:3.12-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 41495, "scanner": "repobility-supply-chain", "fingerprint": "29cbc1eff948d3b668ea1dffaf866f21ec8f1c413742768711c3d3f9609c5428", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|29cbc1eff948d3b668ea1dffaf866f21ec8f1c413742768711c3d3f9609c5428"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /playwright_exec has no auth: Handler `playwright_exec_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 41494, "scanner": "repobility-route-auth", "fingerprint": "4c16b10487b991fbfa378a0524bf7ef040ea5dc6e07772c00169abe80f41ab21", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|4c16b10487b991fbfa378a0524bf7ef040ea5dc6e07772c00169abe80f41ab21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/computer-server/computer_server/main.py"}, "region": {"startLine": 1279}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /responses has no auth: Handler `agent_response_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 41493, "scanner": "repobility-route-auth", "fingerprint": "02df29c3b58095358b0f65119cb6a19f62dedfc34b55be3247d912da5344af76", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|02df29c3b58095358b0f65119cb6a19f62dedfc34b55be3247d912da5344af76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/computer-server/computer_server/main.py"}, "region": {"startLine": 969}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /pty/{pid}/resize has no auth: Handler `pty_resize` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 41492, "scanner": "repobility-route-auth", "fingerprint": "a9d2ceeef644a4b55fa98b48de8929d46ba71c057bd17ea90bd558735c70e758", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|a9d2ceeef644a4b55fa98b48de8929d46ba71c057bd17ea90bd558735c70e758"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/computer-server/computer_server/main.py"}, "region": {"startLine": 833}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /pty/{pid}/stdin has no auth: Handler `pty_stdin` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 41491, "scanner": "repobility-route-auth", "fingerprint": "0f6a6f0714d911f57507caac01c889612792b1a2cb3a50b4ed0f22f8b558b443", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|0f6a6f0714d911f57507caac01c889612792b1a2cb3a50b4ed0f22f8b558b443"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/computer-server/computer_server/main.py"}, "region": {"startLine": 815}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI DELETE /pty/{pid} has no auth: Handler `pty_kill` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 41490, "scanner": "repobility-route-auth", "fingerprint": "c0a41773db2aece924a057481d912a4f21ee0cc5cd9fe16e658d0721edee3973", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|c0a41773db2aece924a057481d912a4f21ee0cc5cd9fe16e658d0721edee3973"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/computer-server/computer_server/main.py"}, "region": {"startLine": 800}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /pty has no auth: Handler `pty_create` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 41489, "scanner": "repobility-route-auth", "fingerprint": "d76aef03c6a623c1802e8c49c2423eaee11475994f5cbdd56df1afcfb46d8dca", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|d76aef03c6a623c1802e8c49c2423eaee11475994f5cbdd56df1afcfb46d8dca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/computer-server/computer_server/main.py"}, "region": {"startLine": 747}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /cmd has no auth: Handler `cmd_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 41488, "scanner": "repobility-route-auth", "fingerprint": "2816de1a116bf9741c8c6f065aadbead098083bc0892c1637a4529bfb125bded", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|2816de1a116bf9741c8c6f065aadbead098083bc0892c1637a4529bfb125bded"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/computer-server/computer_server/main.py"}, "region": {"startLine": 614}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /responses has no auth: Handler `responses_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 41487, "scanner": "repobility-route-auth", "fingerprint": "89aad3789121b5d5c1c6fc5e84cb4371e321eef6e5a54ed67f3d962a472113be", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|89aad3789121b5d5c1c6fc5e84cb4371e321eef6e5a54ed67f3d962a472113be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/agent/cua_agent/playground/server.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /fail/{call_id} has no auth: Handler `fail_call` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 41486, "scanner": "repobility-route-auth", "fingerprint": "c3fd13db54ccccbbc901423b6fa273f4926158168253773dbe09c9601be4fa6d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|c3fd13db54ccccbbc901423b6fa273f4926158168253773dbe09c9601be4fa6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/agent/cua_agent/human_tool/server.py"}, "region": {"startLine": 226}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /complete/{call_id} has no auth: Handler `complete_call` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 41485, "scanner": "repobility-route-auth", "fingerprint": "7d3bc64e07187fae57a9182c3f65d96054f5f1da1b1d66cfbfce5e862ac695f4", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|7d3bc64e07187fae57a9182c3f65d96054f5f1da1b1d66cfbfce5e862ac695f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/agent/cua_agent/human_tool/server.py"}, "region": {"startLine": 214}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /queue has no auth: Handler `queue_completion` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 41484, "scanner": "repobility-route-auth", "fingerprint": "2ac81098aedc3a9ad1563f98899c8b9ccfa965f7424b347829ff74855a4a8acb", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|2ac81098aedc3a9ad1563f98899c8b9ccfa965f7424b347829ff74855a4a8acb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/agent/cua_agent/human_tool/server.py"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /shutdown has no auth: Handler `shutdown` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 41483, "scanner": "repobility-route-auth", "fingerprint": "71dc32943fa0995d7767366029a972a2b64566ab80bb202bb65102e7ef5f155d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|71dc32943fa0995d7767366029a972a2b64566ab80bb202bb65102e7ef5f155d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/workers/worker_server.py"}, "region": {"startLine": 434}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /step has no auth: Handler `step` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 41482, "scanner": "repobility-route-auth", "fingerprint": "e02be9293a9a10f3542817e7b9e0769ccf98cfdffb2d37560cb96d4cbb4009da", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|e02be9293a9a10f3542817e7b9e0769ccf98cfdffb2d37560cb96d4cbb4009da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/workers/worker_server.py"}, "region": {"startLine": 364}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /reset has no auth: Handler `reset` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 41481, "scanner": "repobility-route-auth", "fingerprint": "c38a33c71415a40c338c682a4778412b1ac7b3943b0ae1737b87821a965b3a47", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|c38a33c71415a40c338c682a4778412b1ac7b3943b0ae1737b87821a965b3a47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/workers/worker_server.py"}, "region": {"startLine": 307}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `input` inside async function `_record_skill_async`: `input` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41477, "scanner": "repobility-ast-engine", "fingerprint": "3b90385c88d37e69928cfa2fa72eb5e787c217e7a8680e52942448da10fa7235", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3b90385c88d37e69928cfa2fa72eb5e787c217e7a8680e52942448da10fa7235"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/cua-cli/cua_cli/commands/skills.py"}, "region": {"startLine": 568}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `input` inside async function `_record_skill_async`: `input` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41476, "scanner": "repobility-ast-engine", "fingerprint": "e70d92975c367529efefedd7dc8535310446e2b37fc725093e7bfa9922b9f1ac", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e70d92975c367529efefedd7dc8535310446e2b37fc725093e7bfa9922b9f1ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/cua-cli/cua_cli/commands/skills.py"}, "region": {"startLine": 548}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `input` inside async function `_record_skill_async`: `input` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41475, "scanner": "repobility-ast-engine", "fingerprint": "3c919532026b7f02125d4a16846345b8ff66bd526c3413d105fdb42f025dc8fc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3c919532026b7f02125d4a16846345b8ff66bd526c3413d105fdb42f025dc8fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/cua-cli/cua_cli/commands/skills.py"}, "region": {"startLine": 565}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `input` inside async function `_record_skill_async`: `input` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41474, "scanner": "repobility-ast-engine", "fingerprint": "44b34db22d2efb8d58ef4cad432d27d459e2f2a7f658b7eca08efb9b1fe0de7d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|44b34db22d2efb8d58ef4cad432d27d459e2f2a7f658b7eca08efb9b1fe0de7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/cua-cli/cua_cli/commands/skills.py"}, "region": {"startLine": 545}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `run_vm`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41473, "scanner": "repobility-ast-engine", "fingerprint": "4ecdbc748b02382a6920f42a53ebf54dab983d707f7b08db81154c8e10fcdf9f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4ecdbc748b02382a6920f42a53ebf54dab983d707f7b08db81154c8e10fcdf9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/computer/computer/providers/lumier/provider.py"}, "region": {"startLine": 431}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `main`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41471, "scanner": "repobility-ast-engine", "fingerprint": "2fa77a29ec8aa81fa19c63d29ce9532c0a13738f539f10e421c15041153c1be5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2fa77a29ec8aa81fa19c63d29ce9532c0a13738f539f10e421c15041153c1be5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/computer-server/computer_server/diorama/diorama.py"}, "region": {"startLine": 540}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `drag`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41469, "scanner": "repobility-ast-engine", "fingerprint": "9eb2609ab4faa0d75a519d149b1b1c55b7a4a0b4306730c9ae8d5e3fec74780f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9eb2609ab4faa0d75a519d149b1b1c55b7a4a0b4306730c9ae8d5e3fec74780f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/computer-server/computer_server/handlers/macos.py"}, "region": {"startLine": 1226}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `drag_to`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41468, "scanner": "repobility-ast-engine", "fingerprint": "2ae25a2003c6e670b669e6e33a08410bdf56dcfc907e3edc2df7e3c96fbede3e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2ae25a2003c6e670b669e6e33a08410bdf56dcfc907e3edc2df7e3c96fbede3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/computer-server/computer_server/handlers/macos.py"}, "region": {"startLine": 1188}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `input` inside async function `main`: `input` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41463, "scanner": "repobility-ast-engine", "fingerprint": "9ec0208302dd93a49ca872b73c950699eb298a56459d7878125672745ac23af9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9ec0208302dd93a49ca872b73c950699eb298a56459d7878125672745ac23af9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/agent/benchmarks/interactive.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `input` inside async function `main`: `input` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41462, "scanner": "repobility-ast-engine", "fingerprint": "c340bae2f059723c1b475bad3f8b54bd3d61080e4e5d39f8c0151565e256d521", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c340bae2f059723c1b475bad3f8b54bd3d61080e4e5d39f8c0151565e256d521"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/agent/cua_agent/cli.py"}, "region": {"startLine": 351}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `input` inside async function `main`: `input` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41461, "scanner": "repobility-ast-engine", "fingerprint": "937cc2a80a4979624244ac8467b27ab6a1a5c57fc65563096bc5fc891d29da0f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|937cc2a80a4979624244ac8467b27ab6a1a5c57fc65563096bc5fc891d29da0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/agent/cua_agent/cli.py"}, "region": {"startLine": 325}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `input` inside async function `main`: `input` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41460, "scanner": "repobility-ast-engine", "fingerprint": "9bc81556d5a15c550d4022558063b58fdc3004608d57b6580d215e0a82fb2552", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9bc81556d5a15c550d4022558063b58fdc3004608d57b6580d215e0a82fb2552"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/agent/cua_agent/cli.py"}, "region": {"startLine": 335}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `input` inside async function `main`: `input` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41459, "scanner": "repobility-ast-engine", "fingerprint": "0707224eb40b5e733604074407aebf9c6879e2e22ce59dc7123772517adf509c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0707224eb40b5e733604074407aebf9c6879e2e22ce59dc7123772517adf509c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/agent/example.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `requests.get` inside async function `_download_setup`: `requests.get` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41456, "scanner": "repobility-ast-engine", "fingerprint": "a6f4b46e7d2439e5a0cd177ea1b111acb33fd23615c7433b0b1e86d8f06f11f9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a6f4b46e7d2439e5a0cd177ea1b111acb33fd23615c7433b0b1e86d8f06f11f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/tasks/winarena_adapter/setup_controller.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `urllib.request.urlopen` inside async function `_execute_native_interactive`: `urllib.request.urlopen` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41454, "scanner": "repobility-ast-engine", "fingerprint": "e0b4f166d17e4a3b953f726321de818ba1c87b78158ae0e331b4b72267901a56", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e0b4f166d17e4a3b953f726321de818ba1c87b78158ae0e331b4b72267901a56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/cli/commands/interact.py"}, "region": {"startLine": 356}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `input` inside async function `_execute_native_interactive`: `input` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41453, "scanner": "repobility-ast-engine", "fingerprint": "2f72b84a6e0e2dc6acf31ae252bb3acf18c123b00d03afbbdff6985f6f039874", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2f72b84a6e0e2dc6acf31ae252bb3acf18c123b00d03afbbdff6985f6f039874"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/cli/commands/interact.py"}, "region": {"startLine": 378}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `input` inside async function `_execute_simulated_interactive`: `input` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41452, "scanner": "repobility-ast-engine", "fingerprint": "e1b4113760d523c037cb97685b75bbdf112b51920b499f1b8a70bf6f81002314", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e1b4113760d523c037cb97685b75bbdf112b51920b499f1b8a70bf6f81002314"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/cli/commands/interact.py"}, "region": {"startLine": 234}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_dataloader_benchmark`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41451, "scanner": "repobility-ast-engine", "fingerprint": "c8fdd5a7510f371da34007085efe707dab48b9fe508584eeaa77d333792ff2f6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c8fdd5a7510f371da34007085efe707dab48b9fe508584eeaa77d333792ff2f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/tests/test_worker_manager.py"}, "region": {"startLine": 718}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_dataloader_benchmark`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41450, "scanner": "repobility-ast-engine", "fingerprint": "5d10961ec66c6766fca1a4f860cc5c93391226a62096a0b7f102138de5c48686", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5d10961ec66c6766fca1a4f860cc5c93391226a62096a0b7f102138de5c48686"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/tests/test_worker_manager.py"}, "region": {"startLine": 728}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_dataloader_replay_sampling`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41449, "scanner": "repobility-ast-engine", "fingerprint": "b8e7e3ba1a26411819bab313e04ba6e151b25a93851044f67b37e6fafe6fd657", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b8e7e3ba1a26411819bab313e04ba6e151b25a93851044f67b37e6fafe6fd657"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/tests/test_worker_manager.py"}, "region": {"startLine": 568}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `_run`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41448, "scanner": "repobility-ast-engine", "fingerprint": "d0a210ae257fd0598065d387edc93f7a6b18560b179873d966abe420e20adf48", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d0a210ae257fd0598065d387edc93f7a6b18560b179873d966abe420e20adf48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/scripts/benchmark_workers.py"}, "region": {"startLine": 241}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._make_click_through` used but never assigned in __init__: Method `move_to` of class `OverlayCursor` reads `self._make_click_through`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41447, "scanner": "repobility-ast-engine", "fingerprint": "8a08bc6d47ddc9d0ff1911dac221acbee848f20971567cb98bfd4f04f142be94", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8a08bc6d47ddc9d0ff1911dac221acbee848f20971567cb98bfd4f04f142be94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/src/mcp/overlay-cursor.py"}, "region": {"startLine": 444}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.move` used but never assigned in __init__: Method `move_to` of class `OverlayCursor` reads `self.move`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41446, "scanner": "repobility-ast-engine", "fingerprint": "341a1c1291f7d386df5ae97bad9af6e0054378e1bb2bacf2618318690b71571e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|341a1c1291f7d386df5ae97bad9af6e0054378e1bb2bacf2618318690b71571e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/src/mcp/overlay-cursor.py"}, "region": {"startLine": 443}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.show_all` used but never assigned in __init__: Method `move_to` of class `OverlayCursor` reads `self.show_all`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41445, "scanner": "repobility-ast-engine", "fingerprint": "13d122dfb84f6188bb9d32adc0c11c34c7f9655fe286114af296f72bf2caf611", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|13d122dfb84f6188bb9d32adc0c11c34c7f9655fe286114af296f72bf2caf611"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/src/mcp/overlay-cursor.py"}, "region": {"startLine": 435}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.hide` used but never assigned in __init__: Method `animation_tick` of class `OverlayCursor` reads `self.hide`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41444, "scanner": "repobility-ast-engine", "fingerprint": "bac659c1b818126f09fd4b1a859b6c64d148c429cd72595b62fca4ef5e4c0725", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bac659c1b818126f09fd4b1a859b6c64d148c429cd72595b62fca4ef5e4c0725"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/src/mcp/overlay-cursor.py"}, "region": {"startLine": 407}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._make_click_through` used but never assigned in __init__: Method `animation_tick` of class `OverlayCursor` reads `self._make_click_through`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41443, "scanner": "repobility-ast-engine", "fingerprint": "294c8ba2efb3e02a40cf5b7c3aa13219883d1f0582d1cd10472575efd2a02499", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|294c8ba2efb3e02a40cf5b7c3aa13219883d1f0582d1cd10472575efd2a02499"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/src/mcp/overlay-cursor.py"}, "region": {"startLine": 378}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.move` used but never assigned in __init__: Method `animation_tick` of class `OverlayCursor` reads `self.move`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41442, "scanner": "repobility-ast-engine", "fingerprint": "60c669598dc7b04b8ebf48ebbb1204c949fc34fdccd4022af81096b3ee482ac6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|60c669598dc7b04b8ebf48ebbb1204c949fc34fdccd4022af81096b3ee482ac6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/src/mcp/overlay-cursor.py"}, "region": {"startLine": 377}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._colorize_pixbuf` used but never assigned in __init__: Method `on_draw` of class `OverlayCursor` reads `self._colorize_pixbuf`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41441, "scanner": "repobility-ast-engine", "fingerprint": "31100accb4eee91148a172d2cc7103d28ee96f2112fcdefeb9f6f0a1d5bb6182", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|31100accb4eee91148a172d2cc7103d28ee96f2112fcdefeb9f6f0a1d5bb6182"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/src/mcp/overlay-cursor.py"}, "region": {"startLine": 277}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_window` used but never assigned in __init__: Method `_make_click_through` of class `OverlayCursor` reads `self.get_window`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41440, "scanner": "repobility-ast-engine", "fingerprint": "e77f81a9efc1573217941c2808bc6b9e1537df4678a022d02413348d7a0638e0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e77f81a9efc1573217941c2808bc6b9e1537df4678a022d02413348d7a0638e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/src/mcp/overlay-cursor.py"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._make_click_through` used but never assigned in __init__: Method `_on_map` of class `OverlayCursor` reads `self._make_click_through`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41439, "scanner": "repobility-ast-engine", "fingerprint": "83c03223db83e7021912a70578be1b9a5b6fd620aa0a6ac3c4697d937680c29a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|83c03223db83e7021912a70578be1b9a5b6fd620aa0a6ac3c4697d937680c29a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/src/mcp/overlay-cursor.py"}, "region": {"startLine": 218}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._make_click_through` used but never assigned in __init__: Method `_on_realize` of class `OverlayCursor` reads `self._make_click_through`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41438, "scanner": "repobility-ast-engine", "fingerprint": "752731b666ace8e1fe96116208968cb6aa2710492cf5b171fd8509823894d83f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|752731b666ace8e1fe96116208968cb6aa2710492cf5b171fd8509823894d83f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/src/mcp/overlay-cursor.py"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.crawl_page` used but never assigned in __init__: Method `crawl_all` of class `CuaDocsCrawler` reads `self.crawl_page`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41430, "scanner": "repobility-ast-engine", "fingerprint": "78db5d9598bc3054df05ecdaa6b6a956c1053cb8381294c7eb61b1c4424eec06", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|78db5d9598bc3054df05ecdaa6b6a956c1053cb8381294c7eb61b1c4424eec06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/crawl_docs.py"}, "region": {"startLine": 216}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.is_valid_url` used but never assigned in __init__: Method `crawl_all` of class `CuaDocsCrawler` reads `self.is_valid_url`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41429, "scanner": "repobility-ast-engine", "fingerprint": "c4dbfa0cd14254b0089a704067b2a1b311a289ad9844f3f8a8c1cb2550d1d9ab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c4dbfa0cd14254b0089a704067b2a1b311a289ad9844f3f8a8c1cb2550d1d9ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/crawl_docs.py"}, "region": {"startLine": 194}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_categories` used but never assigned in __init__: Method `crawl_all` of class `CuaDocsCrawler` reads `self._get_categories`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41428, "scanner": "repobility-ast-engine", "fingerprint": "67c7c2dde9c38555e489d9a76363a84779512bdf53d0f52f1ff7afb5521c4634", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|67c7c2dde9c38555e489d9a76363a84779512bdf53d0f52f1ff7afb5521c4634"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/crawl_docs.py"}, "region": {"startLine": 231}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.normalize_url` used but never assigned in __init__: Method `crawl_all` of class `CuaDocsCrawler` reads `self.normalize_url`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41427, "scanner": "repobility-ast-engine", "fingerprint": "0caa1ad052fc4784351f086695e83816af91b027e039d8aca2d3ccab48c8476b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0caa1ad052fc4784351f086695e83816af91b027e039d8aca2d3ccab48c8476b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/crawl_docs.py"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.save_page` used but never assigned in __init__: Method `crawl_page` of class `CuaDocsCrawler` reads `self.save_page`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41426, "scanner": "repobility-ast-engine", "fingerprint": "7ebcc99695303ca8bb45392fdf7223889ffb4ef640e97940a009dc7ee92d74ed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7ebcc99695303ca8bb45392fdf7223889ffb4ef640e97940a009dc7ee92d74ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/crawl_docs.py"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.extract_path_info` used but never assigned in __init__: Method `crawl_page` of class `CuaDocsCrawler` reads `self.extract_path_info`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41425, "scanner": "repobility-ast-engine", "fingerprint": "a25d0a6aaa8d93dec4dc17d92267959a12a81f1daa11485b6779895890afa6df", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a25d0a6aaa8d93dec4dc17d92267959a12a81f1daa11485b6779895890afa6df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/crawl_docs.py"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.extract_links` used but never assigned in __init__: Method `crawl_page` of class `CuaDocsCrawler` reads `self.extract_links`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41424, "scanner": "repobility-ast-engine", "fingerprint": "d5291d05c591d2f540f15e431a5092d5f40b235f856bbedc5472d351602158d7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d5291d05c591d2f540f15e431a5092d5f40b235f856bbedc5472d351602158d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/crawl_docs.py"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.is_valid_url` used but never assigned in __init__: Method `extract_links` of class `CuaDocsCrawler` reads `self.is_valid_url`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41423, "scanner": "repobility-ast-engine", "fingerprint": "6716d0a0d20fd83a5490cdd2d1cf2cf5fd9b3d3f0f10dd4d2bafd28058ce400b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6716d0a0d20fd83a5490cdd2d1cf2cf5fd9b3d3f0f10dd4d2bafd28058ce400b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/crawl_docs.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.normalize_url` used but never assigned in __init__: Method `extract_links` of class `CuaDocsCrawler` reads `self.normalize_url`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41422, "scanner": "repobility-ast-engine", "fingerprint": "86ae28e09766df39ad3b457e5f8e6f5d1ace272082a99f97f02ebb5c418eefab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|86ae28e09766df39ad3b457e5f8e6f5d1ace272082a99f97f02ebb5c418eefab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/crawl_docs.py"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `urllib.request.urlretrieve` inside async function `test_pwa_install`: `urllib.request.urlretrieve` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41409, "scanner": "repobility-ast-engine", "fingerprint": "e4c3d5e0c00dbf6de615a364ac24d997fbb90ccf8afe02df04b0d402883620de", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e4c3d5e0c00dbf6de615a364ac24d997fbb90ccf8afe02df04b0d402883620de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_image_builder.py"}, "region": {"startLine": 379}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._base` used but never assigned in __init__: Method `test_multiple_packages` of class `TestLinuxPipInstall` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41408, "scanner": "repobility-ast-engine", "fingerprint": "80075e8e939f8fe3297eda6cfe66351f149c0f7caa93f308a5fc1ade7d7ec528", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|80075e8e939f8fe3297eda6cfe66351f149c0f7caa93f308a5fc1ade7d7ec528"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_image_builder.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._base` used but never assigned in __init__: Method `test_single_package` of class `TestLinuxPipInstall` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41407, "scanner": "repobility-ast-engine", "fingerprint": "d77de614620a745de3660c66a3b09aee62fe1f4495eab2319121eddac5067d1e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d77de614620a745de3660c66a3b09aee62fe1f4495eab2319121eddac5067d1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_image_builder.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._base` used but never assigned in __init__: Method `test_chained_calls` of class `TestLinuxAptInstall` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41406, "scanner": "repobility-ast-engine", "fingerprint": "aee3eec191472bf4b4e4f406d09c89755a8dcf1c027b4b8a15520a1fea15978f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aee3eec191472bf4b4e4f406d09c89755a8dcf1c027b4b8a15520a1fea15978f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_image_builder.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._base` used but never assigned in __init__: Method `test_multiple_packages` of class `TestLinuxAptInstall` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41405, "scanner": "repobility-ast-engine", "fingerprint": "0699d2a0926e01d3f52ee78239063b0434a0c1d9cc4684b3767354b862d6f25d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0699d2a0926e01d3f52ee78239063b0434a0c1d9cc4684b3767354b862d6f25d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_image_builder.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._base` used but never assigned in __init__: Method `test_single_package` of class `TestLinuxAptInstall` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41404, "scanner": "repobility-ast-engine", "fingerprint": "7b0aac517764e0bab84c71218a0257216da561334aae6ebc525c4f9a93405000", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7b0aac517764e0bab84c71218a0257216da561334aae6ebc525c4f9a93405000"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_image_builder.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._base` used but never assigned in __init__: Method `setup_method` of class `TestLinuxAptInstall` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 41403, "scanner": "repobility-ast-engine", "fingerprint": "784f029d76f6fdfd15b89cea8902581f8923ba7f3c25ecf7e46f8aa14a109e86", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|784f029d76f6fdfd15b89cea8902581f8923ba7f3c25ecf7e46f8aa14a109e86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_image_builder.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `urllib.request.urlretrieve` inside async function `test_android_pwa_install`: `urllib.request.urlretrieve` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41400, "scanner": "repobility-ast-engine", "fingerprint": "8396af653fb3f4ec3386f3327ee9da88366b794ce9c5fc7555b0430504bcf22f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8396af653fb3f4ec3386f3327ee9da88366b794ce9c5fc7555b0430504bcf22f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_image_builder_cloud.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `urllib.request.urlopen` inside async function `main`: `urllib.request.urlopen` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41396, "scanner": "repobility-ast-engine", "fingerprint": "86267b93ea7d4c7872ee45149ead40df8267e70e479adb77d2ee548b3569e332", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|86267b93ea7d4c7872ee45149ead40df8267e70e479adb77d2ee548b3569e332"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/cold_start_benchmark.py"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `urllib.request.Request` inside async function `main`: `urllib.request.Request` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 41395, "scanner": "repobility-ast-engine", "fingerprint": "ad9ad3ad1dca5298ecce52f8abbec73990028e2be32ff9ab8131911f5bf4711a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ad9ad3ad1dca5298ecce52f8abbec73990028e2be32ff9ab8131911f5bf4711a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/cold_start_benchmark.py"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_keypress_combination: Test function `test_keypress_combination` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41393, "scanner": "repobility-ast-engine", "fingerprint": "bbbd279bc7504dfdad80a32f0b930fdbf6d1d98c1fa86e5f8be41bbb3d8e39e1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bbbd279bc7504dfdad80a32f0b930fdbf6d1d98c1fa86e5f8be41bbb3d8e39e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 511}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_keypress_single: Test function `test_keypress_single` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41392, "scanner": "repobility-ast-engine", "fingerprint": "bec85358660cee987396eb17f86a51542a51d1264e5c5783b004d4f7b8902df3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bec85358660cee987396eb17f86a51542a51d1264e5c5783b004d4f7b8902df3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 507}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_type: Test function `test_type` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41391, "scanner": "repobility-ast-engine", "fingerprint": "eaf56e759a22d5c4316a2029207ace2940c292335979075cd5ee7cd1c7896830", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eaf56e759a22d5c4316a2029207ace2940c292335979075cd5ee7cd1c7896830"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 503}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_drag: Test function `test_drag` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41390, "scanner": "repobility-ast-engine", "fingerprint": "452c716119a75acf4b3373d3d94b54dffe489464aa653ccac2f4437207564704", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|452c716119a75acf4b3373d3d94b54dffe489464aa653ccac2f4437207564704"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 488}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_mouse_down_and_up: Test function `test_mouse_down_and_up` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41389, "scanner": "repobility-ast-engine", "fingerprint": "eb50f6b022e137ef34e5319702a4ad4b3bfb236e01537570059225260a00e6ff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eb50f6b022e137ef34e5319702a4ad4b3bfb236e01537570059225260a00e6ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 482}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_scroll: Test function `test_scroll` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41388, "scanner": "repobility-ast-engine", "fingerprint": "43bcd77e299e31fac0941e4655f0fed52ec4e67e03dc1e661681a3eeda2133a3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|43bcd77e299e31fac0941e4655f0fed52ec4e67e03dc1e661681a3eeda2133a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 477}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_move: Test function `test_move` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41387, "scanner": "repobility-ast-engine", "fingerprint": "8b505e699fe6df1a154fa5c62a99027dd87005cb29d08914e3310b074cfc7948", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8b505e699fe6df1a154fa5c62a99027dd87005cb29d08914e3310b074cfc7948"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 473}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_double_click: Test function `test_double_click` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41386, "scanner": "repobility-ast-engine", "fingerprint": "919ac908bd8e447a36bc2bdbb4f2e3dc48a819f029982f51adb1353f6337c427", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|919ac908bd8e447a36bc2bdbb4f2e3dc48a819f029982f51adb1353f6337c427"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 468}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_right_click: Test function `test_right_click` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41385, "scanner": "repobility-ast-engine", "fingerprint": "154ca7c463d874d8a205cea20e923213daa5a7930d05ae2f9a661826f6ec4c39", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|154ca7c463d874d8a205cea20e923213daa5a7930d05ae2f9a661826f6ec4c39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 463}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_click: Test function `test_click` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41384, "scanner": "repobility-ast-engine", "fingerprint": "5969c583146c8dd7e0b0a3b610a4de3f719e8d144a975341aa6c32a1a4f60f7d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5969c583146c8dd7e0b0a3b610a4de3f719e8d144a975341aa6c32a1a4f60f7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 458}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_drag: Test function `test_drag` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41383, "scanner": "repobility-ast-engine", "fingerprint": "fd61eac0134bf5f3336f717fdec52b95ee3d22f4438980e9fc4c506f5ca6233a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fd61eac0134bf5f3336f717fdec52b95ee3d22f4438980e9fc4c506f5ca6233a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 446}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_mouse_down_and_up: Test function `test_mouse_down_and_up` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41382, "scanner": "repobility-ast-engine", "fingerprint": "2c046f4db0d86a07c4a5b0281f8bab97705282b664c55b7065e1031f9da46a43", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2c046f4db0d86a07c4a5b0281f8bab97705282b664c55b7065e1031f9da46a43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 440}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_scroll: Test function `test_scroll` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41381, "scanner": "repobility-ast-engine", "fingerprint": "e827c2ddd1758eaa0b0a9aac7658e162860a6af4a5554a4cc8e3041679672832", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e827c2ddd1758eaa0b0a9aac7658e162860a6af4a5554a4cc8e3041679672832"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 435}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_move: Test function `test_move` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41380, "scanner": "repobility-ast-engine", "fingerprint": "264ce3ad4b53c19e9aba1b46f3944b53641aeaa378d7169241ff563062f846b8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|264ce3ad4b53c19e9aba1b46f3944b53641aeaa378d7169241ff563062f846b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 431}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_double_click: Test function `test_double_click` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41379, "scanner": "repobility-ast-engine", "fingerprint": "f737ca76e239d87508560df72d0f4605e6cb9956631354e960ce7f8a63c2e6bd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f737ca76e239d87508560df72d0f4605e6cb9956631354e960ce7f8a63c2e6bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 426}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_right_click: Test function `test_right_click` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41378, "scanner": "repobility-ast-engine", "fingerprint": "c0eb245c18acf16969179a4f44ad0f1268b497128858cdfdb65295f0ec65c2ce", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c0eb245c18acf16969179a4f44ad0f1268b497128858cdfdb65295f0ec65c2ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 421}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_click: Test function `test_click` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41377, "scanner": "repobility-ast-engine", "fingerprint": "ea216baaf31d371a6776d0b5fddd239759384a37de69a3f2e948da6149d96b1c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ea216baaf31d371a6776d0b5fddd239759384a37de69a3f2e948da6149d96b1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 416}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_drag: Test function `test_drag` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41376, "scanner": "repobility-ast-engine", "fingerprint": "37f1f6552298dee7258a4af11af111228a381505135e865bfa2ff3c747c1f205", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|37f1f6552298dee7258a4af11af111228a381505135e865bfa2ff3c747c1f205"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 404}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_mouse_down_and_up: Test function `test_mouse_down_and_up` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41375, "scanner": "repobility-ast-engine", "fingerprint": "490422481d3964c97930f8a882247fb5f76dca665c570acc738be0c4824307ed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|490422481d3964c97930f8a882247fb5f76dca665c570acc738be0c4824307ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 398}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_scroll: Test function `test_scroll` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41374, "scanner": "repobility-ast-engine", "fingerprint": "0cbb15387148d1a2000b9fc23bccda6e34a1b0df1754b615cf49891b5441ea81", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0cbb15387148d1a2000b9fc23bccda6e34a1b0df1754b615cf49891b5441ea81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 393}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_move: Test function `test_move` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41373, "scanner": "repobility-ast-engine", "fingerprint": "e671b6d0cf0e34e4226f51721be80d611f11effbe44b063893f39b8ea6119e54", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e671b6d0cf0e34e4226f51721be80d611f11effbe44b063893f39b8ea6119e54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 388}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_double_click: Test function `test_double_click` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41372, "scanner": "repobility-ast-engine", "fingerprint": "ad9137c58edaa0f39cc6eb54d8d9950593dade7fce942d82e6df24f1c3431c42", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ad9137c58edaa0f39cc6eb54d8d9950593dade7fce942d82e6df24f1c3431c42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 383}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_right_click: Test function `test_right_click` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41371, "scanner": "repobility-ast-engine", "fingerprint": "c21efdbbb7941ae2e96d6173bc376cc6fa1944789393c22d784706247623dd9d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c21efdbbb7941ae2e96d6173bc376cc6fa1944789393c22d784706247623dd9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 378}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_click: Test function `test_click` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41370, "scanner": "repobility-ast-engine", "fingerprint": "b205f699d7db044f9db6331ead9d0163f04f9fd958fbff5e9ad582a96947a262", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b205f699d7db044f9db6331ead9d0163f04f9fd958fbff5e9ad582a96947a262"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 373}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_run_timeout: Test function `test_run_timeout` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 41369, "scanner": "repobility-ast-engine", "fingerprint": "41010959fe5e6205434db70faddbba51addb3dfae1f7ed6489948583ddbebaa6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|41010959fe5e6205434db70faddbba51addb3dfae1f7ed6489948583ddbebaa6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interfaces.py"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 41348, "scanner": "repobility-threat-engine", "fingerprint": "54784dc48b1c6fc68e213f1218dc9da4e5d88453fa7f97fad2dd114520a26f64", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|54784dc48b1c6fc68e213f1218dc9da4e5d88453fa7f97fad2dd114520a26f64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/playground.sh"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 41347, "scanner": "repobility-threat-engine", "fingerprint": "eb079975978904582582f6fb193ee2a1acd7a47cab96a16a60c333dbc4042206", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eb079975978904582582f6fb193ee2a1acd7a47cab96a16a60c333dbc4042206"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/playground-docker.sh"}, "region": {"startLine": 242}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 41346, "scanner": "repobility-threat-engine", "fingerprint": "71d04a0d103164eab946b24a4a88729728abb8cf8e78bba84de31c00b7a7995e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|71d04a0d103164eab946b24a4a88729728abb8cf8e78bba84de31c00b7a7995e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/install-cli.sh"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 41345, "scanner": "repobility-threat-engine", "fingerprint": "001d16563b3164a7a696657532d16b2211f95450766a16f37acb2baa7ca1ac14", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|001d16563b3164a7a696657532d16b2211f95450766a16f37acb2baa7ca1ac14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/docs-generators/runner.ts"}, "region": {"startLine": 214}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 41332, "scanner": "repobility-threat-engine", "fingerprint": "3524037ab04d683ee0b4c373fd29170daa6bbad60db1220949c16179cf025145", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3524037ab04d683ee0b4c373fd29170daa6bbad60db1220949c16179cf025145"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/middleware.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 41331, "scanner": "repobility-threat-engine", "fingerprint": "d70c44ca5ddd94342b5c1167c864246a986ac4bc3bc210b1502c4c1bf256bfb8", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d70c44ca5ddd94342b5c1167c864246a986ac4bc3bc210b1502c4c1bf256bfb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/crawl_docs.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 41330, "scanner": "repobility-threat-engine", "fingerprint": "c50301beb571c93676ba6b24111dd8358108b1a5a1d26af9d9265aaa025ed86d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c50301beb571c93676ba6b24111dd8358108b1a5a1d26af9d9265aaa025ed86d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/check-links.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 5078, "scanner": "repobility-docker", "fingerprint": "46105eb8733a657886c8c835e6de06d696b343a150b3495af7697115e19ee2a8", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "root", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|46105eb8733a657886c8c835e6de06d696b343a150b3495af7697115e19ee2a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/xfce/Dockerfile.dev"}, "region": {"startLine": 187}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 5069, "scanner": "repobility-docker", "fingerprint": "c1e2a02e9547b70173f7e8255a1386ac74603c85ae8d0f9ef9679250019542c7", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "root", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c1e2a02e9547b70173f7e8255a1386ac74603c85ae8d0f9ef9679250019542c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/xfce/Dockerfile"}, "region": {"startLine": 187}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 5056, "scanner": "repobility-docker", "fingerprint": "522e7c5efd61ddd0bcc9caad3c7aa96556d36811a5a022c423e1cc0cf346167c", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|522e7c5efd61ddd0bcc9caad3c7aa96556d36811a5a022c423e1cc0cf346167c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/qemu-docker/android/Dockerfile"}, "region": {"startLine": 59}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 5045, "scanner": "repobility-docker", "fingerprint": "a4fcf903f2dc71818baddd3b5946510143edfd18dbb4a1ef1e9ad670625e5faf", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a4fcf903f2dc71818baddd3b5946510143edfd18dbb4a1ef1e9ad670625e5faf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/Dockerfile"}, "region": {"startLine": 153}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 5044, "scanner": "repobility-docker", "fingerprint": "9a08f7b2a20f3586b60afeb147069e18a945a5edf1946c83791cab08c4542709", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9a08f7b2a20f3586b60afeb147069e18a945a5edf1946c83791cab08c4542709"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/Dockerfile"}, "region": {"startLine": 146}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 5043, "scanner": "repobility-docker", "fingerprint": "fd747f34a74677a0ca4f7dafe295162259433273411ea43f55c420757dbbad0b", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fd747f34a74677a0ca4f7dafe295162259433273411ea43f55c420757dbbad0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cuabot/Dockerfile"}, "region": {"startLine": 143}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 5030, "scanner": "repobility-docker", "fingerprint": "00138dc766a918f2b76ec834eb0b2ed23e72f18c4edc1500481fccdd7f072ce9", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|00138dc766a918f2b76ec834eb0b2ed23e72f18c4edc1500481fccdd7f072ce9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 5023, "scanner": "repobility-threat-engine", "fingerprint": "2504cea6fe1159faa584f542016ddfeef916d017faeb6393f9e05dd8461e75d8", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": "cursor.execute(f\"", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|docs/scripts/modal_app.py|1231|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/modal_app.py"}, "region": {"startLine": 1231}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.title in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.title }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 41552, "scanner": "repobility-supply-chain", "fingerprint": "01893c885c8e4cd2120f47db58c0659da8a6f529e488fecd90873615623d0d0a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|01893c885c8e4cd2120f47db58c0659da8a6f529e488fecd90873615623d0d0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-on-merge.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.RELEASE_APP_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.RELEASE_APP_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 41551, "scanner": "repobility-supply-chain", "fingerprint": "1506f1fdbd3867948b250f6c25b969065f4a78c78f25c1d6f340e0c1d05185d5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1506f1fdbd3867948b250f6c25b969065f4a78c78f25c1d6f340e0c1d05185d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-on-merge.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.RELEASE_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.RELEASE_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 41550, "scanner": "repobility-supply-chain", "fingerprint": "de81b514e22f3a738f381d90fa6fc36643f4834e9afb1496a95a4835fb30db47", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|de81b514e22f3a738f381d90fa6fc36643f4834e9afb1496a95a4835fb30db47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-on-merge.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SLACK_WEBHOOK` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_WEBHOOK }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 41549, "scanner": "repobility-supply-chain", "fingerprint": "9748cbd9400c3246db4e946167aecccc269e2d5b29a9d4e35ae360f6a90247bc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9748cbd9400c3246db4e946167aecccc269e2d5b29a9d4e35ae360f6a90247bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-check-links.yml"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 41480, "scanner": "repobility-ast-engine", "fingerprint": "3d015c5fc681e414134627b1d17fbee28f0fedf82ad70aee56bd7afdd9155788", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3d015c5fc681e414134627b1d17fbee28f0fedf82ad70aee56bd7afdd9155788"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/cua-sandbox/cua_sandbox/registry/manifest.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `http` used but not imported: The file uses `http.something(...)` but never imports `http`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 41479, "scanner": "repobility-ast-engine", "fingerprint": "92e5f405797bee8af13f0925459c396c2a2ecf571de20ac3a7b288b3cbd330b2", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|92e5f405797bee8af13f0925459c396c2a2ecf571de20ac3a7b288b3cbd330b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/cua-cli/cua_cli/commands/do.py"}, "region": {"startLine": 1281}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `http` used but not imported: The file uses `http.something(...)` but never imports `http`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 41478, "scanner": "repobility-ast-engine", "fingerprint": "29e5c25df05bd27283006bade787ee90c88a682dbd164267278d42010203c152", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|29e5c25df05bd27283006bade787ee90c88a682dbd164267278d42010203c152"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/cua-cli/cua_cli/commands/sandbox.py"}, "region": {"startLine": 876}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `http` used but not imported: The file uses `http.something(...)` but never imports `http`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 41472, "scanner": "repobility-ast-engine", "fingerprint": "db9dd9bf298506d64eddede25a721a75597220339b35da859fc0290e513a97ab", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|db9dd9bf298506d64eddede25a721a75597220339b35da859fc0290e513a97ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/computer/computer/pty.py"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `re` used but not imported: The file uses `re.something(...)` but never imports `re`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 41470, "scanner": "repobility-ast-engine", "fingerprint": "ef29d8e9f46254c8fc6fb26dd14689391603938366b06224063a6e99dacbdf4c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ef29d8e9f46254c8fc6fb26dd14689391603938366b06224063a6e99dacbdf4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/computer-server/computer_server/diorama/draw.py"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `string` used but not imported: The file uses `string.something(...)` but never imports `string`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 41467, "scanner": "repobility-ast-engine", "fingerprint": "078ac96c71fde405e729d1e0da4653dae9587eb3d450a6d120a83fe518dd1965", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|078ac96c71fde405e729d1e0da4653dae9587eb3d450a6d120a83fe518dd1965"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/computer-server/computer_server/handlers/macos.py"}, "region": {"startLine": 463}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `sys` used but not imported: The file uses `sys.something(...)` but never imports `sys`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 41466, "scanner": "repobility-ast-engine", "fingerprint": "c53435b526238e739ef2be26c8488a3421897fcbc04f4e1b8f1f98d8495f010d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c53435b526238e739ef2be26c8488a3421897fcbc04f4e1b8f1f98d8495f010d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/agent/cua_agent/loops/fara/helpers.py"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `sys` used but not imported: The file uses `sys.something(...)` but never imports `sys`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 41465, "scanner": "repobility-ast-engine", "fingerprint": "216f6d1de9f5495418547d4571a96bacabcda22a64fd9a9777038538b8a44548", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|216f6d1de9f5495418547d4571a96bacabcda22a64fd9a9777038538b8a44548"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/agent/cua_agent/loops/qwen35.py"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `sys` used but not imported: The file uses `sys.something(...)` but never imports `sys`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 41464, "scanner": "repobility-ast-engine", "fingerprint": "8adae4a364852e47fade29e5f011b5f6e4b2c8948c60f18c38c78073346f844f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8adae4a364852e47fade29e5f011b5f6e4b2c8948c60f18c38c78073346f844f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/python/agent/cua_agent/loops/generic_vlm.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 41458, "scanner": "repobility-ast-engine", "fingerprint": "6ee57e2d214e0f9e720f002b925525829ad84f212ddd4ef6cb47c428e2100144", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6ee57e2d214e0f9e720f002b925525829ad84f212ddd4ef6cb47c428e2100144"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/tasks/winarena_adapter/evaluators/metrics/gimp.py"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `http` used but not imported: The file uses `http.something(...)` but never imports `http`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 41457, "scanner": "repobility-ast-engine", "fingerprint": "516bdffdd5fb5ded46869a57289f3477727c8e9f30a7c99903a6eaef752fcc9f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|516bdffdd5fb5ded46869a57289f3477727c8e9f30a7c99903a6eaef752fcc9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/tasks/winarena_adapter/evaluators/getters_async/file.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 41455, "scanner": "repobility-ast-engine", "fingerprint": "b0420c39a48c290baaed6f3594edf49f5472b785489a7b7d1b93d37b5c120522", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b0420c39a48c290baaed6f3594edf49f5472b785489a7b7d1b93d37b5c120522"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/cua-bench/cua_bench/cli/commands/trace.py"}, "region": {"startLine": 324}}}]}]}]}