{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED124", "name": "[MINED124] requirements.txt: `yugabyte_pycommon` has no version pin: Unpinned pip requirement means every fresh install ", "shortDescription": {"text": "[MINED124] requirements.txt: `yugabyte_pycommon` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproduc"}, "fullDescription": {"text": "Replace `yugabyte_pycommon` with `yugabyte_pycommon==<version>` and manage upgrades through PRs / Dependabot."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "[MINED109] Mutable default argument in `ProcessFile` (list): `def ProcessFile(... = []/{}/set())` \u2014 Python's default val", "shortDescription": {"text": "[MINED109] Mutable default argument in `ProcessFile` (list): `def ProcessFile(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for e"}, "fullDescription": {"text": "Use None as the default and create the collection inside the function: `def ProcessFile(x=None): x = x or []`"}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB009", "name": "sitemap.xml is not valid XML", "shortDescription": {"text": "sitemap.xml is not valid XML"}, "fullDescription": {"text": "Regenerate sitemap.xml with valid XML and validate it before deploy."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `ts` image has no explicit tag", "shortDescription": {"text": "Compose service `ts` image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `anon-how-to-pandocker` image uses the latest tag", "shortDescription": {"text": "Compose service `anon-how-to-pandocker` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKC005", "name": "Compose service adds dangerous Linux capabilities", "shortDescription": {"text": "Compose service adds dangerous Linux capabilities"}, "fullDescription": {"text": "Drop all capabilities by default and add only narrowly required capabilities after review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKC014", "name": "Database data bind mount is inside the Docker build context", "shortDescription": {"text": "Database data bind mount is inside the Docker build context"}, "fullDescription": {"text": "Prefer a named volume or a host path outside the build context. If a repo-local path is required, add it to .dockerignore and .gitignore and verify backups separately."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR009", "name": "Dockerfile separates apt update from install", "shortDescription": {"text": "Dockerfile separates apt update from install"}, "fullDescription": {"text": "Combine update and install in the same RUN instruction and clean package indexes in that layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR015", "name": "Docker build context is very large", "shortDescription": {"text": "Docker build context is very large"}, "fullDescription": {"text": "Shrink the build context with .dockerignore, move generated/runtime data outside the build context, and copy only the manifest files needed for cached dependency layers."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC119", "name": "[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbo", "shortDescription": {"text": "[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets."}, "fullDescription": {"text": "Use 0600 (owner rw only) for secrets, 0644 for general files, 0700 for directories with secrets. Java: `setReadable(true, true)` (owner-only)."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC037", "name": "[SEC037] Uncontrolled Recursion \u2014 stack/depth exhaustion: Parsing arbitrary-depth user input (XML, JSON, YAML) without a", "shortDescription": {"text": "[SEC037] Uncontrolled Recursion \u2014 stack/depth exhaustion: Parsing arbitrary-depth user input (XML, JSON, YAML) without a depth limit, or recursive function over user-controlled structure. Attacker sends `{\"a\":{\"a\":{\"a\":...10000 levels...}}}"}, "fullDescription": {"text": "Use `defusedxml.ElementTree` instead of `xml.etree.ElementTree` \u2014 it rejects deeply-nested + billion-laughs payloads.\nFor JSON: set a depth limit explicitly:\n  import json\n  data = json.loads(s)  # then validate structure depth manually\nFor YAML: always use `yaml.safe_load`. For recursive code over user input, add an explicit depth counter and bail at depth > 100."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Use environment variables. Add the pattern to .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC034", "name": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines o", "shortDescription": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (S"}, "fullDescription": {"text": "Strip control characters before logging:\n  safe = user_input.replace('\\n','').replace('\\r','').replace('\\x00','')\n  logger.info('User action: %s', safe)\nAlways use parameterized logging (`%s` + args), never f-strings or string concat \u2014 that's also what mitigates log4shell-style attacks. For structured logging, use a JSON formatter that escapes values."}, "properties": {"scanner": "repobility-threat-engine", "category": "log_injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `MakeRelativePathsInFlagsAbsolute` has cognitive complexity 19 (SonarSourc", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `MakeRelativePathsInFlagsAbsolute` has cognitive complexity 19 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean ch"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 19."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC017", "name": "Database password is wired through an environment variable placeholder", "shortDescription": {"text": "Database password is wired through an environment variable placeholder"}, "fullDescription": {"text": "Prefer Compose secrets or your platform secret manager with *_FILE variables where the image supports them. Rotate only if a real value was committed."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.58, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Use `pip install --no-cache-dir ...` in container builds."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC005", "name": "Duplicate top-level symbol appears in a patch-style file", "shortDescription": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "fullDescription": {"text": "Keep one authoritative implementation, update imports to point at it, and remove or rename the duplicate symbol."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 20 more): Same pattern found in 20 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED092", "name": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection.", "shortDescription": {"text": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n  1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is      functionally equivalent to `a+` for matching purposes.\n  2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in      replacement for `re` for most use cases.\n  3. Set a hard timeout: `signal.alarm(1)` before regex eval.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED093", "name": "[MINED093] Java Sql Statement Concat: Statement.executeQuery with concat string = SQL injection.", "shortDescription": {"text": "[MINED093] Java Sql Statement Concat: Statement.executeQuery with concat string = SQL injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-89 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 40 more): Same pattern found in 40 additional files", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED051", "name": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong.", "shortDescription": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED016] Go Error Ignored (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.", "shortDescription": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED071] Go Panic Call (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED077", "name": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.", "shortDescription": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-772 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 29 more): Same pattern found in 29 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 120 more): Same pattern found in 120 a", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 120 more): Same pattern found in 120 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED083", "name": "[MINED083] Java Thread Start (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED083] Java Thread Start (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-664 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED085", "name": "[MINED085] Java Systemexit (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED085] Java Systemexit (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1075 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED081", "name": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr.", "shortDescription": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC116", "name": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input (and 4 more): Same pattern found in 4 additional files. Review", "shortDescription": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Use `YAML.safe_load(input, permitted_classes: [Date])` \u2014 explicit class allowlist. Never use `Marshal.load` on untrusted data; serialize as JSON instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC079", "name": "[SEC079] Python: yaml.load without SafeLoader (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[SEC079] Python: yaml.load without SafeLoader (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `managed/byoc-api-proxy/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `managed/byo", "shortDescription": {"text": "[MINED134] Binary file `managed/byoc-api-proxy/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `managed/byoc-api-proxy/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (46,175 bytes) committed to a repo that otherwise has 12"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `pgxn/pgxn-tools` unpinned: `container/services image: pgxn/pgxn-tools` wit", "shortDescription": {"text": "[MINED126] Workflow container/services image `pgxn/pgxn-tools` unpinned: `container/services image: pgxn/pgxn-tools` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-ch"}, "fullDescription": {"text": "Replace with `pgxn/pgxn-tools@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `postgres:15` not pinned by digest: `FROM postgres:15` resolves the tag at build time. The re", "shortDescription": {"text": "[MINED118] Dockerfile FROM `postgres:15` not pinned by digest: `FROM postgres:15` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should"}, "fullDescription": {"text": "Replace with: `FROM postgres:15@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v2` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "[MINED131] pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v4.5.0`: `.pre-commit", "shortDescription": {"text": "[MINED131] pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v4.5.0`: `.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v4.5.0`. If `{rev}` is a branch or ve"}, "fullDescription": {"text": "Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_destructor: Test function `test_destructor` runs code but contains no assert / ex", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_destructor: Test function `test_destructor` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.__timeout` used but never assigned in __init__: Method `stop_services` of class `YBControl` reads `self", "shortDescription": {"text": "[MINED108] `self.__timeout` used but never assigned in __init__: Method `stop_services` of class `YBControl` reads `self.__timeout`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the fi"}, "fullDescription": {"text": "Initialize `self.__timeout = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKC002", "name": "Compose service uses host networking", "shortDescription": {"text": "Compose service uses host networking"}, "fullDescription": {"text": "Use the default bridge network and explicit ports, or document and isolate the exceptional host requirement."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "Create .dockerignore before using broad context copies, or copy only the required files and directories."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "MINED008", "name": "[MINED008] Swift Force Unwrap: optional! crashes on nil. Use guard let or if let.", "shortDescription": {"text": "[MINED008] Swift Force Unwrap: optional! crashes on nil. Use guard let or if let."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED002", "name": "[MINED002] Dart Null Bang: value! throws on null. Use ?. or null check.", "shortDescription": {"text": "[MINED002] Dart Null Bang: value! throws on null. Use ?. or null check."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in G", "shortDescription": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC088", "name": "[SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification \u2014 MITM r", "shortDescription": {"text": "[SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification \u2014 MITM risk. Ported from gosec G402 (Apache-2.0)."}, "fullDescription": {"text": "Remove the option. If self-signed certs are required, pin via RootCAs."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC080", "name": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-", "shortDescription": {"text": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). Ported from bandit B202 (Apache-2.0)."}, "fullDescription": {"text": "Add `filter='data'` (Python \u2265 3.12) or manually validate member paths against `os.path.abspath`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC093", "name": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported", "shortDescription": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "fullDescription": {"text": "Use a constant command name and validate args via a whitelist."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED033", "name": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.", "shortDescription": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED036", "name": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping.", "shortDescription": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED040", "name": "[MINED040] Python Yaml Load Unsafe: yaml.load(stream) without SafeLoader can deserialize arbitrary classes.", "shortDescription": {"text": "[MINED040] Python Yaml Load Unsafe: yaml.load(stream) without SafeLoader can deserialize arbitrary classes."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, ", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED125", "name": "[MINED125] GHA script injection via github.head_ref in run-step: Multi-line `run: |` block interpolates ${{ github.head_", "shortDescription": {"text": "[MINED125] GHA script injection via github.head_ref in run-step: Multi-line `run: |` block interpolates ${{ github.head_ref }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "fullDescription": {"text": "Capture the field into an env var first; reference $ENV_VAR in shell."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `copy` used but not imported: The file uses `copy.something(...)` but never imports `copy`. T", "shortDescription": {"text": "[MINED107] Missing import: `copy` used but not imported: The file uses `copy.something(...)` but never imports `copy`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import copy` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1323"}, "properties": {"repository": "yugabyte/yugabyte-db", "repoUrl": "https://github.com/yugabyte/yugabyte-db", "branch": "master"}, "results": [{"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `yugabyte_pycommon` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135373, "scanner": "repobility-supply-chain", "fingerprint": "ec07ab34a1c691540e430fe1a59198fca08f89c9d4bb76ed584b07ac5ab14837", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ec07ab34a1c691540e430fe1a59198fca08f89c9d4bb76ed584b07ac5ab14837"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `wheel` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135372, "scanner": "repobility-supply-chain", "fingerprint": "5d6fb04d220764a428fa83ae5f219aafd364a19a4eec78f68dc47b2ea356f04e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5d6fb04d220764a428fa83ae5f219aafd364a19a4eec78f68dc47b2ea356f04e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `watchdog` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135371, "scanner": "repobility-supply-chain", "fingerprint": "8fa8bbae19f59dbacf811c42896871da029be141306c5910b36d0d1f34ab1465", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8fa8bbae19f59dbacf811c42896871da029be141306c5910b36d0d1f34ab1465"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `types-requests` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135370, "scanner": "repobility-supply-chain", "fingerprint": "d481621c34b694395d59823047f07b11a1941b38ae997a1a8151e5b336f385f8", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d481621c34b694395d59823047f07b11a1941b38ae997a1a8151e5b336f385f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `types-psutil` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135369, "scanner": "repobility-supply-chain", "fingerprint": "fa686d4c11a5bc707d1ca23cfab01da02d1e004b752ef63d9a8822fca408c98c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fa686d4c11a5bc707d1ca23cfab01da02d1e004b752ef63d9a8822fca408c98c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `sys-detection` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135368, "scanner": "repobility-supply-chain", "fingerprint": "f83d6e33c90145155acb3d07a8b85a05d38e68727f04b3cf5b0b0e230bc62a27", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f83d6e33c90145155acb3d07a8b85a05d38e68727f04b3cf5b0b0e230bc62a27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `six` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135367, "scanner": "repobility-supply-chain", "fingerprint": "35d86e76ec16153f93c7e0cdab912d30031940f5151fa49253b03a42242caa1d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|35d86e76ec16153f93c7e0cdab912d30031940f5151fa49253b03a42242caa1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `semantic-version` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135366, "scanner": "repobility-supply-chain", "fingerprint": "ad671854f8c1dc24e22fc94ae7744ed3b7447bedbbdc5a54e8897c5534a68655", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad671854f8c1dc24e22fc94ae7744ed3b7447bedbbdc5a54e8897c5534a68655"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `ruamel.yaml` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135365, "scanner": "repobility-supply-chain", "fingerprint": "2d7904c6736aef3332ba6e530675ce11a90c9c36183727e6f75841248cac33c8", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2d7904c6736aef3332ba6e530675ce11a90c9c36183727e6f75841248cac33c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pytest` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135364, "scanner": "repobility-supply-chain", "fingerprint": "099d22a649600b0b07ecf72494a4232a91747dbd639b4668a8df53e6d42f5727", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|099d22a649600b0b07ecf72494a4232a91747dbd639b4668a8df53e6d42f5727"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pygithub` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135363, "scanner": "repobility-supply-chain", "fingerprint": "dab7ca7259e421ca5c025f1906968defa8c07a2703d9c28df445d30e93124385", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dab7ca7259e421ca5c025f1906968defa8c07a2703d9c28df445d30e93124385"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pycodestyle` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135362, "scanner": "repobility-supply-chain", "fingerprint": "bf1c95c838fbda46d5cbd30ad41a9b0068a6e5475ee0c1bd7923472bc9aa1f1f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf1c95c838fbda46d5cbd30ad41a9b0068a6e5475ee0c1bd7923472bc9aa1f1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `psutil` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135361, "scanner": "repobility-supply-chain", "fingerprint": "05f12bba1b186db1444d0ce408e9f0376d65e5a109e26684502526439cff255b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|05f12bba1b186db1444d0ce408e9f0376d65e5a109e26684502526439cff255b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `packaging` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135360, "scanner": "repobility-supply-chain", "fingerprint": "8ce37952c81e72f0578f0afb37b4b0a4659dcd0b27d789013409f6240515088b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8ce37952c81e72f0578f0afb37b4b0a4659dcd0b27d789013409f6240515088b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `overrides` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135359, "scanner": "repobility-supply-chain", "fingerprint": "a8d45c3887c45577f513d1dfb3fde675dd9e7cb2233b05288dd03fa183200c33", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a8d45c3887c45577f513d1dfb3fde675dd9e7cb2233b05288dd03fa183200c33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `mypy` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135358, "scanner": "repobility-supply-chain", "fingerprint": "c4a2be0d53c8c89cfcd56cebbea65dde4d8dc58cd09618f1f5f8fa17a300e013", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c4a2be0d53c8c89cfcd56cebbea65dde4d8dc58cd09618f1f5f8fa17a300e013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `llvm-installer` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135357, "scanner": "repobility-supply-chain", "fingerprint": "1bf376ed88f97a75943e3be17c7e782359c665798e532dd975eb22ca405db0ea", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1bf376ed88f97a75943e3be17c7e782359c665798e532dd975eb22ca405db0ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `downloadutil` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135356, "scanner": "repobility-supply-chain", "fingerprint": "ed01f0e00722e9b8b012f1a08236c104b328a18937c43c09799a6d9590de5fc8", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ed01f0e00722e9b8b012f1a08236c104b328a18937c43c09799a6d9590de5fc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `distro` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135355, "scanner": "repobility-supply-chain", "fingerprint": "171b4887abd82252eec043e93d4ea98d3deafd7340b6ecf0ae9a89338b09f79c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|171b4887abd82252eec043e93d4ea98d3deafd7340b6ecf0ae9a89338b09f79c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `compiler-identification` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135354, "scanner": "repobility-supply-chain", "fingerprint": "f545909399ba49eebce2e63a28a17f4dcbf26e922a09a25146019a08678932fa", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f545909399ba49eebce2e63a28a17f4dcbf26e922a09a25146019a08678932fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `compiledb` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135353, "scanner": "repobility-supply-chain", "fingerprint": "dd07bd8363911fa920d2fcc74aed2793a7c3c1400e12897cf12037898f81038d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dd07bd8363911fa920d2fcc74aed2793a7c3c1400e12897cf12037898f81038d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `codecheck` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135352, "scanner": "repobility-supply-chain", "fingerprint": "cec93c76b8172231362823432385c82dc09632cbd893631be2d6edba88baa2b0", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cec93c76b8172231362823432385c82dc09632cbd893631be2d6edba88baa2b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `botocore` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135351, "scanner": "repobility-supply-chain", "fingerprint": "28d157f549568fe49bc290cbac26508d95a039573938eace0729b03c351c3591", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|28d157f549568fe49bc290cbac26508d95a039573938eace0729b03c351c3591"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `boto` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135350, "scanner": "repobility-supply-chain", "fingerprint": "9145e0efda8bfb736f64bb4f6ac7a82b5075a06b9c82502f7fcd8ab3d974b828", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9145e0efda8bfb736f64bb4f6ac7a82b5075a06b9c82502f7fcd8ab3d974b828"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `autorepr` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 135349, "scanner": "repobility-supply-chain", "fingerprint": "5642dc87b7b3d181314ade09436cc53b954083453802edc14b5a1916d789f644", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5642dc87b7b3d181314ade09436cc53b954083453802edc14b5a1916d789f644"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `ProcessFile` (list): `def ProcessFile(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 135347, "scanner": "repobility-ast-engine", "fingerprint": "e7a39839f7ed4243c32cd6e0dcf1ee5a52cdbf287330817723396eb114763387", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e7a39839f7ed4243c32cd6e0dcf1ee5a52cdbf287330817723396eb114763387"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lint/cpplint.py"}, "region": {"startLine": 6367}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `ProcessFileData` (list): `def ProcessFileData(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 135346, "scanner": "repobility-ast-engine", "fingerprint": "a32ea92385d67184ba4b1ce42fdc60eadd2a7593a30e773ef1ad313ef9ef48c5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a32ea92385d67184ba4b1ce42fdc60eadd2a7593a30e773ef1ad313ef9ef48c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lint/cpplint.py"}, "region": {"startLine": 6234}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `ProcessLine` (list): `def ProcessLine(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 135345, "scanner": "repobility-ast-engine", "fingerprint": "3bea6a8cab962aaa5aa20a22592cfffa67f05e0e288631e76b3b4fba39530541", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3bea6a8cab962aaa5aa20a22592cfffa67f05e0e288631e76b3b4fba39530541"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lint/cpplint.py"}, "region": {"startLine": 6083}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `process_pdf_data` (dict): `def process_pdf_data(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 135331, "scanner": "repobility-ast-engine", "fingerprint": "1237ff81844a2b130845064269cfcfc0fd57a7a4135ec0904463b0bdd434cc9a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1237ff81844a2b130845064269cfcfc0fd57a7a4135ec0904463b0bdd434cc9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/ai/rag_agent/pdf_processing/process_pdf.py"}, "region": {"startLine": 186}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `stream_partition_and_chunk` (dict): `def stream_partition_and_chunk(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 135330, "scanner": "repobility-ast-engine", "fingerprint": "3df8aba9e869598aa29a50da29ba41cb54ab0207e3648e1374882ab18ea1f2a2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3df8aba9e869598aa29a50da29ba41cb54ab0207e3648e1374882ab18ea1f2a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/ai/rag_agent/rag_pipeline/partition_chunk_pipeline.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `process_html_data` (dict): `def process_html_data(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 135329, "scanner": "repobility-ast-engine", "fingerprint": "b77ed391f13a872f74f5bb154100c7670116e2263f3f324e980dc862069c3cab", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b77ed391f13a872f74f5bb154100c7670116e2263f3f324e980dc862069c3cab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/ai/rag_agent/html_processing/process_html.py"}, "region": {"startLine": 173}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `sync_inline_thirdparty` (list): `def sync_inline_thirdparty(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 135328, "scanner": "repobility-ast-engine", "fingerprint": "ec853be5681f1ddce0248b81f1e1abe310a1dcb9dc6604e851af08a2ca56255e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ec853be5681f1ddce0248b81f1e1abe310a1dcb9dc6604e851af08a2ca56255e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/yugabyte/inline_thirdparty.py"}, "region": {"startLine": 239}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `set_env_on_spark_worker` (dict): `def set_env_on_spark_worker(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 135327, "scanner": "repobility-ast-engine", "fingerprint": "2998b8bd653de3addfed0f3eab83f4f6b5c18144ec4b1ea163e6bb41cb4fa004", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2998b8bd653de3addfed0f3eab83f4f6b5c18144ec4b1ea163e6bb41cb4fa004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/yugabyte/yb_dist_tests.py"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `download_url` (list): `def download_url(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 135325, "scanner": "repobility-ast-engine", "fingerprint": "d5b0c881e0e027550a044d5ab72e268780703339629b8870162114517e1c1e94", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d5b0c881e0e027550a044d5ab72e268780703339629b8870162114517e1c1e94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/yugabyte/download_and_extract_archive.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `__init__` (list): `def __init__(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 135324, "scanner": "repobility-ast-engine", "fingerprint": "4aedb49bd00b011b5056d029e04660c1d086125fc665ec059d2abeb0404798ff", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4aedb49bd00b011b5056d029e04660c1d086125fc665ec059d2abeb0404798ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/yugabyte/lto.py"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `get_obj_paths_from_static_library` (list): `def get_obj_paths_from_static_library(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 135323, "scanner": "repobility-ast-engine", "fingerprint": "bc2e16ad9e8081ce3810b9020d4a1925c11faa6ee2cb7832d828e1f2b4fe9916", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bc2e16ad9e8081ce3810b9020d4a1925c11faa6ee2cb7832d828e1f2b4fe9916"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/yugabyte/lto.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `init_spark_context` (list): `def init_spark_context(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 135322, "scanner": "repobility-ast-engine", "fingerprint": "75d7c145e14228a0949c5ee7410310346a006d38d340c266fa9812fe1633fa6b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|75d7c145e14228a0949c5ee7410310346a006d38d340c266fa9812fe1633fa6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/yugabyte/run_tests_on_spark.py"}, "region": {"startLine": 275}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `__init__` (list): `def __init__(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 135312, "scanner": "repobility-ast-engine", "fingerprint": "aa9b13114ad953e4f49dd5e8f48ce6373b555968351d467c924afef19a8c561f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aa9b13114ad953e4f49dd5e8f48ce6373b555968351d467c924afef19a8c561f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/cloud/common/command.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135311, "scanner": "repobility-ast-engine", "fingerprint": "a10d42f4e752127494b6538a0f0c7ba9fe22ed1ee12a6b8f78ff482af3911bd6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a10d42f4e752127494b6538a0f0c7ba9fe22ed1ee12a6b8f78ff482af3911bd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/cloud/aws/utils.py"}, "region": {"startLine": 304}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135309, "scanner": "repobility-ast-engine", "fingerprint": "a19be648f498a5adf70997551e729a4a1eddf7065ce0b9a055d8ce59875653b3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a19be648f498a5adf70997551e729a4a1eddf7065ce0b9a055d8ce59875653b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/cloud/azure/method.py"}, "region": {"startLine": 291}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `create_or_update_vm` (list): `def create_or_update_vm(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 135308, "scanner": "repobility-ast-engine", "fingerprint": "98f6961e00f92199da2afc6716272ebf4db205975857de1bf7c30d7f20e57450", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|98f6961e00f92199da2afc6716272ebf4db205975857de1bf7c30d7f20e57450"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/cloud/azure/utils.py"}, "region": {"startLine": 890}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `_create_instance` (list): `def _create_instance(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 135307, "scanner": "repobility-ast-engine", "fingerprint": "b4a92cd0bba1a68fe7bf0936ea8207df3285909e4dc8f7da52d99df583e13c9c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b4a92cd0bba1a68fe7bf0936ea8207df3285909e4dc8f7da52d99df583e13c9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/cloud/azure/utils.py"}, "region": {"startLine": 863}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `change_instance_type` (list): `def change_instance_type(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 135306, "scanner": "repobility-ast-engine", "fingerprint": "0b8c301760c8ec5bd9542c96943c24611a505377c39141c5436677aa403444b6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0b8c301760c8ec5bd9542c96943c24611a505377c39141c5436677aa403444b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/cloud/azure/utils.py"}, "region": {"startLine": 747}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `network` (dict): `def network(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 135305, "scanner": "repobility-ast-engine", "fingerprint": "89ba85d0995923f42dbe956a5aa74cca1c671206b83605a9180d9659d8623205", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|89ba85d0995923f42dbe956a5aa74cca1c671206b83605a9180d9659d8623205"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/cloud/azure/utils.py"}, "region": {"startLine": 430}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135304, "scanner": "repobility-ast-engine", "fingerprint": "89e3e29f6a9ecfe939fd0e443aa05d293d5d51b535ca26b000ae34a5b52650df", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|89e3e29f6a9ecfe939fd0e443aa05d293d5d51b535ca26b000ae34a5b52650df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/cloud/oci/cloud.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135303, "scanner": "repobility-ast-engine", "fingerprint": "0e28613d4c034ecf52c3eb3d99102f406195b818da3e1d55955169f98c4bc09e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0e28613d4c034ecf52c3eb3d99102f406195b818da3e1d55955169f98c4bc09e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/scripts/generateMetadataFiles.py"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135302, "scanner": "repobility-ast-engine", "fingerprint": "baeae6d02e9e09bd8a150e4f309b78639d183c911ee8b77dc777b1c24441c5a0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|baeae6d02e9e09bd8a150e4f309b78639d183c911ee8b77dc777b1c24441c5a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/scripts/generateMetadataFiles.py"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135301, "scanner": "repobility-ast-engine", "fingerprint": "ccc3842e3a4618e074a373c5139be98a71dbe93036ce09e674317f2c897c6bee", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ccc3842e3a4618e074a373c5139be98a71dbe93036ce09e674317f2c897c6bee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/scripts/generateMetadataFiles.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135300, "scanner": "repobility-ast-engine", "fingerprint": "525295ba8a86cb254bb65fb5f8756a4d4a9fa7fc7ccf9812b1deda4f500d5ff2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|525295ba8a86cb254bb65fb5f8756a4d4a9fa7fc7ccf9812b1deda4f500d5ff2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/scripts/generateMetadataFiles.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135299, "scanner": "repobility-ast-engine", "fingerprint": "b8199400625ae7f8a074f0f5c92a55e950f5e3c6601153a662fcb12229d6f96a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b8199400625ae7f8a074f0f5c92a55e950f5e3c6601153a662fcb12229d6f96a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/scripts/generateMetadataFiles.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135298, "scanner": "repobility-ast-engine", "fingerprint": "bd4e75df1b40dc8ab44cf05d98e2cd951e19efe5d2b9fc38c4fcbd74a00fb157", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bd4e75df1b40dc8ab44cf05d98e2cd951e19efe5d2b9fc38c4fcbd74a00fb157"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/utils/remote_shell.py"}, "region": {"startLine": 322}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135297, "scanner": "repobility-ast-engine", "fingerprint": "64c21aeb114bfda0b2c8402ca78f8ee900cd383b4d79a0451c069b8ae7416cb4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|64c21aeb114bfda0b2c8402ca78f8ee900cd383b4d79a0451c069b8ae7416cb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/utils/remote_shell.py"}, "region": {"startLine": 244}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `promote_release` (list): `def promote_release(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 135296, "scanner": "repobility-ast-engine", "fingerprint": "1a1ff58cb19d1b5412f852eac7483c81dc5c95ff2f98e6377492f8c510818e2b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1a1ff58cb19d1b5412f852eac7483c81dc5c95ff2f98e6377492f8c510818e2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/utils/replicated.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135294, "scanner": "repobility-ast-engine", "fingerprint": "3fe99b427be72c917a60260e7a96fa6f28f226c0f11e5727611b99c8240ad2a5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3fe99b427be72c917a60260e7a96fa6f28f226c0f11e5727611b99c8240ad2a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/bin/yb_backup.py"}, "region": {"startLine": 3650}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135293, "scanner": "repobility-ast-engine", "fingerprint": "1dd172c94d1f79f86b0f7540c76f11f029a179b891cfbd4005969bd9408d138e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1dd172c94d1f79f86b0f7540c76f11f029a179b891cfbd4005969bd9408d138e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/bin/yb_backup.py"}, "region": {"startLine": 2994}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135292, "scanner": "repobility-ast-engine", "fingerprint": "09bd61a7f35603782368ad0314e2826c39be4eb9f7e728da5b5d3fdf879681d3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|09bd61a7f35603782368ad0314e2826c39be4eb9f7e728da5b5d3fdf879681d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/bin/yb_backup.py"}, "region": {"startLine": 4121}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `run_ssh_cmd` (dict): `def run_ssh_cmd(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 135291, "scanner": "repobility-ast-engine", "fingerprint": "0537a858a72958c55a947aefd0f75adafb1006d73e48750fc5c35dce66dfcb5f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0537a858a72958c55a947aefd0f75adafb1006d73e48750fc5c35dce66dfcb5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/bin/yb_backup.py"}, "region": {"startLine": 2298}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `run_tool` (dict): `def run_tool(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 135290, "scanner": "repobility-ast-engine", "fingerprint": "1f7738e2cbee9eb78149610107bed9ccdf0b07eb6a66e10c9cbc29c8b56eac1e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1f7738e2cbee9eb78149610107bed9ccdf0b07eb6a66e10c9cbc29c8b56eac1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/bin/yb_backup.py"}, "region": {"startLine": 1788}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135289, "scanner": "repobility-ast-engine", "fingerprint": "7dfef621c1120b9fc8ff09a160ad7729cc6713329fd57b0e82a491249ce0b00d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7dfef621c1120b9fc8ff09a160ad7729cc6713329fd57b0e82a491249ce0b00d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/bin/yb_netprob.py"}, "region": {"startLine": 374}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135288, "scanner": "repobility-ast-engine", "fingerprint": "20748ef630a417a055c770dacb6893a2d23ea79722ba6d0a3f7cd18d18819f7f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|20748ef630a417a055c770dacb6893a2d23ea79722ba6d0a3f7cd18d18819f7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/bin/yb_netprob.py"}, "region": {"startLine": 280}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135287, "scanner": "repobility-ast-engine", "fingerprint": "3f49f8a78708e444b6b2d7bc1a90bde0da98ac483db916457568d54fc690b6ae", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3f49f8a78708e444b6b2d7bc1a90bde0da98ac483db916457568d54fc690b6ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/bin/yb_netprob.py"}, "region": {"startLine": 252}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135286, "scanner": "repobility-ast-engine", "fingerprint": "d3981aec46dd510d988098dce5d5c332bbda1fe2f903e56dbf81ff376fdfb230", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d3981aec46dd510d988098dce5d5c332bbda1fe2f903e56dbf81ff376fdfb230"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/bin/yb_platform_util.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135285, "scanner": "repobility-ast-engine", "fingerprint": "d2fe15d64f0999c70c1a23e64b5d4fe75fd16e73b7108522f9c3780f209f4ffe", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d2fe15d64f0999c70c1a23e64b5d4fe75fd16e73b7108522f9c3780f209f4ffe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/bin/run_node_action.py"}, "region": {"startLine": 449}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135284, "scanner": "repobility-ast-engine", "fingerprint": "d3c47916c59b2cb41bc545bcea1e2fb31400c6c7c7b7a12ef1d0b3097640a39d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d3c47916c59b2cb41bc545bcea1e2fb31400c6c7c7b7a12ef1d0b3097640a39d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/bin/run_node_action.py"}, "region": {"startLine": 431}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135283, "scanner": "repobility-ast-engine", "fingerprint": "0a3fe0bc00dc9b23dafb2afce5575dc5194c0b0e69921c5a727d319105fda441", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0a3fe0bc00dc9b23dafb2afce5575dc5194c0b0e69921c5a727d319105fda441"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/ybops/node_agent/rpc.py"}, "region": {"startLine": 378}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135282, "scanner": "repobility-ast-engine", "fingerprint": "bb52f2249075d028748dd82415de072acfc2bd1fe47d422d84b2fbc94643e264", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bb52f2249075d028748dd82415de072acfc2bd1fe47d422d84b2fbc94643e264"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/ybops/node_agent/rpc.py"}, "region": {"startLine": 292}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135281, "scanner": "repobility-ast-engine", "fingerprint": "03611fd572944cf316cee50b300ebc24949756dd0b6c0209667cdf1c893eaa54", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|03611fd572944cf316cee50b300ebc24949756dd0b6c0209667cdf1c893eaa54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/ybops/node_agent/rpc.py"}, "region": {"startLine": 247}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135280, "scanner": "repobility-ast-engine", "fingerprint": "75a4d100d7edbfc7a66b92921f31fa9487df8fb2c9da600fd4fa3f8b2c29d89d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|75a4d100d7edbfc7a66b92921f31fa9487df8fb2c9da600fd4fa3f8b2c29d89d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/ybops/node_agent/rpc.py"}, "region": {"startLine": 194}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135278, "scanner": "repobility-ast-engine", "fingerprint": "56fdaab4f634a84aa8d1187b78da7624d3463b429c26363a4d3ee797715fc961", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|56fdaab4f634a84aa8d1187b78da7624d3463b429c26363a4d3ee797715fc961"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/k8s_ybc_parent.py"}, "region": {"startLine": 160}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 135251, "scanner": "repobility-ast-engine", "fingerprint": "d41f7438217456862da3523fdb3881cec9a47053ad20c97a1907258e87c3edd0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d41f7438217456862da3523fdb3881cec9a47053ad20c97a1907258e87c3edd0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-support/lint.py"}, "region": {"startLine": 430}}}]}, {"ruleId": "WEB009", "level": "warning", "message": {"text": "sitemap.xml is not valid XML"}, "properties": {"repobilityId": 135250, "scanner": "repobility-web-presence", "fingerprint": "9e54fa7529c30d3c706fe47ba78dec41cecb15a00d9aff3ebcc452f55d7e2782", "category": "quality", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "XML parser could not parse sitemap content.", "evidence": {"rule_id": "WEB009", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|9e54fa7529c30d3c706fe47ba78dec41cecb15a00d9aff3ebcc452f55d7e2782"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/layouts/sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 135248, "scanner": "repobility-journey-contract", "fingerprint": "3183746951d64f58f51328847b602fa0555f8166896dc80c3dd408027d880f12", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|managed/ui/src/routes.jsx|100|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/src/routes.jsx"}, "region": {"startLine": 100}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 135247, "scanner": "repobility-journey-contract", "fingerprint": "f4015039cea353a667814e68c953f837b5c610aa651f1c084f374303e119051d", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|managed/ui/src/config.js|29|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/src/config.js"}, "region": {"startLine": 29}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 135246, "scanner": "repobility-journey-contract", "fingerprint": "5c9f33cac7f8a5d41632edb286916e5b1b9fb072227d16bb51c4eefc175e6aa7", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|55|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/src/components/restore/GlobalRestoreModal.tsx"}, "region": {"startLine": 55}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 135245, "scanner": "repobility-journey-contract", "fingerprint": "c0255d02ed5828535faebfa2bb2c23e6ec34de321b456b15ff354e320229d752", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|40|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/src/components/profile/UserProfileForm.jsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 135244, "scanner": "repobility-journey-contract", "fingerprint": "71355bf7e5857530b7acf44d74ec97ad04b1ab0b389bd5ce30b5cbd61ad2dac7", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|24|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/src/components/common/forms/RegisterForm/RegisterFormContainer.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 135243, "scanner": "repobility-journey-contract", "fingerprint": "820666d7d0751f7c7114837c840c3733c08fb43ad0377d1dde66e056a6f67879", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|28|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/src/components/common/forms/LoginForm/LoginFormContainer.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 135242, "scanner": "repobility-journey-contract", "fingerprint": "0d0fc8a285db241a1b2eec487bd52310a87469edd51304e2efd1a9b969e545a0", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|855|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/src/actions/universe.js"}, "region": {"startLine": 855}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 135241, "scanner": "repobility-journey-contract", "fingerprint": "23ecd461fccedddf885e03215b5c257107d36756e854cfdedd3f264fd3e55b15", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|216|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/src/actions/customers.js"}, "region": {"startLine": 216}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 135240, "scanner": "repobility-journey-contract", "fingerprint": "5cd49485e8925d7ccea7864b376fb1a5474c68ae22e2863084507fa8972751d0", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|212|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/src/actions/customers.js"}, "region": {"startLine": 212}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `ts` image has no explicit tag"}, "properties": {"repobilityId": 135237, "scanner": "repobility-docker", "fingerprint": "59b68bef4d7e40a1d159794ee5321455579f74a6de6976b6fbf03dca6db66e51", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "quay.io/yugabyte/yb-troubleshooting-service", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|59b68bef4d7e40a1d159794ee5321455579f74a6de6976b6fbf03dca6db66e51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "troubleshoot/backend/docker/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 135235, "scanner": "repobility-docker", "fingerprint": "ab689941b2b8f080be33c630edfc3871181b9cb77cd8ea9199123bfd905173a4", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|ab689941b2b8f080be33c630edfc3871181b9cb77cd8ea9199123bfd905173a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "troubleshoot/backend/docker/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `anon-how-to-pandocker` image uses the latest tag"}, "properties": {"repobilityId": 135233, "scanner": "repobility-docker", "fingerprint": "daa6f1fcc7c6a2854eb1e9f99b6debd2ee3b7981c4cd690271f25d984617ec7b", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "dalibo/pandocker:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|daa6f1fcc7c6a2854eb1e9f99b6debd2ee3b7981c4cd690271f25d984617ec7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/postgresql_anonymizer/docs/how-to/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 135231, "scanner": "repobility-docker", "fingerprint": "855f23f1c139954d5a34789d13717ed22a8f06a5e0c893f500433f87215299c5", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "PostgreSQL", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|855f23f1c139954d5a34789d13717ed22a8f06a5e0c893f500433f87215299c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/postgresql_anonymizer/docker/docker-compose.yml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `PostgreSQL` image has no explicit tag"}, "properties": {"repobilityId": 135228, "scanner": "repobility-docker", "fingerprint": "b2cdf6b94219c840f1dacf19333a1a8c2de93d16c3e82f12590291b74e347c70", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "registry.gitlab.com/dalibo/postgresql_anonymizer", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b2cdf6b94219c840f1dacf19333a1a8c2de93d16c3e82f12590291b74e347c70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/postgresql_anonymizer/docker/docker-compose.yml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `fake-gcs-server` image has no explicit tag"}, "properties": {"repobilityId": 135224, "scanner": "repobility-docker", "fingerprint": "22f9b999df20ba8ed4522a259d6bc6d531dd749dc6ec8a56019f14a0f1a2b260", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "tustvold/fake-gcs-server", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|22f9b999df20ba8ed4522a259d6bc6d531dd749dc6ec8a56019f14a0f1a2b260"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_parquet/.devcontainer/docker-compose.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `webdav` image has no explicit tag"}, "properties": {"repobilityId": 135222, "scanner": "repobility-docker", "fingerprint": "23ade4db1888e7177a26826b5ccf9ec6088129a56de0fc73d39bc47991fca986", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "rclone/rclone", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|23ade4db1888e7177a26826b5ccf9ec6088129a56de0fc73d39bc47991fca986"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_parquet/.devcontainer/docker-compose.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `azurite` image has no explicit tag"}, "properties": {"repobilityId": 135220, "scanner": "repobility-docker", "fingerprint": "b908c6ef57fe0647b277bd264a603510577951eedbdd6e60025c1a5ad566f2ab", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "mcr.microsoft.com/azure-storage/azurite", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b908c6ef57fe0647b277bd264a603510577951eedbdd6e60025c1a5ad566f2ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_parquet/.devcontainer/docker-compose.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 135219, "scanner": "repobility-docker", "fingerprint": "d57d689151348cc26ccbed59c941bacae9badd0818feee0d69fb91e61ba58853", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "minio", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|d57d689151348cc26ccbed59c941bacae9badd0818feee0d69fb91e61ba58853", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_parquet/.devcontainer/docker-compose.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `minio` image has no explicit tag"}, "properties": {"repobilityId": 135217, "scanner": "repobility-docker", "fingerprint": "e3b5db62c3f8003e39ac9ee4d6bdfe8903fd835b7f6384fab1d4814be673de8b", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "minio/minio", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e3b5db62c3f8003e39ac9ee4d6bdfe8903fd835b7f6384fab1d4814be673de8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_parquet/.devcontainer/docker-compose.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "DKC016", "level": "warning", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 135216, "scanner": "repobility-docker", "fingerprint": "9862af8b594f596b53aa38d191d1c0bd59fb7fc5cccb891e26070b3806de45f2", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dependency database has a healthcheck but the app does not use condition: service_healthy.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "app", "dependency": "minio", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|9862af8b594f596b53aa38d191d1c0bd59fb7fc5cccb891e26070b3806de45f2", "dependency_has_healthcheck": true}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_parquet/.devcontainer/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC005", "level": "warning", "message": {"text": "Compose service adds dangerous Linux capabilities"}, "properties": {"repobilityId": 135213, "scanner": "repobility-docker", "fingerprint": "e7bc24a6ac9534aac4170504bb2267213bb69c543dbc1a7b0b86d51ebaf89a15", "category": "docker", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "cap_add includes broad or sensitive Linux capabilities.", "evidence": {"rule_id": "DKC005", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "capabilities": ["SYS_PTRACE"], "correlation_key": "fp|e7bc24a6ac9534aac4170504bb2267213bb69c543dbc1a7b0b86d51ebaf89a15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_parquet/.devcontainer/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC014", "level": "warning", "message": {"text": "Database data bind mount is inside the Docker build context"}, "properties": {"repobilityId": 135210, "scanner": "repobility-docker", "fingerprint": "492ad5462157b591d229fa22b5a9a4340e1dd245fa1d3126efa5d02a2e75c6c5", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database data directory is mounted from a relative path that is not excluded by .dockerignore.", "evidence": {"source": "./docker/postgresql.conf", "target": "/etc/postgresql/postgresql.conf", "rule_id": "DKC014", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/engine/storage/volumes/", "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|492ad5462157b591d229fa22b5a9a4340e1dd245fa1d3126efa5d02a2e75c6c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_duckdb/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 135207, "scanner": "repobility-docker", "fingerprint": "d6636a79ddcdbcba7a0aeb9b77f6a1408ef17fca4d6a0beae9caf2b48b42fd7d", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|d6636a79ddcdbcba7a0aeb9b77f6a1408ef17fca4d6a0beae9caf2b48b42fd7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/mage/drivers/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `nginx` image uses the latest tag"}, "properties": {"repobilityId": 135194, "scanner": "repobility-docker", "fingerprint": "da7efe5e9f4d979f927dffb6e83d57842b9bbba67f01501b30f5e74f3e2bd177", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "nginx:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|da7efe5e9f4d979f927dffb6e83d57842b9bbba67f01501b30f5e74f3e2bd177"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/docker-compose.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 135193, "scanner": "repobility-docker", "fingerprint": "223c2dd25ebac80f590adc198213b89dc435aedccd2cde52d18c2a4394c49d31", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|223c2dd25ebac80f590adc198213b89dc435aedccd2cde52d18c2a4394c49d31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/docker-compose.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `postgres` image uses the latest tag"}, "properties": {"repobilityId": 135190, "scanner": "repobility-docker", "fingerprint": "f4b6084558fe5c9dc3f1c4de6f6771bf68cd9d243eebdc7904e0df5b82e861ce", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "postgres:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f4b6084558fe5c9dc3f1c4de6f6771bf68cd9d243eebdc7904e0df5b82e861ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/docker-compose.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `thirdparty-deps` image uses the latest tag"}, "properties": {"repobilityId": 135189, "scanner": "repobility-docker", "fingerprint": "578ec4b945bb65bc80e78b06b54136756d5bf24e72a912fb951d268b8c334455", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "quay.io/yugabyte/thirdparty-deps:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|578ec4b945bb65bc80e78b06b54136756d5bf24e72a912fb951d268b8c334455"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/docker-compose.yml"}, "region": {"startLine": 95}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `yugabyte-base` image uses the latest tag"}, "properties": {"repobilityId": 135188, "scanner": "repobility-docker", "fingerprint": "16cef2fb536bfc8934334905f68635587dbe2aff711c76b31412b0a071ea826b", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "quay.io/yugabyte/base-image:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|16cef2fb536bfc8934334905f68635587dbe2aff711c76b31412b0a071ea826b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/docker-compose.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `yugaware` image uses the latest tag"}, "properties": {"repobilityId": 135184, "scanner": "repobility-docker", "fingerprint": "e9470b746a3f0d8d1575d9d445aec4e140774d0647e65c1b4fb427446fa20110", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "quay.io/yugabyte/yugaware:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e9470b746a3f0d8d1575d9d445aec4e140774d0647e65c1b4fb427446fa20110"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/docker-compose.yml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 135181, "scanner": "repobility-docker", "fingerprint": "a09aeaade82303f2b07b3879da4e67f88a54df0654086d37164699b4222e2ba6", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "eclipse-temurin:17-jdk", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a09aeaade82303f2b07b3879da4e67f88a54df0654086d37164699b4222e2ba6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "troubleshoot/backend/docker/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 135179, "scanner": "repobility-docker", "fingerprint": "f275d75c06bbedf04e5c21f07902b3e836a48a4d6b5121ddb38baf70039ef909", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "buildpack-deps:wheezy", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f275d75c06bbedf04e5c21f07902b3e836a48a4d6b5121ddb38baf70039ef909"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/yb/rocksdb/tools/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 135178, "scanner": "repobility-docker", "fingerprint": "34c98be58cae0989c02bffe3045eccc3181d8ecab6cab50e45d7c5ac3bee83aa", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "postgres:$PG_MAJOR_VERSION", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|34c98be58cae0989c02bffe3045eccc3181d8ecab6cab50e45d7c5ac3bee83aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/postgresql_anonymizer/docker/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 135175, "scanner": "repobility-docker", "fingerprint": "7b5cf2c0d3e8361572eec70bc3623778c5264a2d8edd4262ad4aac890db0a8f0", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "golang:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7b5cf2c0d3e8361572eec70bc3623778c5264a2d8edd4262ad4aac890db0a8f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/postgresql_anonymizer/docker/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 135174, "scanner": "repobility-docker", "fingerprint": "e63061716944201f49d3b85a470fac9c21df6ab0f842c59766614efdf6961156", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "postgres:$PG_MAJOR", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e63061716944201f49d3b85a470fac9c21df6ab0f842c59766614efdf6961156"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgvector/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 135171, "scanner": "repobility-docker", "fingerprint": "e6b0ad2a876b9fcc47b4704d2a63ea76a43fa3a5bd2f06b4d6dfd8eb617774f8", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "postgres:${pgtag:-alpine}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e6b0ad2a876b9fcc47b4704d2a63ea76a43fa3a5bd2f06b4d6dfd8eb617774f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgtap/test/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 135163, "scanner": "repobility-docker", "fingerprint": "817b4aa65ce59b328ac6585a3f8e604d78bc9746e6c717420372602e18626611", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|817b4aa65ce59b328ac6585a3f8e604d78bc9746e6c717420372602e18626611"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgrx/.github/docker/Dockerfile.debian_bullseye"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 135161, "scanner": "repobility-docker", "fingerprint": "95c9457562e45242a2bf47d16023391c42349997ba6bb0fb73949581f5a446ea", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|95c9457562e45242a2bf47d16023391c42349997ba6bb0fb73949581f5a446ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgrx/.github/docker/Dockerfile.debian_bullseye"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 135154, "scanner": "repobility-docker", "fingerprint": "93e4e87844e34c93e9e162d88de4bc41457b895d77560691830079aa2eb982d2", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|93e4e87844e34c93e9e162d88de4bc41457b895d77560691830079aa2eb982d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgaudit/test/Dockerfile.debian"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 135152, "scanner": "repobility-docker", "fingerprint": "6e8bbde91d1291fabf50b6f8b685e42aea3ab837c62108bca17dda1c9f06d14a", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6e8bbde91d1291fabf50b6f8b685e42aea3ab837c62108bca17dda1c9f06d14a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgaudit/test/Dockerfile.debian"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 135150, "scanner": "repobility-docker", "fingerprint": "1a5acf4c7b678bcc104c349d4f9dd65f3acb50310a11285a4dc9d70c8337868f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1a5acf4c7b678bcc104c349d4f9dd65f3acb50310a11285a4dc9d70c8337868f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_parquet/.devcontainer/Dockerfile"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 135147, "scanner": "repobility-docker", "fingerprint": "4978e562be6e8ca97a3922f5b24788478f5efada56e99c09a1e8451bd818ac39", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4978e562be6e8ca97a3922f5b24788478f5efada56e99c09a1e8451bd818ac39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_parquet/.devcontainer/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 135143, "scanner": "repobility-docker", "fingerprint": "e9c993ffba3966f25b05f1e84e5112fe3e9febe880db284b54b9e4b7c54c2a59", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "postgres_base", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e9c993ffba3966f25b05f1e84e5112fe3e9febe880db284b54b9e4b7c54c2a59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_duckdb/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 135141, "scanner": "repobility-docker", "fingerprint": "8c7a013512c3554cf41d3e52e2481a7dc1c9f459f295bc504b6f780412603f78", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8c7a013512c3554cf41d3e52e2481a7dc1c9f459f295bc504b6f780412603f78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/mage/docker/Dockerfile.dev"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 135140, "scanner": "repobility-docker", "fingerprint": "dd9a6997a3a029b78884f8dde2511e6f0b57dfc7dd94f0a09ed261b434fb3f07", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "postgres:15", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|dd9a6997a3a029b78884f8dde2511e6f0b57dfc7dd94f0a09ed261b434fb3f07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/mage/docker/Dockerfile"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 135135, "scanner": "repobility-docker", "fingerprint": "7fb4e58b5862982c9649bdb42a46845234d5e11ac304ff0e65f3358032d4b2e3", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7fb4e58b5862982c9649bdb42a46845234d5e11ac304ff0e65f3358032d4b2e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/documentdb/.github/containers/Build-Ubuntu/Dockerfile"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 135132, "scanner": "repobility-docker", "fingerprint": "005dda6848cb8a23e66c034b394eb51b1aba985dae6f334397cde16f5e64b62c", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|005dda6848cb8a23e66c034b394eb51b1aba985dae6f334397cde16f5e64b62c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/documentdb/.devcontainer/Dockerfile"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 135130, "scanner": "repobility-docker", "fingerprint": "629a92c99e4b8e13da317b3842ffe08d9cae5768c0b44a46ed5568c0a972a483", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:focal", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|629a92c99e4b8e13da317b3842ffe08d9cae5768c0b44a46ed5568c0a972a483"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker/dpkg/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 135127, "scanner": "repobility-docker", "fingerprint": "7bf14d361c85b18e2d562db8ef10db546cfcef688f1d3ed70dfb82bca617a42a", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:focal", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7bf14d361c85b18e2d562db8ef10db546cfcef688f1d3ed70dfb82bca617a42a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker/dev/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 135124, "scanner": "repobility-docker", "fingerprint": "de023877b2eaeae2c8933ea87634507eeaa8a6c62741fd9d4485ee56ed091487", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:focal", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|de023877b2eaeae2c8933ea87634507eeaa8a6c62741fd9d4485ee56ed091487"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 135120, "scanner": "repobility-docker", "fingerprint": "02e2ec2955c7d3ceac463ac14d1813cd7aa77407b5bdbe61d4dd0b9d471d8018", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "golang:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|02e2ec2955c7d3ceac463ac14d1813cd7aa77407b5bdbe61d4dd0b9d471d8018"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 135118, "scanner": "repobility-docker", "fingerprint": "e12c345fb7f3ac1fcc26f7dd7a59a06fd62ed0540bb6a80dea767b9894437758", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "almalinux:8", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e12c345fb7f3ac1fcc26f7dd7a59a06fd62ed0540bb6a80dea767b9894437758"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/yba-installer/integrationtests/resources/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 135117, "scanner": "repobility-docker", "fingerprint": "3eea83a8122069911eb122f2c6cc01492afc4c233c0108534c4d4cac18be7339", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3eea83a8122069911eb122f2c6cc01492afc4c233c0108534c4d4cac18be7339"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 135116, "scanner": "repobility-docker", "fingerprint": "e30a5b91c58fe4892993b36eb9d91ddadc48f8e8eef8808315170f086ca0ba19", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "quay.io/pypa/manylinux_2_28_x86_64", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e30a5b91c58fe4892993b36eb9d91ddadc48f8e8eef8808315170f086ca0ba19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/pex/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 135113, "scanner": "repobility-docker", "fingerprint": "64a019d026b36dc273e4f37d1eac5599028bf181c6dc9e26f2b6af54a4084460", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "quay.io/pypa/manylinux_2_28_x86_64", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|64a019d026b36dc273e4f37d1eac5599028bf181c6dc9e26f2b6af54a4084460"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/pex/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 135110, "scanner": "repobility-docker", "fingerprint": "7768193b4bc26e9693e93821c6887b8fd3b265d198bc7927b6ce35095a266473", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "centos/python-38-centos7", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7768193b4bc26e9693e93821c6887b8fd3b265d198bc7927b6ce35095a266473"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 135106, "scanner": "repobility-docker", "fingerprint": "2d2208484c91d91d396bb391119712bf46319d44b21645394b977aa95113373d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "yugabyteci/yb_build_infra_almalinux9_x86_64:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2d2208484c91d91d396bb391119712bf46319d44b21645394b977aa95113373d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 135105, "scanner": "repobility-docker", "fingerprint": "bbd38051b2dc47e73a84392e13492ddeca1516d025dc1039492cd7ed9ecc41b1", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "yugabyteci/yb_build_infra_almalinux9_x86_64:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bbd38051b2dc47e73a84392e13492ddeca1516d025dc1039492cd7ed9ecc41b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 135104, "scanner": "repobility-docker", "fingerprint": "7388bd6c3fa0a648c403f1361b59d5d2b0f10c9ba4aeb6e6ecc3065d38377a3b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "yugabyteci/yb_build_infra_almalinux9_x86_64:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7388bd6c3fa0a648c403f1361b59d5d2b0f10c9ba4aeb6e6ecc3065d38377a3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".cursor/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 135103, "scanner": "repobility-docker", "fingerprint": "2f382713e6fa5e310b349509d83c845f8376d44730e82a4dba27b40626a2888e", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "yugabyteci/yb_build_infra_almalinux9_x86_64:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2f382713e6fa5e310b349509d83c845f8376d44730e82a4dba27b40626a2888e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".cursor/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 135102, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 135101, "scanner": "repobility-docker", "fingerprint": "3701b144f1566f107a415e12b144c3b2b35964705b3ae29f0346271e2846f1b4", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "yugabyteci/yb_build_infra_almalinux9_x86_64:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3701b144f1566f107a415e12b144c3b2b35964705b3ae29f0346271e2846f1b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 135100, "scanner": "repobility-docker", "fingerprint": "58be92178f569e22c5e7458a281cd873439b418c7a2934a01276d0944e7ddade", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "yugabyteci/yb_build_infra_almalinux9_x86_64:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|58be92178f569e22c5e7458a281cd873439b418c7a2934a01276d0944e7ddade"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 135099, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "sample/sportsdb_inserts.sql", "size_mb": 14.7}, {"path": "src/postgres/third-party-extensions/pg_stat_monitor/scripts/data_2.sql", "size_mb": 8.0}, {"path": "src/postgres/third-party-extensions/pg_stat_monitor/scripts/data_1.sql", "size_mb": 8.0}, {"path": "sample/orders.sql", "size_mb": 3.4}, {"path": "sample/chinook_songs.sql", "size_mb": 1.7}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR015", "level": "warning", "message": {"text": "Docker build context is very large"}, "properties": {"repobilityId": 135098, "scanner": "repobility-docker", "fingerprint": "b15d4f710afeff2af4cd4ab204332853f9025b78869a0e87bb466a798bb1a15b", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Estimated Docker build context exceeds Repobility's size or file-count threshold.", "evidence": {"capped": false, "rule_id": "DKR015", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "largest_paths": [{"path": ".git/objects/pack/pack-5398f68e834a99b7d97309f192e54bea19f5c6cb.pack", "size_mb": 241.8}, {"path": ".git/objects/pack/pack-b30957e7f808b2e7775d2359d4cdf3eb05d5d26d.pack", "size_mb": 104.3}, {"path": "src/postgres/third-party-extensions/postgresql-hll/sql/data/cumulative_add_comprehensive_promotion.csv", "size_mb": 24.1}, {"path": "src/postgres/third-party-extensions/postgresql-hll/sql/data/cumulative_add_cardinality_correction.csv", "size_mb": 15.2}, {"path": "sample/sportsdb_inserts.sql", "size_mb": 14.7}], "included_files": 32655, "context_size_mb": 1163.9, "correlation_key": "fp|b15d4f710afeff2af4cd4ab204332853f9025b78869a0e87bb466a798bb1a15b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 135097, "scanner": "repobility-agent-runtime", "fingerprint": "f1f69195c5b45c22ba7e4f3fa6f7bc3619a31372aed37357053a8084426da611", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|f1f69195c5b45c22ba7e4f3fa6f7bc3619a31372aed37357053a8084426da611"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/configure_clockbound.sh"}, "region": {"startLine": 245}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 135068, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3eea9dcde3086f1bf67e6bcc4426da090181e96db5148437bc06c398482dd1e0", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "backup", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|3eea9dcde3086f1bf67e6bcc4426da090181e96db5148437bc06c398482dd1e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/db/migration/default_/postgres/V417__Add_First_Snapshot_Time_Backup.java"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 135067, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9314c864517c0d5a8dc5e2aee3a8aab47027847fcd4a046182d01b3353d774f9", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|9314c864517c0d5a8dc5e2aee3a8aab47027847fcd4a046182d01b3353d774f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/db/migration/default_/postgres/V195__DB_Encryption_Update.java"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 135066, "scanner": "repobility-ai-code-hygiene", "fingerprint": "90f0ffecfdc5905bf0c5c330c4adf675391cce322d4a609f886f059061aa41e8", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|90f0ffecfdc5905bf0c5c330c4adf675391cce322d4a609f886f059061aa41e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/db/migration/default_/common/V289__Universe_Details_Arch_Update.java"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 135065, "scanner": "repobility-ai-code-hygiene", "fingerprint": "94dba30d4d94af63d7ae9b655f72c7ca256b1508ff9ca3a7741d78fafb62fbb1", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|94dba30d4d94af63d7ae9b655f72c7ca256b1508ff9ca3a7741d78fafb62fbb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/db/migration/default_/common/V160__Provider_Config_Encryption_Update.java"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 135059, "scanner": "repobility-ai-code-hygiene", "fingerprint": "046c649fb84d028b10c1b5a2035d47d711ed7e499084ee74493b0cac8119f267", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "copy", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "src/postgres/src/include/optimizer/geqo.h", "correlation_key": "fp|046c649fb84d028b10c1b5a2035d47d711ed7e499084ee74493b0cac8119f267"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/src/include/optimizer/geqo_copy.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 135057, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1b52ce919deb3fc0868db786527a4cdb18f5d9f9f5a3762baf2d0c33c76e638a", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "rewrite", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "src/postgres/src/backend/utils/adt/tsquery.c", "correlation_key": "fp|1b52ce919deb3fc0868db786527a4cdb18f5d9f9f5a3762baf2d0c33c76e638a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/src/backend/utils/adt/tsquery_rewrite.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 135040, "scanner": "repobility-threat-engine", "fingerprint": "946196bc631bf9133d04d60f18439dee147ee0e5484f4c8d81f06c42d5d1dff8", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.6 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWD = \"<redacted>\"", "reason": "Low entropy value (3.6 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|4|passwd redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/controllers/handlers/LdapUniverseSyncHandler.java"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC119", "level": "warning", "message": {"text": "[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets."}, "properties": {"repobilityId": 135038, "scanner": "repobility-threat-engine", "fingerprint": "0ec15bef0873350eb0b33ad977f1a4af2a626b40dbb2ac625b4863766ccfeb91", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".setReadable(true, false)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC119", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|193|sec119"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/common/utils/FileUtils.java"}, "region": {"startLine": 193}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 135037, "scanner": "repobility-threat-engine", "fingerprint": "79f5eff25924136ffea8e439dfe62818e8d2f69ef68b2a6727f23fe012b00bca", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Entry.getName()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|199|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/models/FileData.java"}, "region": {"startLine": 199}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 135036, "scanner": "repobility-threat-engine", "fingerprint": "eb278e7e8a752e1d59663a8479c396507e02defa396f0b7f29aad4f8f45d9228", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "entry.getName()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|275|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/common/utils/FileUtils.java"}, "region": {"startLine": 275}}}]}, {"ruleId": "SEC037", "level": "warning", "message": {"text": "[SEC037] Uncontrolled Recursion \u2014 stack/depth exhaustion: Parsing arbitrary-depth user input (XML, JSON, YAML) without a depth limit, or recursive function over user-controlled structure. Attacker sends `{\"a\":{\"a\":{\"a\":...10000 levels...}}}` to blow the stack. Real CVEs: CVE-2019-16935 (Python xmlrpc), CVE-2020-25659 (PyYAML before 5.4). CWE-674/1325."}, "properties": {"repobilityId": 135032, "scanner": "repobility-threat-engine", "fingerprint": "7073b4e28250cf9d70d77e6daeaf1c9077504c66625a561b0a340263067e026d", "category": "resource_exhaustion", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC037", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7073b4e28250cf9d70d77e6daeaf1c9077504c66625a561b0a340263067e026d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/common/ConfigHelper.java"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 134986, "scanner": "repobility-threat-engine", "fingerprint": "c053b6fd15f5611a8954190693e6dbc3b890f5ee8528406a5089f790d573b35c", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "os.popen(", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|61|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/scripts/generateMetadataFiles.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC002", "level": "warning", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 134981, "scanner": "repobility-threat-engine", "fingerprint": "a8dcfbc784611fde3396fd407a6db523e6fbf7e6e70d22f21b1103f3041283a1", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.5 bits) \u2014 may be placeholder or common string Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "api_key = \"<redacted>\"", "reason": "Low entropy value (3.5 bits) \u2014 may be placeholder or common string", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|1|api_key redacted", "duplicate_count": 1, "duplicate_rule_ids": ["SEC002"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["71837d04dc64ebbc01dd03d6546a9e42712141e93e0199a0b7e1fe76209513b6", "a8dcfbc784611fde3396fd407a6db523e6fbf7e6e70d22f21b1103f3041283a1"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/api-examples/python-simple/create-universe.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 134976, "scanner": "repobility-threat-engine", "fingerprint": "3360d78a18c18bd8035635d717bb29a4aa56b2d82121edf0ad5d368154a017f2", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|43|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-sample/src/main/java/org/yb/YbSqlUtil.java"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 134975, "scanner": "repobility-threat-engine", "fingerprint": "74403e9147fe84ff12e88dc2f0a6f04bb662c7bf492fe5ab3098e2855ec31ca9", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|32|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-sample/src/main/java/org/yb/SimpleScan.java"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 134974, "scanner": "repobility-threat-engine", "fingerprint": "2e21219729afd2a26b055e0a52c7391e826babccd1bc7a7ac55f575dbef0d24f", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|34|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-sample/src/main/java/org/yb/LargeScan.java"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 134968, "scanner": "repobility-threat-engine", "fingerprint": "568385c85f4a88a03f31acdea7751f07a91f1c7338677f4268879ad7f6f3e713", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "LOG.info(\"Using \" + INPUT", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|568385c85f4a88a03f31acdea7751f07a91f1c7338677f4268879ad7f6f3e713"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-loadtester/src/main/java/com/yugabyte/sample/apps/CassandraSparkKeyValueCopy.java"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 134967, "scanner": "repobility-threat-engine", "fingerprint": "92f50edb560cf447b95375200fd67b278ed670725fb91726ff1bbbe2b8076dba", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "LOG.info(\"Using wordcount_input_file: \" + input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|92f50edb560cf447b95375200fd67b278ed670725fb91726ff1bbbe2b8076dba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-cql-4x/src/main/java/com/yugabyte/sample/apps/CassandraSparkWordCount.java"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 134966, "scanner": "repobility-threat-engine", "fingerprint": "66daab94d503f543abe0e5c5d5d617a19fd01a13c6560b2bcfa0293ab3a80cee", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "LOG.info(\"Using \" + INPUT", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|66daab94d503f543abe0e5c5d5d617a19fd01a13c6560b2bcfa0293ab3a80cee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-cql-4x/src/main/java/com/yugabyte/sample/apps/CassandraSparkKeyValueCopy.java"}, "region": {"startLine": 94}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 134934, "scanner": "repobility-threat-engine", "fingerprint": "e6e2130309277e74e3309eccf0ec50d469bba293371a86894cb013d54eb40749", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|98|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/common/PrometheusConfigManager.java"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 134933, "scanner": "repobility-threat-engine", "fingerprint": "20f4534da037ec9674178955bacf658f0d6612ff02c75bda7d486c6c935025dc", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|107|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/common/ConfigHelper.java"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 134932, "scanner": "repobility-threat-engine", "fingerprint": "badc62fb4049cafea8d770eb5fc696e7813ba6f8e28d1e691dce3aa412be7e40", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|54|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-support/stabilize_auto_flags_list.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `MakeRelativePathsInFlagsAbsolute` has cognitive complexity 19 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: break=2, for=2, if=6, nested_bonus=9."}, "properties": {"repobilityId": 134924, "scanner": "repobility-threat-engine", "fingerprint": "a608bbad4670c19bbbbfd57ecdcc1a1efd9bf2c6d429e8e27b53a720b90c4dc3", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 19 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "MakeRelativePathsInFlagsAbsolute", "breakdown": {"if": 6, "for": 2, "break": 2, "nested_bonus": 9}, "complexity": 19, "correlation_key": "fp|a608bbad4670c19bbbbfd57ecdcc1a1efd9bf2c6d429e8e27b53a720b90c4dc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ycm_extra_conf.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 135239, "scanner": "repobility-docker", "fingerprint": "fb155957007cf877a267d80a4bf1d37f6a74676198aadae3c454a5b8500ed100", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ts", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fb155957007cf877a267d80a4bf1d37f6a74676198aadae3c454a5b8500ed100"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "troubleshoot/backend/docker/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 135238, "scanner": "repobility-docker", "fingerprint": "3d32e724639248ebc564acb66da68a5e98d871242b8f5dfb80a495429395b800", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ts", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3d32e724639248ebc564acb66da68a5e98d871242b8f5dfb80a495429395b800"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "troubleshoot/backend/docker/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC017", "level": "note", "message": {"text": "Database password is wired through an environment variable placeholder"}, "properties": {"repobilityId": 135236, "scanner": "repobility-docker", "fingerprint": "3ceed905c0d145f05b4584240942b6073ed47167eac462e315ab203890cd891b", "category": "docker", "severity": "low", "confidence": 0.58, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Database image supports file-based secret variables, but only placeholder environment variables were found.", "evidence": {"rule_id": "DKC017", "scanner": "repobility-docker", "service": "postgres", "variables": ["POSTGRES_PASSWORD"], "references": ["https://docs.docker.com/compose/how-tos/use-secrets/"], "correlation_key": "fp|3ceed905c0d145f05b4584240942b6073ed47167eac462e315ab203890cd891b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "troubleshoot/backend/docker/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC017", "level": "note", "message": {"text": "Database password is wired through an environment variable placeholder"}, "properties": {"repobilityId": 135232, "scanner": "repobility-docker", "fingerprint": "2cd474cf4d2b62e0f59f54522ce29c4965385c9b1e035187df606f436420b086", "category": "docker", "severity": "low", "confidence": 0.58, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Database image supports file-based secret variables, but only placeholder environment variables were found.", "evidence": {"rule_id": "DKC017", "scanner": "repobility-docker", "service": "PostgreSQL", "variables": ["POSTGRES_PASSWORD"], "references": ["https://docs.docker.com/compose/how-tos/use-secrets/"], "correlation_key": "fp|2cd474cf4d2b62e0f59f54522ce29c4965385c9b1e035187df606f436420b086"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/postgresql_anonymizer/docker/docker-compose.yml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 135227, "scanner": "repobility-docker", "fingerprint": "e68a6a0e54bf21731c41be26a7739773367015f916d17264ae743157616ac230", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "test", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e68a6a0e54bf21731c41be26a7739773367015f916d17264ae743157616ac230"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgtap/test/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 135226, "scanner": "repobility-docker", "fingerprint": "72c067570e17108e5f8352cb1c57cc1d3bf8215c00941afc1a41957fd0d92211", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "test", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|72c067570e17108e5f8352cb1c57cc1d3bf8215c00941afc1a41957fd0d92211"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgtap/test/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 135215, "scanner": "repobility-docker", "fingerprint": "4ccba47cb6e36d3d07866ea084f5b7c1815f3c6ce90bbf48c58ec7b98b136e6e", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4ccba47cb6e36d3d07866ea084f5b7c1815f3c6ce90bbf48c58ec7b98b136e6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_parquet/.devcontainer/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 135214, "scanner": "repobility-docker", "fingerprint": "171149d2dab05fcdf675984f759e06709e6603a8aa9235a102a9da8ec0a3de10", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|171149d2dab05fcdf675984f759e06709e6603a8aa9235a102a9da8ec0a3de10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_parquet/.devcontainer/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 135211, "scanner": "repobility-docker", "fingerprint": "313633548155712d1bf0ed4ec84392b12b9da53cb4d859de89fd1efcec9ee0a7", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|313633548155712d1bf0ed4ec84392b12b9da53cb4d859de89fd1efcec9ee0a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_duckdb/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 135209, "scanner": "repobility-docker", "fingerprint": "7ccb3497420db8b3a73b196820e8752298306830b4ece58fdfa200715d7be6b6", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "db", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7ccb3497420db8b3a73b196820e8752298306830b4ece58fdfa200715d7be6b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_duckdb/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 135208, "scanner": "repobility-docker", "fingerprint": "6a7d55e6f0b285830d79951f3976c8422070ae6200fbcc6735e3f622f4d1a0d9", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|6a7d55e6f0b285830d79951f3976c8422070ae6200fbcc6735e3f622f4d1a0d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/mage/drivers/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 135205, "scanner": "repobility-docker", "fingerprint": "fab058afe0469d6642337581136dfac54d7971f04569e5760fe43cd62f8c8808", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "db", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fab058afe0469d6642337581136dfac54d7971f04569e5760fe43cd62f8c8808"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/mage/drivers/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 135204, "scanner": "repobility-docker", "fingerprint": "108568cc1c4b84636dce4b3f234bbd6d7c12db93eabe4a7959029bee8c042143", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "openldapr", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|108568cc1c4b84636dce4b3f234bbd6d7c12db93eabe4a7959029bee8c042143"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 135203, "scanner": "repobility-docker", "fingerprint": "f215621734c8f9301f9279a002ef64e4537973b530735725a12ab5b4076e6de9", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "openldapr", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f215621734c8f9301f9279a002ef64e4537973b530735725a12ab5b4076e6de9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 135202, "scanner": "repobility-docker", "fingerprint": "ba54563ddfa20c11fc38daf3ffc0490e075800883f2108c7c5aa8772aca9ee56", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "dpkg", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ba54563ddfa20c11fc38daf3ffc0490e075800883f2108c7c5aa8772aca9ee56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker-compose.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 135201, "scanner": "repobility-docker", "fingerprint": "69d66f2ab914c8c64aad1951769230e10b375c18b39dc474ecd52d1fee1b266a", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "dpkg", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|69d66f2ab914c8c64aad1951769230e10b375c18b39dc474ecd52d1fee1b266a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker-compose.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 135200, "scanner": "repobility-docker", "fingerprint": "6507e18b195b26e9d9d8e63ab315f54b40fdce0f086e7c334be4263c5b6dc486", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6507e18b195b26e9d9d8e63ab315f54b40fdce0f086e7c334be4263c5b6dc486"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker-compose.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 135199, "scanner": "repobility-docker", "fingerprint": "3c8ce76696662d7ca78db964bbd5da00626de335d71f587f281bfe0799b027b3", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3c8ce76696662d7ca78db964bbd5da00626de335d71f587f281bfe0799b027b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker-compose.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 135198, "scanner": "repobility-docker", "fingerprint": "e53e9fc1050ea6571bd58d9b46324ad4d025fb6754dd2344ebb005fc01b884ab", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "odyssey", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e53e9fc1050ea6571bd58d9b46324ad4d025fb6754dd2344ebb005fc01b884ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 135197, "scanner": "repobility-docker", "fingerprint": "9ed33bcf9486b4293b44771125faa66ee6eabfa638fe0c4168640400544fa896", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "odyssey", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9ed33bcf9486b4293b44771125faa66ee6eabfa638fe0c4168640400544fa896"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 135196, "scanner": "repobility-docker", "fingerprint": "33a80f01830796aaf284ebc854bb22e632da16f85b704dc93a4dc9fd31584475", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "prometheus", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|33a80f01830796aaf284ebc854bb22e632da16f85b704dc93a4dc9fd31584475"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/docker-compose.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 135195, "scanner": "repobility-docker", "fingerprint": "86f2e67d30d7e394d743ebdef2f146de5cdc5a2ad9be6b1af22d594def48fc5b", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "prometheus", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|86f2e67d30d7e394d743ebdef2f146de5cdc5a2ad9be6b1af22d594def48fc5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/docker-compose.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 135187, "scanner": "repobility-docker", "fingerprint": "8f63bc343b233ac6b933d3b688597bea66d4ba212e7ea6be7ff1a42cb3a7cd9c", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "yugaware", "dependency": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|8f63bc343b233ac6b933d3b688597bea66d4ba212e7ea6be7ff1a42cb3a7cd9c", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/docker-compose.yml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 135186, "scanner": "repobility-docker", "fingerprint": "a71a175c9bbc5351fc1bfb8360bccb53aa3ab4140c782b8b235b5396bcb197d5", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "yugaware", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a71a175c9bbc5351fc1bfb8360bccb53aa3ab4140c782b8b235b5396bcb197d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/docker-compose.yml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 135185, "scanner": "repobility-docker", "fingerprint": "fe5694c01d425636da4eb015f7cd6c18b816ac4826134445eacee4ec092f04d0", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "yugaware", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fe5694c01d425636da4eb015f7cd6c18b816ac4826134445eacee4ec092f04d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/docker-compose.yml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 135164, "scanner": "repobility-docker", "fingerprint": "96b79385b29d2b2458c983de56ea7b2f072e3bc9577abcc0dc826a57dcc4d0ae", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|96b79385b29d2b2458c983de56ea7b2f072e3bc9577abcc0dc826a57dcc4d0ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgrx/.github/docker/Dockerfile.debian_bullseye"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 135162, "scanner": "repobility-docker", "fingerprint": "18ae24a06c22a33f5f959fcabbf4c547ace5ae808bb9ad8e09960c60540730ca", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|18ae24a06c22a33f5f959fcabbf4c547ace5ae808bb9ad8e09960c60540730ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgrx/.github/docker/Dockerfile.debian_bullseye"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 135155, "scanner": "repobility-docker", "fingerprint": "12033f06a1e84f5971ba923a9f5a7a7748baa320d324cc50690209d9e68d5397", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|12033f06a1e84f5971ba923a9f5a7a7748baa320d324cc50690209d9e68d5397"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgaudit/test/Dockerfile.debian"}, "region": {"startLine": 26}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 135153, "scanner": "repobility-docker", "fingerprint": "fb90dcd35feae82c81ee77f95ee6ef80f368beccaf82be6b8799772efd94caca", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|fb90dcd35feae82c81ee77f95ee6ef80f368beccaf82be6b8799772efd94caca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgaudit/test/Dockerfile.debian"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 135149, "scanner": "repobility-docker", "fingerprint": "19709e26f071704b0e3c491d8420c420ac93c1ee41b920d0b0a8ca9dc6eaf6ee", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|19709e26f071704b0e3c491d8420c420ac93c1ee41b920d0b0a8ca9dc6eaf6ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_parquet/.devcontainer/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 135148, "scanner": "repobility-docker", "fingerprint": "92185494d9f022880cbc23aefa176c78ebb1e6f26bb910e26378684dcc06c6e2", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|92185494d9f022880cbc23aefa176c78ebb1e6f26bb910e26378684dcc06c6e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_parquet/.devcontainer/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 135146, "scanner": "repobility-docker", "fingerprint": "18c16c883ca34685956cb42bb8df2979f2d6ff4c410245fc2acf26ca0b4ebe60", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|18c16c883ca34685956cb42bb8df2979f2d6ff4c410245fc2acf26ca0b4ebe60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_duckdb/Dockerfile"}, "region": {"startLine": 61}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 135145, "scanner": "repobility-docker", "fingerprint": "7e890bfb63199da56fd8dd5596a3b20aa9f324d5473f76b6a58f4f6f592a194c", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|7e890bfb63199da56fd8dd5596a3b20aa9f324d5473f76b6a58f4f6f592a194c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_duckdb/Dockerfile"}, "region": {"startLine": 61}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 135144, "scanner": "repobility-docker", "fingerprint": "88ff39b8892e0b79e4d3862e726af301b2126762fc9cb58cd508d4ca00624001", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|88ff39b8892e0b79e4d3862e726af301b2126762fc9cb58cd508d4ca00624001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_duckdb/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 135139, "scanner": "repobility-docker", "fingerprint": "757d3f605d3c9577c5b149769dd1801a189cf1f99d0ee13c07366daaed139212", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|757d3f605d3c9577c5b149769dd1801a189cf1f99d0ee13c07366daaed139212"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/mage/docker/Dockerfile"}, "region": {"startLine": 39}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 135137, "scanner": "repobility-docker", "fingerprint": "3abfe3f26aee27c1d87edf8a5abc49680cada6be11bba818bba03a2bf010c676", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|3abfe3f26aee27c1d87edf8a5abc49680cada6be11bba818bba03a2bf010c676"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/mage/docker/Dockerfile"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 135136, "scanner": "repobility-docker", "fingerprint": "4c9ca974073f2786e4f35286c40405ebe15cd42efaba44d2df62a44a466c0e8e", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4c9ca974073f2786e4f35286c40405ebe15cd42efaba44d2df62a44a466c0e8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/documentdb/.github/containers/Build-Ubuntu/Dockerfile"}, "region": {"startLine": 99}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 135134, "scanner": "repobility-docker", "fingerprint": "6126e04bd6b24fdb4e7589a5cfbd805117455a7b3539e0636a8ab19783142197", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6126e04bd6b24fdb4e7589a5cfbd805117455a7b3539e0636a8ab19783142197"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/documentdb/.github/containers/Build-Ubuntu/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 135133, "scanner": "repobility-docker", "fingerprint": "18cf3b85e39b14ac55a217785f31ea546e571f87e130ee6f219b6b1e43e7fa73", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|18cf3b85e39b14ac55a217785f31ea546e571f87e130ee6f219b6b1e43e7fa73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/documentdb/.devcontainer/Dockerfile"}, "region": {"startLine": 106}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 135131, "scanner": "repobility-docker", "fingerprint": "c6d1a1a7e98fcdfa56b06601ab3d0bb46fdeecb7dab11a028bda617a135a06de", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c6d1a1a7e98fcdfa56b06601ab3d0bb46fdeecb7dab11a028bda617a135a06de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/documentdb/.devcontainer/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 135129, "scanner": "repobility-docker", "fingerprint": "ebf41c88d3dcd75d29718bf08d0eb654802b0b6d30b55943cd74d71dc4b3638d", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|ebf41c88d3dcd75d29718bf08d0eb654802b0b6d30b55943cd74d71dc4b3638d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker/dpkg/Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 135126, "scanner": "repobility-docker", "fingerprint": "57b430e137891a936582db6fc97ac89885b9d108d22e6764f20256dadfef4b04", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|57b430e137891a936582db6fc97ac89885b9d108d22e6764f20256dadfef4b04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker/dev/Dockerfile"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 135125, "scanner": "repobility-docker", "fingerprint": "29d7e27167ba60686c3d46429e59c9f26e45109ce3563437714d3775ea7b95bb", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|29d7e27167ba60686c3d46429e59c9f26e45109ce3563437714d3775ea7b95bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker/dev/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 135122, "scanner": "repobility-docker", "fingerprint": "2a66aa8f7a356b77fafa91e21ffab5829dcc1981865c902a3f905fc405dd9d7d", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|2a66aa8f7a356b77fafa91e21ffab5829dcc1981865c902a3f905fc405dd9d7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker/Dockerfile"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 135121, "scanner": "repobility-docker", "fingerprint": "c98a191869b09388b626bbd84faf8052db5b281682c60db4f3925f430b66cb1b", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98a191869b09388b626bbd84faf8052db5b281682c60db4f3925f430b66cb1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker/Dockerfile"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 135114, "scanner": "repobility-docker", "fingerprint": "74295fc02c98f57516fc0cded76cc38a9cb3ace0c8807bac6c18627a5f9589d6", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|74295fc02c98f57516fc0cded76cc38a9cb3ace0c8807bac6c18627a5f9589d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/pex/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 135109, "scanner": "repobility-docker", "fingerprint": "8391dd4e80697f860ae222eb409c4d2cc0466fc94ee4d3b3156d49cd51fd7685", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|8391dd4e80697f860ae222eb409c4d2cc0466fc94ee4d3b3156d49cd51fd7685"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/images/yugabyte/Dockerfile"}, "region": {"startLine": 90}}}]}, {"ruleId": "AIC005", "level": "note", "message": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "properties": {"repobilityId": 135096, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6069ff0b61c5142b52bcc79134bbed35df1fd5abb8157607a992c877ca3d191b", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Patch-style file defines a top-level symbol also defined in another source file.", "evidence": {"symbol": "PTUpdateStmt", "rule_id": "AIC005", "scanner": "repobility-ai-code-hygiene", "references": ["https://github.com/jendrikseipp/vulture", "https://knip.dev/"], "duplicate_file": "src/yb/yql/cql/ql/ptree/ptree_fwd.h", "correlation_key": "fp|6069ff0b61c5142b52bcc79134bbed35df1fd5abb8157607a992c877ca3d191b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/yb/yql/cql/ql/ptree/pt_update.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135095, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4516f66eedc60877e6f2719d1e5d802b10ea84841676c2d455f7cb7de1347c4a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/AddNamespaceToXClusterReplicationResponse.java", "duplicate_line": 8, "correlation_key": "fp|4516f66eedc60877e6f2719d1e5d802b10ea84841676c2d455f7cb7de1347c4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/XClusterRemoveNamespaceFromOutboundReplicationGroupResponse.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135094, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d37d228fd3672021876fb016f7fe07a20c1b5beec9cd98f321596822450cf206", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/AlterUniverseReplicationResponse.java", "duplicate_line": 8, "correlation_key": "fp|d37d228fd3672021876fb016f7fe07a20c1b5beec9cd98f321596822450cf206"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/XClusterFailoverResponse.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135093, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ed258c0dcefe705106a75fa31455cbc1cfd674ba1a68bdea5a0654b5d28a3d01", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/AddNamespaceToXClusterReplicationResponse.java", "duplicate_line": 8, "correlation_key": "fp|ed258c0dcefe705106a75fa31455cbc1cfd674ba1a68bdea5a0654b5d28a3d01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/XClusterDeleteOutboundReplicationGroupResponse.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135092, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7b9bb3186fd8564f7389a51214998cb37472c386fbca6e6fc1cbb27c46887164", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/AddNamespaceToXClusterReplicationResponse.java", "duplicate_line": 8, "correlation_key": "fp|7b9bb3186fd8564f7389a51214998cb37472c386fbca6e6fc1cbb27c46887164"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/XClusterCreateOutboundReplicationGroupResponse.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135091, "scanner": "repobility-ai-code-hygiene", "fingerprint": "58592726e8abc3b7dee591b8312ba45ebef42bda19a53ee23194f1933b101d1f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/AddNamespaceToXClusterReplicationResponse.java", "duplicate_line": 8, "correlation_key": "fp|58592726e8abc3b7dee591b8312ba45ebef42bda19a53ee23194f1933b101d1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/XClusterAddNamespaceToOutboundReplicationGroupResponse.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135090, "scanner": "repobility-ai-code-hygiene", "fingerprint": "78cc513f603685a3586a12e237f83839c3e7ba96e711fe0f3ef4def91a5b7566", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/DeleteSnapshotResponse.java", "duplicate_line": 10, "correlation_key": "fp|78cc513f603685a3586a12e237f83839c3e7ba96e711fe0f3ef4def91a5b7566"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/UpgradeYsqlResponse.java"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135089, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e2779ecbb784386a7ebb508672f2bcfbdd4efe6a500a3a5d994c09e1d41a36b3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/FinalizeYsqlMajorCatalogUpgradeResponse.java", "duplicate_line": 8, "correlation_key": "fp|e2779ecbb784386a7ebb508672f2bcfbdd4efe6a500a3a5d994c09e1d41a36b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/StartYsqlMajorCatalogUpgradeResponse.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135088, "scanner": "repobility-ai-code-hygiene", "fingerprint": "122fb071e2883afddda2fa2d1940999be41b24282dce77877bd476b1a2d68093", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/AlterUniverseReplicationResponse.java", "duplicate_line": 8, "correlation_key": "fp|122fb071e2883afddda2fa2d1940999be41b24282dce77877bd476b1a2d68093"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/SetupUniverseReplicationResponse.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135087, "scanner": "repobility-ai-code-hygiene", "fingerprint": "171f8e4d809a4be7ae623419397430fe27e14399ad34f7930a910ef50f3eb17c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/AlterUniverseReplicationResponse.java", "duplicate_line": 8, "correlation_key": "fp|171f8e4d809a4be7ae623419397430fe27e14399ad34f7930a910ef50f3eb17c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/SetUniverseReplicationEnabledResponse.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135086, "scanner": "repobility-ai-code-hygiene", "fingerprint": "307ba1144144a477e488c202734041fb6b1691c71966948b9db1142ec005bd10", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/AlterUniverseReplicationResponse.java", "duplicate_line": 8, "correlation_key": "fp|307ba1144144a477e488c202734041fb6b1691c71966948b9db1142ec005bd10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/SetPreferredZonesResponse.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135085, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8de95c808b851489daf8b74006997c6fef46d36d61069ce324e7eb0dc72c7627", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/FinalizeYsqlMajorCatalogUpgradeResponse.java", "duplicate_line": 8, "correlation_key": "fp|8de95c808b851489daf8b74006997c6fef46d36d61069ce324e7eb0dc72c7627"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/RollbackYsqlMajorCatalogVersionResponse.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135084, "scanner": "repobility-ai-code-hygiene", "fingerprint": "899077d7b628121ade9a5ecebde3ed370b0807876851656712f00fdd63554e14", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/PromoteAutoFlagsResponse.java", "duplicate_line": 15, "correlation_key": "fp|899077d7b628121ade9a5ecebde3ed370b0807876851656712f00fdd63554e14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/RollbackAutoFlagsResponse.java"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135083, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b113b4f46facd4aac0295a4ade11a052dd4cd481bb3c1792f4f1b9c027243e6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/AreLeadersOnPreferredOnlyResponse.java", "duplicate_line": 8, "correlation_key": "fp|6b113b4f46facd4aac0295a4ade11a052dd4cd481bb3c1792f4f1b9c027243e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/LeaderStepDownResponse.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135082, "scanner": "repobility-ai-code-hygiene", "fingerprint": "63c63ef5e87ef05b07edc7c712900204be94d77f78e4f250adc2a2ee75c275ff", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/FinalizeYsqlMajorCatalogUpgradeResponse.java", "duplicate_line": 11, "correlation_key": "fp|63c63ef5e87ef05b07edc7c712900204be94d77f78e4f250adc2a2ee75c275ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/IsYsqlMajorCatalogUpgradeDoneResponse.java"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135081, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d91ee94b22a064a9f3870ec17b14ad49f245d7e535d9033be14ff21c896efd7a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/AreLeadersOnPreferredOnlyResponse.java", "duplicate_line": 6, "correlation_key": "fp|d91ee94b22a064a9f3870ec17b14ad49f245d7e535d9033be14ff21c896efd7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/IsLoadBalancedResponse.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135080, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e05ec1916bb6f581cfa681e6968ba64e9f124cebbd82ab2802dbbff083a7305c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/FinalizeYsqlMajorCatalogUpgradeResponse.java", "duplicate_line": 11, "correlation_key": "fp|e05ec1916bb6f581cfa681e6968ba64e9f124cebbd82ab2802dbbff083a7305c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/IsInitDbDoneResponse.java"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135079, "scanner": "repobility-ai-code-hygiene", "fingerprint": "55c4e10876abf871d467fcd322440fe413d0fa5e6b9a72c2459a211cd61782fa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/IsAlterXClusterReplicationDoneResponse.java", "duplicate_line": 11, "correlation_key": "fp|55c4e10876abf871d467fcd322440fe413d0fa5e6b9a72c2459a211cd61782fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/IsCreateXClusterReplicationDoneResponse.java"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135078, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dd9515d37c5787f04790969fa603f9753c712a317278298cce29d471ed80cc49", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/FinalizeYsqlMajorCatalogUpgradeResponse.java", "duplicate_line": 11, "correlation_key": "fp|dd9515d37c5787f04790969fa603f9753c712a317278298cce29d471ed80cc49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/GetYsqlMajorCatalogUpgradeStateResponse.java"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135077, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2d98d35ebd1d7afe51d46b6f6dc413206c9bb9e61366777c0aec8a5aa1814903", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/GetLeaderBlacklistPercentRequest.java", "duplicate_line": 23, "correlation_key": "fp|2d98d35ebd1d7afe51d46b6f6dc413206c9bb9e61366777c0aec8a5aa1814903"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/GetLoadMovePercentRequest.java"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135076, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b125af7e2d2a05838a796c0dc489ea9e043e4d713cf0e0d8fdd4a7fc7d36a6b8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/DeleteSnapshotResponse.java", "duplicate_line": 8, "correlation_key": "fp|b125af7e2d2a05838a796c0dc489ea9e043e4d713cf0e0d8fdd4a7fc7d36a6b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/DeleteSnapshotScheduleResponse.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135075, "scanner": "repobility-ai-code-hygiene", "fingerprint": "596dda7f019b41e7c3a542f2c57e6827bfea783759c78763473a8ead16869c3e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/AddNamespaceToXClusterReplicationResponse.java", "duplicate_line": 8, "correlation_key": "fp|596dda7f019b41e7c3a542f2c57e6827bfea783759c78763473a8ead16869c3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/CreateXClusterReplicationResponse.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135074, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1752159e44b00fa4636c03e263806f98bc196334cb66f30b9f1fb6111d80e1ad", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/AreLeadersOnPreferredOnlyResponse.java", "duplicate_line": 7, "correlation_key": "fp|1752159e44b00fa4636c03e263806f98bc196334cb66f30b9f1fb6111d80e1ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/CreateKeyspaceResponse.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135073, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c4f3c8184d69a4025805e2a0328dcbc9cfe35b621dea07bd907b741c713d8eec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/AddNamespaceToXClusterReplicationResponse.java", "duplicate_line": 8, "correlation_key": "fp|c4f3c8184d69a4025805e2a0328dcbc9cfe35b621dea07bd907b741c713d8eec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/ChangeXClusterRoleResponse.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135072, "scanner": "repobility-ai-code-hygiene", "fingerprint": "110673deb19b6f16c4ee91ece3b1095f49f4ddc6848670844caead8e4a68dbb8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/AreLeadersOnPreferredOnlyResponse.java", "duplicate_line": 7, "correlation_key": "fp|110673deb19b6f16c4ee91ece3b1095f49f4ddc6848670844caead8e4a68dbb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/ChangeMasterClusterConfigResponse.java"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135071, "scanner": "repobility-ai-code-hygiene", "fingerprint": "67a157224170fcbdf477ae4984006363f6b9186b4d7eed20ab1ea8facd35951f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/AreLeadersOnPreferredOnlyResponse.java", "duplicate_line": 7, "correlation_key": "fp|67a157224170fcbdf477ae4984006363f6b9186b4d7eed20ab1ea8facd35951f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/ChangeLoadBalancerStateResponse.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135070, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7f285144711e301c8f748419e9c14153594783dd9fb15d45cc9ea3410d40b53f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-client/src/main/java/org/yb/client/AreLeadersOnPreferredOnlyResponse.java", "duplicate_line": 8, "correlation_key": "fp|7f285144711e301c8f748419e9c14153594783dd9fb15d45cc9ea3410d40b53f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/ChangeConfigResponse.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 135069, "scanner": "repobility-ai-code-hygiene", "fingerprint": "589522050a3e0881ecebd5314132aaa7959ad731d7d989cfb70c49156b982f4b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "java/yb-cdc/src/main/java/org/yb/cdc/util/Checkpoint.java", "duplicate_line": 47, "correlation_key": "fp|589522050a3e0881ecebd5314132aaa7959ad731d7d989cfb70c49156b982f4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-client/src/main/java/org/yb/client/CdcSdkCheckpoint.java"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 135064, "scanner": "repobility-ai-code-hygiene", "fingerprint": "986a2b72467da80b136cfc8b3d5ce5da078f3c91b0b0d1806f86af5f587e64af", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "backup", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|986a2b72467da80b136cfc8b3d5ce5da078f3c91b0b0d1806f86af5f587e64af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yugabyted-ui/apiserver/cmd/server/handlers/api_backup.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 135063, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6f8dc5f3d03bed1a1909bd4d433c39ff7563ccb7aee3ae196ba82e5e27e479ad", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|6f8dc5f3d03bed1a1909bd4d433c39ff7563ccb7aee3ae196ba82e5e27e479ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/yb/yql/pggate/pg_update.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 135062, "scanner": "repobility-ai-code-hygiene", "fingerprint": "88a270bcbb0a18ffd8b611325e5c13f930d5e3597e6ea64076f9356c55423641", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|88a270bcbb0a18ffd8b611325e5c13f930d5e3597e6ea64076f9356c55423641"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/yb/yql/cql/ql/ptree/pt_update.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 135061, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cfed20dbce75f19919e202885ae416a0615bcd6a274cd96fd675bd72bd92d8f6", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|cfed20dbce75f19919e202885ae416a0615bcd6a274cd96fd675bd72bd92d8f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/documentdb/pg_documentdb/src/update/bson_update.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 135060, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9bccbc8fece5915579d1427a5ecb67be22f7fedd9911954807f3dc831fe312ee", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|9bccbc8fece5915579d1427a5ecb67be22f7fedd9911954807f3dc831fe312ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/documentdb/pg_documentdb/include/update/bson_update.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 135058, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8a882012ebafbfb7b9fc73350b4404f06af49bd88c7ce8b5e90f1208aa5d7222", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "rewrite", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|8a882012ebafbfb7b9fc73350b4404f06af49bd88c7ce8b5e90f1208aa5d7222"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/src/include/catalog/pg_rewrite.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 135056, "scanner": "repobility-ai-code-hygiene", "fingerprint": "01892ea639693ed563500358931230f2671aba7a898ff2e72750f382188a4547", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "copy", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|01892ea639693ed563500358931230f2671aba7a898ff2e72750f382188a4547"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/src/backend/optimizer/geqo/geqo_copy.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 135055, "scanner": "repobility-ai-code-hygiene", "fingerprint": "61d67c69c5d9e51f2719f9ffec2f0cb41ac12d71ab418cb26ed2abdb86f548ab", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "backup", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|61d67c69c5d9e51f2719f9ffec2f0cb41ac12d71ab418cb26ed2abdb86f548ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/db/migration/default_/postgres/V417__Add_First_Snapshot_Time_Backup.java"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 135054, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4d07dd2c44294e83363bfb21538a3aa4912da0f7823cbd2030b70587035dba4a", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|4d07dd2c44294e83363bfb21538a3aa4912da0f7823cbd2030b70587035dba4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/db/migration/default_/postgres/V195__DB_Encryption_Update.java"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 135053, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4695e631c54468e3ca038a3455cde1d238cbee1313f3a4a417d6f86d2ec5ad71", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|4695e631c54468e3ca038a3455cde1d238cbee1313f3a4a417d6f86d2ec5ad71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/db/migration/default_/common/V289__Universe_Details_Arch_Update.java"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 135052, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b0a52406f1db7c5d8fac3bd76be697e5947f46db591f6aefd9c70622d9afe9c", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|6b0a52406f1db7c5d8fac3bd76be697e5947f46db591f6aefd9c70622d9afe9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/db/migration/default_/common/V160__Provider_Config_Encryption_Update.java"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 135014, "scanner": "repobility-threat-engine", "fingerprint": "cae4e6e38eeb9f7316185dbb9da9ce71560e08905d774fc68545523830b76989", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = os.Chmod(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cae4e6e38eeb9f7316185dbb9da9ce71560e08905d774fc68545523830b76989"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/ynp/config/setup_logger.go"}, "region": {"startLine": 61}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 135013, "scanner": "repobility-threat-engine", "fingerprint": "7284ee8cd97fc4771c9dcd88b873c1440928955058656baf402fa63873833277", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = os.Setenv(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7284ee8cd97fc4771c9dcd88b873c1440928955058656baf402fa63873833277"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/app/task/module/download_setup_package.go"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 134951, "scanner": "repobility-threat-engine", "fingerprint": "cd74cf605648220dbe09a90faaf1bc3e82ee7aafd9ada7492d0f5297b95f0416", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\", index=\" + index +\n      \", key=\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cd74cf605648220dbe09a90faaf1bc3e82ee7aafd9ada7492d0f5297b95f0416"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-cdc/src/main/java/org/yb/cdc/util/Checkpoint.java"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 134950, "scanner": "repobility-threat-engine", "fingerprint": "435af30f40aaf3d16552bd25db2c25103442c067321549b5bf38f7ac816f9a2f", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Polling table: \" + table + \" tablet: \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|435af30f40aaf3d16552bd25db2c25103442c067321549b5bf38f7ac816f9a2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-cdc/src/main/java/org/yb/cdc/ConcurrentPoller.java"}, "region": {"startLine": 164}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 134949, "scanner": "repobility-threat-engine", "fingerprint": "5cbc52e7814ca0fa1c05804ccddb8b55755c4420a46f8d1c1c024c96c498c179", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'yb-demo-'+z+'.svc.cluster.local'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5cbc52e7814ca0fa1c05804ccddb8b55755c4420a46f8d1c1c024c96c498c179"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloud/kubernetes/yb-multiregion-k8s-setup.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `GetCompilationInfoForFile` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=1, if=3, nested_bonus=6, recursion=2."}, "properties": {"repobilityId": 134925, "scanner": "repobility-threat-engine", "fingerprint": "97731c77ded79cf8af1d42ebed57be0f2d5581a44312d11cbab85ca0ccd5a31f", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 12 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "GetCompilationInfoForFile", "breakdown": {"if": 3, "for": 1, "recursion": 2, "nested_bonus": 6}, "complexity": 12, "correlation_key": "fp|97731c77ded79cf8af1d42ebed57be0f2d5581a44312d11cbab85ca0ccd5a31f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ycm_extra_conf.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=1, if=8, nested_bonus=1, or=1, ternary=2."}, "properties": {"repobilityId": 134923, "scanner": "repobility-threat-engine", "fingerprint": "07010204456a5df3fdfed0b31dc46c752829407701a51b61ea087859b88fd2a3", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 13 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 8, "or": 1, "for": 1, "ternary": 2, "nested_bonus": 1}, "complexity": 13, "correlation_key": "fp|07010204456a5df3fdfed0b31dc46c752829407701a51b61ea087859b88fd2a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/oss_commit_tracker.py"}, "region": {"startLine": 214}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 135176, "scanner": "repobility-docker", "fingerprint": "e4a3d2901050669bb21b1f2d85408948495131111f07f0b25dc7f0903f5e9485", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "postgres:$PG_MAJOR_VERSION", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|e4a3d2901050669bb21b1f2d85408948495131111f07f0b25dc7f0903f5e9485"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/postgresql_anonymizer/docker/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 135172, "scanner": "repobility-docker", "fingerprint": "9ac612d778dd2b1d089a8388bc8a342a137a1e4dd13f838b8720eca138736a56", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "postgres:$PG_MAJOR", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|9ac612d778dd2b1d089a8388bc8a342a137a1e4dd13f838b8720eca138736a56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgvector/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 135170, "scanner": "repobility-docker", "fingerprint": "7d389eba38476cea15c577a92be7c3b089291e4b1c18a9fbe7a0cab9a2b7ec7b", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "postgres:${pgtag:-alpine}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|7d389eba38476cea15c577a92be7c3b089291e4b1c18a9fbe7a0cab9a2b7ec7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgtap/test/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 135167, "scanner": "repobility-docker", "fingerprint": "12a89f27477c7899c58f3b07bf45f64119407e0721d040a04c984a12a940b026", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "fedora:${FEDORA_VER}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|12a89f27477c7899c58f3b07bf45f64119407e0721d040a04c984a12a940b026"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgrx/.github/docker/Dockerfile.fedora"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 135156, "scanner": "repobility-docker", "fingerprint": "aa8894fd2c5001744bb988d2cc56b6830a2192cad249f10944c1b977dc1732ed", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "postgres:${PG_MAJOR_VER}-alpine3.21", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|aa8894fd2c5001744bb988d2cc56b6830a2192cad249f10944c1b977dc1732ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgrx/.github/docker/Dockerfile.alpine"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 135108, "scanner": "repobility-docker", "fingerprint": "edd10c8752ecf9dc6df9b57520551063d5da94f9bccc14aafd436db67f0ccb41", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASE_IMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|edd10c8752ecf9dc6df9b57520551063d5da94f9bccc14aafd436db67f0ccb41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/images/yugabyte/Dockerfile"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 135107, "scanner": "repobility-docker", "fingerprint": "d4033ff53e14c1c585d1e36bc4269b219063146c909242bba74abf0774f919e4", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASE_IMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|d4033ff53e14c1c585d1e36bc4269b219063146c909242bba74abf0774f919e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/images/yugabyte/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 135051, "scanner": "repobility-threat-engine", "fingerprint": "729b643e6bca2592aa4fc4944c630a8412fcea5fbfca0cb8905d71a0efec47d6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|729b643e6bca2592aa4fc4944c630a8412fcea5fbfca0cb8905d71a0efec47d6", "aggregated_count": 1}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 135050, "scanner": "repobility-threat-engine", "fingerprint": "55321a0087330f93c341b43191f8f174c58a3f1dae3f07afea022bba9ac48beb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|55321a0087330f93c341b43191f8f174c58a3f1dae3f07afea022bba9ac48beb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/src/components/backupv2/components/advancedRestore/AdvancedRestoreNewModal.tsx"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 135049, "scanner": "repobility-threat-engine", "fingerprint": "79b08c12c253f33d0f72ea8297728432e2f6048bee8dbc50de6e9e38ce9f8667", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|79b08c12c253f33d0f72ea8297728432e2f6048bee8dbc50de6e9e38ce9f8667"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/src/components/backupv2/components/BackupDeleteModal.tsx"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 135048, "scanner": "repobility-threat-engine", "fingerprint": "278982192828ed683553eb4371fd5806bbf6993038865fe0f8bf85df548c4eb5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|278982192828ed683553eb4371fd5806bbf6993038865fe0f8bf85df548c4eb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/src/components/backupv2/common/BackupUtils.tsx"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 135047, "scanner": "repobility-threat-engine", "fingerprint": "5d461e29038676ba7a89e2a32748309886f87c4a192c1c759efcc3abd6b7f6a7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5d461e29038676ba7a89e2a32748309886f87c4a192c1c759efcc3abd6b7f6a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/src/components/Authenticated/AuthenticatedComponent.jsx"}, "region": {"startLine": 160}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "properties": {"repobilityId": 135046, "scanner": "repobility-threat-engine", "fingerprint": "87a25b5d2136cb25a9c0e8ca888d0ef9def52d4db675882cc34d89f0fea209d1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|87a25b5d2136cb25a9c0e8ca888d0ef9def52d4db675882cc34d89f0fea209d1", "aggregated_count": 20}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 135045, "scanner": "repobility-threat-engine", "fingerprint": "37d6c3be1e3c31eb42b73b52962f3bfa3a4a76b424fd63aa642edf3701d681c2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|37d6c3be1e3c31eb42b73b52962f3bfa3a4a76b424fd63aa642edf3701d681c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/src/components/advanced/ConfigData.tsx"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 135044, "scanner": "repobility-threat-engine", "fingerprint": "b23524b1652785488cdc89480f509d72b8881da167ab1c9f1de3c627028a9b44", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b23524b1652785488cdc89480f509d72b8881da167ab1c9f1de3c627028a9b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/src/components/administration/Administration.tsx"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 135043, "scanner": "repobility-threat-engine", "fingerprint": "bd1ec23368b41f91ed5b37ae1bba1d49435f706469595fc2165cadef794d8ee7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bd1ec23368b41f91ed5b37ae1bba1d49435f706469595fc2165cadef794d8ee7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/src/actions/xClusterReplication.ts"}, "region": {"startLine": 322}}}]}, {"ruleId": "MINED092", "level": "none", "message": {"text": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection."}, "properties": {"repobilityId": 135042, "scanner": "repobility-threat-engine", "fingerprint": "8f595bfb4fc956e2f07ab0394b2c10542ad299925351024e0707d2d134aa0132", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-runtime-exec", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348152+00:00", "triaged_in_corpus": 15, "observations_count": 250, "ai_coder_pattern_id": 125}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8f595bfb4fc956e2f07ab0394b2c10542ad299925351024e0707d2d134aa0132"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/models/configs/validators/ProviderFieldsValidator.java"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 135041, "scanner": "repobility-threat-engine", "fingerprint": "10d9e5c569e18d87a7cec76d1c7681ff1bf44e5692a0e129832671999ee04ab3", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "password='<redacted>'", "reason": "Safe context pattern detected", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|6|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/models/helpers/telemetry/AuthCredentials.java"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC031", "level": "none", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 135039, "scanner": "repobility-threat-engine", "fingerprint": "b962ce9cd6357f14533a35da20e304e627c9e6a7dce4912b942629e4c8440103", "category": "redos", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"match": "Pattern.compile(\"^.*_test.*$\", CASE_INSENSITIVE),\n          Pattern.compile(\"^.*test_.*$\", CASE_INSE", "reason": "Safe pattern 'test\\b' detected on same line", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|b962ce9cd6357f14533a35da20e304e627c9e6a7dce4912b942629e4c8440103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/controllers/handlers/GFlagsValidationHandler.java"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED093", "level": "none", "message": {"text": "[MINED093] Java Sql Statement Concat: Statement.executeQuery with concat string = SQL injection."}, "properties": {"repobilityId": 135035, "scanner": "repobility-threat-engine", "fingerprint": "e25b8599eca32f349e91b368c265a2295dbdc95cbd4bf66049f641571691ec80", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-sql-statement-concat", "owasp": null, "cwe_ids": ["CWE-89"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348155+00:00", "triaged_in_corpus": 20, "observations_count": 136, "ai_coder_pattern_id": 129}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e25b8599eca32f349e91b368c265a2295dbdc95cbd4bf66049f641571691ec80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/common/YBAUpgradePrecheck.java"}, "region": {"startLine": 75}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "properties": {"repobilityId": 135031, "scanner": "repobility-threat-engine", "fingerprint": "d410d7684cb319402ce56a2d8fe13d342406d7e0f17915269adc20d26608ee8b", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 40 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 40 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d410d7684cb319402ce56a2d8fe13d342406d7e0f17915269adc20d26608ee8b"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 135030, "scanner": "repobility-threat-engine", "fingerprint": "1980330bdce9f85e020e37783e3aabfc46ea85cacf73dc7704cd75cfd1593aa7", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|113|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/common/CloudUtil.java"}, "region": {"startLine": 113}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 135029, "scanner": "repobility-threat-engine", "fingerprint": "1e19613c7825216f4577a3bf0e4f06e68be1c990cc5586d9eec39730c31ffe3e", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|65|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/commissioner/PerfAdvisorNodeManager.java"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 135028, "scanner": "repobility-threat-engine", "fingerprint": "2665de6adf3bbd8803a5f6fde22a706fc0a2599730e4888825e0cd0ff99f48ae", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|62|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/cloud/azu/AZUResourceGroupApiClient.java"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 135027, "scanner": "repobility-threat-engine", "fingerprint": "2ca570bc65e8bb7aae5240d55c1ce72a4f85bfbc115f2599a403387b46bb7ecd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2ca570bc65e8bb7aae5240d55c1ce72a4f85bfbc115f2599a403387b46bb7ecd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/scripts/openapi_format_install.sh"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 135026, "scanner": "repobility-threat-engine", "fingerprint": "72b2261638b6f34d874d22758df4c1da2af02432e297d143a730c245e819f3d2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|72b2261638b6f34d874d22758df4c1da2af02432e297d143a730c245e819f3d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/scripts/openapi_format.sh"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 135025, "scanner": "repobility-threat-engine", "fingerprint": "df51c53f8f0a2b6c69f8dfc72a61914a00d833be61818df168c751adc0dd47fb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|df51c53f8f0a2b6c69f8dfc72a61914a00d833be61818df168c751adc0dd47fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/project/UIRunHook.scala"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 135024, "scanner": "repobility-threat-engine", "fingerprint": "a9290e9308832db1b29e6bdd660fce33b2dfaab9a936cf53d01913e8456ee998", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a9290e9308832db1b29e6bdd660fce33b2dfaab9a936cf53d01913e8456ee998", "aggregated_count": 4}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 135023, "scanner": "repobility-threat-engine", "fingerprint": "11c92dc47d57e311bd6db43091606ce88a1221740386f62df123c19d9d4109a9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|11c92dc47d57e311bd6db43091606ce88a1221740386f62df123c19d9d4109a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/src/components/backupv2/components/advancedRestore/generalConfigurations/GeneralConfigurations.tsx"}, "region": {"startLine": 173}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 135022, "scanner": "repobility-threat-engine", "fingerprint": "b643e9c8af563161a2678c23e752188548e0a3c3c8b973184d603bc0b6a6d87d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b643e9c8af563161a2678c23e752188548e0a3c3c8b973184d603bc0b6a6d87d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/src/components/backupv2/components/AssignBackupStorageConfig.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 135021, "scanner": "repobility-threat-engine", "fingerprint": "03c48291719583c57c6c72fbbd2f3523aad0093be2a86fa6835bf10419d1ec4f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|03c48291719583c57c6c72fbbd2f3523aad0093be2a86fa6835bf10419d1ec4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/project/UIRunHook.scala"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED016", "level": "none", "message": {"text": "[MINED016] Go Error Ignored (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 135012, "scanner": "repobility-threat-engine", "fingerprint": "5b1cabf7a791b77c7fc5bfa05795b9ee2924995a8203f26cdbafaf54eee5cd0b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|5b1cabf7a791b77c7fc5bfa05795b9ee2924995a8203f26cdbafaf54eee5cd0b", "aggregated_count": 6}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 135008, "scanner": "repobility-threat-engine", "fingerprint": "693afed598ce68420584822a475be17b0bd6edfebad6dc961711abd15af435a5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|693afed598ce68420584822a475be17b0bd6edfebad6dc961711abd15af435a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/app/task/task_manager.go"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 135007, "scanner": "repobility-threat-engine", "fingerprint": "64b44767813fc5f206c4cf50e90b4d997dada5dd7430202b0f045d5e11a9b2a2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|64b44767813fc5f206c4cf50e90b4d997dada5dd7430202b0f045d5e11a9b2a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/app/server/main.go"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 135006, "scanner": "repobility-threat-engine", "fingerprint": "537939c16c37080b51999e17b8ad02e42658df05cf9b994440b6e17bf2ff30ca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|537939c16c37080b51999e17b8ad02e42658df05cf9b994440b6e17bf2ff30ca", "aggregated_count": 3}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 135005, "scanner": "repobility-threat-engine", "fingerprint": "2b73af56786a522f1f75fe7d7fabee4e2b5af8da99a48b1f193afa97b70f5dd0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2b73af56786a522f1f75fe7d7fabee4e2b5af8da99a48b1f193afa97b70f5dd0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/cmd/cli/main.go"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 135004, "scanner": "repobility-threat-engine", "fingerprint": "5e013fa2a4f80c4555240be16a8eebd87f6940c55b4540cc95d4c0378d87261e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5e013fa2a4f80c4555240be16a8eebd87f6940c55b4540cc95d4c0378d87261e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/app/task/shell_task.go"}, "region": {"startLine": 287}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 135003, "scanner": "repobility-threat-engine", "fingerprint": "ec75fe64b853d489d79aec19026aef96dd092f370ba2ec6d99ef83d4472bd581", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ec75fe64b853d489d79aec19026aef96dd092f370ba2ec6d99ef83d4472bd581"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/app/executor/task_executor.go"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 134999, "scanner": "repobility-threat-engine", "fingerprint": "7f2d6d59cbe7894dfe3a7b339026aec55039f00ff23040a911eddbc37a7272a1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7f2d6d59cbe7894dfe3a7b339026aec55039f00ff23040a911eddbc37a7272a1", "aggregated_count": 10}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 134998, "scanner": "repobility-threat-engine", "fingerprint": "4834b6ad7f5c435a4f0a274a6621f80d7f208ec6773b0ddf588d3e6d36c3b727", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4834b6ad7f5c435a4f0a274a6621f80d7f208ec6773b0ddf588d3e6d36c3b727"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/commissioner/tasks/subtasks/CheckLeaderlessTablets.java"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 134997, "scanner": "repobility-threat-engine", "fingerprint": "604a703c15c6e306d670b92cecd7aeb467efb46bf3aacb96a6890190eb4b07e0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|604a703c15c6e306d670b92cecd7aeb467efb46bf3aacb96a6890190eb4b07e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/commissioner/tasks/subtasks/CheckFollowerLag.java"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 134996, "scanner": "repobility-threat-engine", "fingerprint": "c63e9bfd9c3b5e9864bcb95eed6a6bfe8d0bf17747281aea224af300548f021f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c63e9bfd9c3b5e9864bcb95eed6a6bfe8d0bf17747281aea224af300548f021f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/docker/nginx/nginx.conf"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 134995, "scanner": "repobility-threat-engine", "fingerprint": "071faa49b332adbc380ddcd9f265553327a073f9feef1a0601786ad2d39f61ea", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|071faa49b332adbc380ddcd9f265553327a073f9feef1a0601786ad2d39f61ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/pex/pexEnvTest.py"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 134993, "scanner": "repobility-threat-engine", "fingerprint": "9677a3b6ed7636b291e3fd7742ba497d10cea769969ab61b2c82c47db1466020", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9677a3b6ed7636b291e3fd7742ba497d10cea769969ab61b2c82c47db1466020"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/utils/replicated.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "properties": {"repobilityId": 134991, "scanner": "repobility-threat-engine", "fingerprint": "063abbc1a988e6c8b43781a2091a8af2089bfaa08444dfc3e5781c1eafa01559", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 29 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 29 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|063abbc1a988e6c8b43781a2091a8af2089bfaa08444dfc3e5781c1eafa01559"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 120 more): Same pattern found in 120 additional files. Review if needed."}, "properties": {"repobilityId": 134985, "scanner": "repobility-threat-engine", "fingerprint": "9fdbc698df9af321128218721e621b7cc5d64aa6e2fef6c9e0f6072c0cae6a07", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 120 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 120 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9fdbc698df9af321128218721e621b7cc5d64aa6e2fef6c9e0f6072c0cae6a07"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 134977, "scanner": "repobility-threat-engine", "fingerprint": "b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4"}}}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 134973, "scanner": "repobility-threat-engine", "fingerprint": "a94b57aa8b6448bde8f185a7ff12e74f49478deea3b108b641b1741028712bab", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a94b57aa8b6448bde8f185a7ff12e74f49478deea3b108b641b1741028712bab", "aggregated_count": 2}}}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 134972, "scanner": "repobility-threat-engine", "fingerprint": "fe2a8786d6362e770a5548d0bef2d985b400f1502e9d5d60ca5e7a14e95abb78", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fe2a8786d6362e770a5548d0bef2d985b400f1502e9d5d60ca5e7a14e95abb78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/common/PrometheusConfigManager.java"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 134971, "scanner": "repobility-threat-engine", "fingerprint": "843a6ab85549c96f7559559a9eace85fddcf06a1aac322ede54c2b06eaaff6fd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|843a6ab85549c96f7559559a9eace85fddcf06a1aac322ede54c2b06eaaff6fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/byoc-api-proxy/src/main/java/com/yugabyte/ByocApiProxy/config/PollerInfrastructureConfig.java"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 134970, "scanner": "repobility-threat-engine", "fingerprint": "a1ae21b1b5701eedaeee5c1b590b88456e358ceb111bf65288dc0528ba59831a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a1ae21b1b5701eedaeee5c1b590b88456e358ceb111bf65288dc0528ba59831a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-cql-4x/src/main/java/com/yugabyte/sample/common/SimpleLoadGenerator.java"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC034", "level": "none", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 134969, "scanner": "repobility-threat-engine", "fingerprint": "ef1de2b205a575342e12c9f71cad0f292ab32e48606665e0a711fdbfede1d1af", "category": "log_injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ef1de2b205a575342e12c9f71cad0f292ab32e48606665e0a711fdbfede1d1af"}}}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 134965, "scanner": "repobility-threat-engine", "fingerprint": "6051ea758843b6ed68b455d709042d2268cab1c99d8af234e1c6a7fbf59c516d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6051ea758843b6ed68b455d709042d2268cab1c99d8af234e1c6a7fbf59c516d", "aggregated_count": 3}}}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 134964, "scanner": "repobility-threat-engine", "fingerprint": "a44d0e60a8e0b03e35fd97e6bbb1c253d8bc7097eeb5ccd480e50a7cfa0a1ff4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a44d0e60a8e0b03e35fd97e6bbb1c253d8bc7097eeb5ccd480e50a7cfa0a1ff4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-cdc/src/main/java/org/yb/cdc/ConcurrentPoller.java"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 134963, "scanner": "repobility-threat-engine", "fingerprint": "f16b25756dcf77cc2a7f6493552392116e35400ec1ef886a082bb1187550efb8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f16b25756dcf77cc2a7f6493552392116e35400ec1ef886a082bb1187550efb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-cdc/src/main/java/org/yb/cdc/ConcurrentLogConnector.java"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 134962, "scanner": "repobility-threat-engine", "fingerprint": "ba48853f5d6564dce8706b683e269b85d7211f4c0835496c4fc2b13385c7bebb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ba48853f5d6564dce8706b683e269b85d7211f4c0835496c4fc2b13385c7bebb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-cdc/src/main/java/org/yb/cdc/CDCConsoleSubscriber.java"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 134961, "scanner": "repobility-threat-engine", "fingerprint": "0bfeddcc126ead5e3043def6d954b9598bc593dd53f7b4ba3fb35a6a59ee530d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0bfeddcc126ead5e3043def6d954b9598bc593dd53f7b4ba3fb35a6a59ee530d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-cdc/src/main/java/org/yb/cdc/ConcurrentPoller.java"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 134960, "scanner": "repobility-threat-engine", "fingerprint": "2c2f571cc9da6f28ebc7f83eb6c7c9a4d6f530f00e0ea7a04aa13dd760f4f02d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2c2f571cc9da6f28ebc7f83eb6c7c9a4d6f530f00e0ea7a04aa13dd760f4f02d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-cdc/src/main/java/org/yb/cdc/ConcurrentLogConnector.java"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 134959, "scanner": "repobility-threat-engine", "fingerprint": "f554b4b05410d7cb8ac3018c6553850fbad6c382f0203cbc28bd5e30966025e5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f554b4b05410d7cb8ac3018c6553850fbad6c382f0203cbc28bd5e30966025e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-cdc/src/main/java/org/yb/cdc/CDCConsoleSubscriber.java"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 134958, "scanner": "repobility-threat-engine", "fingerprint": "2232438d4bdad19fc3f64c2fdf78fdbc885ac0b47991a25a1b2f970ef2e6b8a7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2232438d4bdad19fc3f64c2fdf78fdbc885ac0b47991a25a1b2f970ef2e6b8a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/src/components/advanced/RuntimeConfig/RuntimeConfigContainer.tsx"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 134957, "scanner": "repobility-threat-engine", "fingerprint": "04a7edb501198f6353db54c02815da4d071ebe47161c2d9ab3b68988580ea011", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|04a7edb501198f6353db54c02815da4d071ebe47161c2d9ab3b68988580ea011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/install.js"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 134956, "scanner": "repobility-threat-engine", "fingerprint": "3beb2e3faa84042b9bc324c3d7e2891584e24ad2fd661b5094fba8d1dd7c175a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3beb2e3faa84042b9bc324c3d7e2891584e24ad2fd661b5094fba8d1dd7c175a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/dependencies.js"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 134955, "scanner": "repobility-threat-engine", "fingerprint": "2e9a9c80456251c23411aa5c37bb3a9afdc1b23912f976eae7b5fc6f4627922b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2e9a9c80456251c23411aa5c37bb3a9afdc1b23912f976eae7b5fc6f4627922b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/cloud/common/base.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 134954, "scanner": "repobility-threat-engine", "fingerprint": "728d131d1a08b1cb750895ee4b042184d041e3dc2400306d41f8a97a6bede5eb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|728d131d1a08b1cb750895ee4b042184d041e3dc2400306d41f8a97a6bede5eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloud/kubernetes/yb-multiregion-k8s-setup.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 68 more): Same pattern found in 68 additional files. Review if needed."}, "properties": {"repobilityId": 134952, "scanner": "repobility-threat-engine", "fingerprint": "a0cd485d7b5d4581a32259d392f70855a35627958ef433cd0242a84eff8b64e9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 68 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 68 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a0cd485d7b5d4581a32259d392f70855a35627958ef433cd0242a84eff8b64e9"}}}, {"ruleId": "MINED018", "level": "none", "message": {"text": "[MINED018] Unsafe Deserialization Pickle (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 134947, "scanner": "repobility-threat-engine", "fingerprint": "e1b9798c912e66a374afd6bbef62963cfcb7c6bd83e05060ee3a6445d5724671", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e1b9798c912e66a374afd6bbef62963cfcb7c6bd83e05060ee3a6445d5724671", "aggregated_count": 4}}}, {"ruleId": "SEC116", "level": "none", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 134943, "scanner": "repobility-threat-engine", "fingerprint": "8b1d3eb32425b0a20f682c2d8110ebd905f7bb5f05848f4950b2c349fa74454f", "category": "deserialization", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8b1d3eb32425b0a20f682c2d8110ebd905f7bb5f05848f4950b2c349fa74454f"}}}, {"ruleId": "SEC079", "level": "none", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 134939, "scanner": "repobility-threat-engine", "fingerprint": "77101c529f92a39d66d4e8f1fb9e605bd04a7421048e6d6003a71c4bd16912c8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|77101c529f92a39d66d4e8f1fb9e605bd04a7421048e6d6003a71c4bd16912c8"}}}, {"ruleId": "SEC007", "level": "none", "message": {"text": "[SEC007] Unsafe Deserialization (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 134935, "scanner": "repobility-threat-engine", "fingerprint": "6b9012b015659a27ec0bbe8afd468bee08a378d979c58fbaddfe79ffff5aaca6", "category": "deserialization", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|6b9012b015659a27ec0bbe8afd468bee08a378d979c58fbaddfe79ffff5aaca6"}}}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 134931, "scanner": "repobility-threat-engine", "fingerprint": "58c4da94b9afa5e01231817b007f3565b1e41c81ffd2047d0b8bd42d1b51c56a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|58c4da94b9afa5e01231817b007f3565b1e41c81ffd2047d0b8bd42d1b51c56a", "aggregated_count": 2}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 134926, "scanner": "repobility-threat-engine", "fingerprint": "79d352d73437ebd7dfb28aea2dab6bd7823e8d3a3a6573567ca5ec0771ab478c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 8, "or": 1, "for": 1, "ternary": 2, "nested_bonus": 1}, "aggregated": true, "complexity": 13, "correlation_key": "fp|79d352d73437ebd7dfb28aea2dab6bd7823e8d3a3a6573567ca5ec0771ab478c", "aggregated_count": 13}}}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `managed/byoc-api-proxy/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `managed/byoc-api-proxy/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (46,175 bytes) committed to a repo that otherwise has 12226 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 135443, "scanner": "repobility-supply-chain", "fingerprint": "1446b83af8bc1ae16e714deb8e837412cb9c986cc1d5117a4acb2a46a746e144", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1446b83af8bc1ae16e714deb8e837412cb9c986cc1d5117a4acb2a46a746e144"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/byoc-api-proxy/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `managed/lint/google-java-format-1.17.0-all-deps.jar` committed in source repo: `managed/lint/google-java-format-1.17.0-all-deps.jar` is a .jar binary (3,511,287 bytes) committed to a repo that otherwise has 12226 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 135442, "scanner": "repobility-supply-chain", "fingerprint": "e3bc9c14f179c57ff5f14d5eaa0c72858f9f2bae268a7be4648b9e0070d54482", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e3bc9c14f179c57ff5f14d5eaa0c72858f9f2bae268a7be4648b9e0070d54482"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/lint/google-java-format-1.17.0-all-deps.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `troubleshoot/backend/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `troubleshoot/backend/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (63,721 bytes) committed to a repo that otherwise has 12226 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 135441, "scanner": "repobility-supply-chain", "fingerprint": "182747d153bba63e208767dfe96db43e81215c5e44495674521657d3134b752f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|182747d153bba63e208767dfe96db43e81215c5e44495674521657d3134b752f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "troubleshoot/backend/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `pgxn/pgxn-tools` unpinned: `container/services image: pgxn/pgxn-tools` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 135440, "scanner": "repobility-supply-chain", "fingerprint": "f03b73c7590946596ad81907019d1784a6d1f3739b91a0382c1cc40e3627cdce", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f03b73c7590946596ad81907019d1784a6d1f3739b91a0382c1cc40e3627cdce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgtap/.github/workflows/release.yml"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `pgxn/pgxn-tools` unpinned: `container/services image: pgxn/pgxn-tools` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 135439, "scanner": "repobility-supply-chain", "fingerprint": "2ae801dd3607bec34ef6ab5ff36a41dbb96aa547d43b701f750ae5aa889d74b7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2ae801dd3607bec34ef6ab5ff36a41dbb96aa547d43b701f750ae5aa889d74b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgtap/.github/workflows/test.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `postgres:15` not pinned by digest: `FROM postgres:15` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135434, "scanner": "repobility-supply-chain", "fingerprint": "5d01a3720b251929330de825c3795774dbbe4cb38ab7c02830b181e5db884114", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5d01a3720b251929330de825c3795774dbbe4cb38ab7c02830b181e5db884114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/mage/docker/Dockerfile"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `postgres:15` not pinned by digest: `FROM postgres:15` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135433, "scanner": "repobility-supply-chain", "fingerprint": "9155ab57b73937fdb41dbb95920b4ebf3f1901ffea328abd365b97237a1a563c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9155ab57b73937fdb41dbb95920b4ebf3f1901ffea328abd365b97237a1a563c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/mage/docker/Dockerfile"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:bullseye` not pinned by digest: `FROM debian:bullseye` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135432, "scanner": "repobility-supply-chain", "fingerprint": "71a664a58d6db34ab510b37ad38bc48627f36ec0d7055fe299bb3f68644e52e2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|71a664a58d6db34ab510b37ad38bc48627f36ec0d7055fe299bb3f68644e52e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgrx/.github/docker/Dockerfile.debian_bullseye"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `amazonlinux:2` not pinned by digest: `FROM amazonlinux:2` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135431, "scanner": "repobility-supply-chain", "fingerprint": "39fa37c26e3c97dd20405c40441ee165d828c0e6a0aa12d49708a2b4ffcec6b7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|39fa37c26e3c97dd20405c40441ee165d828c0e6a0aa12d49708a2b4ffcec6b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgrx/.github/docker/Dockerfile.amazon_2"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `golang:latest` not pinned by digest: `FROM golang:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135430, "scanner": "repobility-supply-chain", "fingerprint": "770d93bb8e28427eb2baf36c237c87669751dd05df307f8b8d6a64078d5e9d0d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|770d93bb8e28427eb2baf36c237c87669751dd05df307f8b8d6a64078d5e9d0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/postgresql_anonymizer/docker/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135424, "scanner": "repobility-supply-chain", "fingerprint": "edc3071e2d86c62b8dda35853f274384dfe7885c84ebf746406689133f406b90", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|edc3071e2d86c62b8dda35853f274384dfe7885c84ebf746406689133f406b90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_stat_monitor/.github/workflows/postgresql-16-pgdg-package.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v2`: `uses: actions/upload-artifact@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135423, "scanner": "repobility-supply-chain", "fingerprint": "79916979a41e733e9f03a5c919fd5b7866290ac7b9575a0101fabbe5dae52d8a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|79916979a41e733e9f03a5c919fd5b7866290ac7b9575a0101fabbe5dae52d8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_stat_monitor/.github/workflows/postgresql-15-build.yml"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v2`: `uses: actions/upload-artifact@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135422, "scanner": "repobility-supply-chain", "fingerprint": "dd92f1fe63da5968846c66d7220d32d3c82ecb88305c04677072c8f6256002a3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dd92f1fe63da5968846c66d7220d32d3c82ecb88305c04677072c8f6256002a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_stat_monitor/.github/workflows/postgresql-15-build.yml"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135421, "scanner": "repobility-supply-chain", "fingerprint": "393ab9b3217b7164831a748d802213255f6459078e96a5c646ddc05983c1078e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|393ab9b3217b7164831a748d802213255f6459078e96a5c646ddc05983c1078e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_stat_monitor/.github/workflows/postgresql-15-build.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135420, "scanner": "repobility-supply-chain", "fingerprint": "e74f77c89ec9b5776e293cfe111852e9668ea4356a1af8b450fc7dd9691cb054", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e74f77c89ec9b5776e293cfe111852e9668ea4356a1af8b450fc7dd9691cb054"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_stat_monitor/.github/workflows/postgresql-15-build.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v2`: `uses: actions/upload-artifact@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135419, "scanner": "repobility-supply-chain", "fingerprint": "6cf341127bed81bb1586c57ab29432ebbbe4d5e766d27ac161612b35a7859603", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6cf341127bed81bb1586c57ab29432ebbbe4d5e766d27ac161612b35a7859603"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_stat_monitor/.github/workflows/postgresql-13-ppg-package.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135418, "scanner": "repobility-supply-chain", "fingerprint": "6c203d1375bd82fc2dc5c8a848796d2b14f3bbe0f892136722d25c9070470b68", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6c203d1375bd82fc2dc5c8a848796d2b14f3bbe0f892136722d25c9070470b68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_stat_monitor/.github/workflows/postgresql-13-ppg-package.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v2`: `uses: actions/upload-artifact@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135417, "scanner": "repobility-supply-chain", "fingerprint": "bdee2dec6711a806971c145f831adab569895572b488668edc9181c3c6a665dd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bdee2dec6711a806971c145f831adab569895572b488668edc9181c3c6a665dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_stat_monitor/.github/workflows/postgresql-16-build.yml"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v2`: `uses: actions/upload-artifact@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135416, "scanner": "repobility-supply-chain", "fingerprint": "417f854e9f5c15f3937fb4c99c3efaf8fc35a1e71f88c06b4e74cf001f079320", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|417f854e9f5c15f3937fb4c99c3efaf8fc35a1e71f88c06b4e74cf001f079320"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_stat_monitor/.github/workflows/postgresql-16-build.yml"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135415, "scanner": "repobility-supply-chain", "fingerprint": "2175550673e4b2f9885d053f9cfc39cbe55461fb6d41f6b14a1aa2d69da8d31b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2175550673e4b2f9885d053f9cfc39cbe55461fb6d41f6b14a1aa2d69da8d31b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_stat_monitor/.github/workflows/postgresql-16-build.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135414, "scanner": "repobility-supply-chain", "fingerprint": "59499ef44dee2469897fddc28ed7861f03401a04cc7e0881c224c6fa988118dc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|59499ef44dee2469897fddc28ed7861f03401a04cc7e0881c224c6fa988118dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_stat_monitor/.github/workflows/postgresql-16-build.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v2`: `uses: actions/upload-artifact@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135413, "scanner": "repobility-supply-chain", "fingerprint": "87cec59f4b15c9d674a26f11220493f0b93f999d552595d54cc9c7a3a488aa8e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|87cec59f4b15c9d674a26f11220493f0b93f999d552595d54cc9c7a3a488aa8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_stat_monitor/.github/workflows/postgresql-16-ppg-package.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135412, "scanner": "repobility-supply-chain", "fingerprint": "25913d508da37543a3a7adb4019572b36c54a1ba2324442d0c9b25e44695fdbc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|25913d508da37543a3a7adb4019572b36c54a1ba2324442d0c9b25e44695fdbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_stat_monitor/.github/workflows/postgresql-16-ppg-package.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135411, "scanner": "repobility-supply-chain", "fingerprint": "8ae486b17edb3adc585f34431cccfd29ce8ce16bac0b5eeba982ab19310f20f9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8ae486b17edb3adc585f34431cccfd29ce8ce16bac0b5eeba982ab19310f20f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgaudit/.github/workflows/test.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:jammy` not pinned by digest: `FROM ubuntu:jammy` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135410, "scanner": "repobility-supply-chain", "fingerprint": "578751fb177fdcb1d8ad019cd225e0158cfa570cd92262efd04402e3615f5f49", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|578751fb177fdcb1d8ad019cd225e0158cfa570cd92262efd04402e3615f5f49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgaudit/test/Dockerfile.debian"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `rockylinux/rockylinux:8` not pinned by digest: `FROM rockylinux/rockylinux:8` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135409, "scanner": "repobility-supply-chain", "fingerprint": "6c937062c94e70d8ec2e8eb122619d349ca2b4c43362e84ca3fdb108d5966802", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6c937062c94e70d8ec2e8eb122619d349ca2b4c43362e84ca3fdb108d5966802"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgaudit/test/Dockerfile.rhel"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v4.5.0`: `.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v4.5.0`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 135408, "scanner": "repobility-supply-chain", "fingerprint": "36d902781deb3b29f26b0a78faba79f6a72b98f88004740fd33ea38628c40e67", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|36d902781deb3b29f26b0a78faba79f6a72b98f88004740fd33ea38628c40e67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/postgresql_anonymizer/.pre-commit-config.yaml"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `fnkr/github-action-ghr` pinned to mutable ref `@v1`: `uses: fnkr/github-action-ghr@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135407, "scanner": "repobility-supply-chain", "fingerprint": "81230fa0919b99c49e97c17d02d3ef2405f727ca4be2649239291968300e244e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|81230fa0919b99c49e97c17d02d3ef2405f727ca4be2649239291968300e244e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/.github/workflows/cmake.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135406, "scanner": "repobility-supply-chain", "fingerprint": "56f64840eac85df8f54aa5b4bb3e8c6bf07e426b3e7e570ae81ab746ed30fe2b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|56f64840eac85df8f54aa5b4bb3e8c6bf07e426b3e7e570ae81ab746ed30fe2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/.github/workflows/cmake.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `RafikFarhad/clang-format-github-action` pinned to mutable ref `@v1.0.1`: `uses: RafikFarhad/clang-format-github-action@v1.0.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135405, "scanner": "repobility-supply-chain", "fingerprint": "b127df6e1db24544ea1b558678b8f1d3ecd1b5fa1019ef9f4104f0d9bd01a7fe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b127df6e1db24544ea1b558678b8f1d3ecd1b5fa1019ef9f4104f0d9bd01a7fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/.github/workflows/clang-format.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135404, "scanner": "repobility-supply-chain", "fingerprint": "145b8382de8b6143cc19fc12fc600cf7d0936aca4ffee60e0fc21bc7b9927342", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|145b8382de8b6143cc19fc12fc600cf7d0936aca4ffee60e0fc21bc7b9927342"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/.github/workflows/clang-format.yml"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v2`: `uses: actions/cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135403, "scanner": "repobility-supply-chain", "fingerprint": "50eebd2e30d52b89ed00b7965396ee73369411115bd834d03e98b90d01c48b71", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|50eebd2e30d52b89ed00b7965396ee73369411115bd834d03e98b90d01c48b71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/.github/workflows/coverity.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135402, "scanner": "repobility-supply-chain", "fingerprint": "db89e01fc60c8602f35aaed30eb031d6598d6e37772fc5c4f1f6327ad5a59cd8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|db89e01fc60c8602f35aaed30eb031d6598d6e37772fc5c4f1f6327ad5a59cd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/.github/workflows/coverity.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:focal` not pinned by digest: `FROM ubuntu:focal` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135401, "scanner": "repobility-supply-chain", "fingerprint": "6b52cb607ee1b67184e1ea0600efe356e71ceda0c747320200413d3c01ec69b3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b52cb607ee1b67184e1ea0600efe356e71ceda0c747320200413d3c01ec69b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker/dev/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:focal` not pinned by digest: `FROM ubuntu:focal` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135400, "scanner": "repobility-supply-chain", "fingerprint": "d7fda142c0fea8e1cb90d9b3529323af6cf52c940f330a9711a620b6d16ab11d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d7fda142c0fea8e1cb90d9b3529323af6cf52c940f330a9711a620b6d16ab11d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker/dpkg/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:focal` not pinned by digest: `FROM ubuntu:focal` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135399, "scanner": "repobility-supply-chain", "fingerprint": "03612310b64c3134cf72c1b27417476e4f167cb2169cc2347d2c8d3b3bb4df7e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|03612310b64c3134cf72c1b27417476e4f167cb2169cc2347d2c8d3b3bb4df7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker/Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `golang:latest` not pinned by digest: `FROM golang:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135398, "scanner": "repobility-supply-chain", "fingerprint": "fc41f3ba3a0b9fadf9974a058789647a81a2a827bf00b3c55844527fa3e8b425", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fc41f3ba3a0b9fadf9974a058789647a81a2a827bf00b3c55844527fa3e8b425"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:3.13` not pinned by digest: `FROM alpine:3.13` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135397, "scanner": "repobility-supply-chain", "fingerprint": "a614b9eb1b45ea533d687c3df47520299cc6c8fdeea1ea6e6f03f4fba3cba239", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a614b9eb1b45ea533d687c3df47520299cc6c8fdeea1ea6e6f03f4fba3cba239"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yugabyted-ui/apiserver/conf/templates/go-echo-server/Dockerfile.mustache"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `golang:1.16-alpine3.13` not pinned by digest: `FROM golang:1.16-alpine3.13` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135396, "scanner": "repobility-supply-chain", "fingerprint": "9f89c7aa118fd08fe0c934b71b31bd2f7b278f53bbd3775de0365eeb72f8964a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9f89c7aa118fd08fe0c934b71b31bd2f7b278f53bbd3775de0365eeb72f8964a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yugabyted-ui/apiserver/conf/templates/go-echo-server/Dockerfile.mustache"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:3.13` not pinned by digest: `FROM alpine:3.13` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135395, "scanner": "repobility-supply-chain", "fingerprint": "31aba9d16a515f92bd39aa9b38eb05aa868cc61e42b83b9f8f72e9d42287ff1b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|31aba9d16a515f92bd39aa9b38eb05aa868cc61e42b83b9f8f72e9d42287ff1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yugabyted-ui/apiserver/cmd/server/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `golang:1.16-alpine3.13` not pinned by digest: `FROM golang:1.16-alpine3.13` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135394, "scanner": "repobility-supply-chain", "fingerprint": "19bf395c822521a35b04279fa2015da22ae2e605725f0db67b19584b02e678dc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|19bf395c822521a35b04279fa2015da22ae2e605725f0db67b19584b02e678dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yugabyted-ui/apiserver/cmd/server/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135393, "scanner": "repobility-supply-chain", "fingerprint": "2313c92e78bb6489008486c86980202f4e7a1d2ac721181d8f87d1deeccae3c2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2313c92e78bb6489008486c86980202f4e7a1d2ac721181d8f87d1deeccae3c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/oss-commit-tracker.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135392, "scanner": "repobility-supply-chain", "fingerprint": "f34e20fc9dbc40f139861caafac35595094cdea74f6567cacdb4f79e6772997f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f34e20fc9dbc40f139861caafac35595094cdea74f6567cacdb4f79e6772997f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/oss-commit-tracker.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135391, "scanner": "repobility-supply-chain", "fingerprint": "2f557dcd7a03fad75369de937ae64068020f181130785e4b6f73246e8110e7a7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2f557dcd7a03fad75369de937ae64068020f181130785e4b6f73246e8110e7a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/yugabyted-test.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v2`: `uses: actions/setup-python@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135390, "scanner": "repobility-supply-chain", "fingerprint": "872beda9589894a216c33de7f621dc75042d680775869660689a84c60f6e39b6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|872beda9589894a216c33de7f621dc75042d680775869660689a84c60f6e39b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/yugabyted-test.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 135384, "scanner": "repobility-supply-chain", "fingerprint": "f32aacfcefff0000ae2b50d73b62dd93b493c24c5f2c64bd3530770d9219e9fd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f32aacfcefff0000ae2b50d73b62dd93b493c24c5f2c64bd3530770d9219e9fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-lint.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.11.14-slim-trixie` not pinned by digest: `FROM python:3.11.14-slim-trixie` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135383, "scanner": "repobility-supply-chain", "fingerprint": "c5cb03e65ac2e53fa4e11ef3b23f03878c3c97373046c79992494260db67090f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c5cb03e65ac2e53fa4e11ef3b23f03878c3c97373046c79992494260db67090f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/ai/rag_agent/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `almalinux:8` not pinned by digest: `FROM almalinux:8` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135382, "scanner": "repobility-supply-chain", "fingerprint": "b43c0ce64491a91f57ed24aadaf37e28218407486bad54b37ffd12f0fb031e18", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b43c0ce64491a91f57ed24aadaf37e28218407486bad54b37ffd12f0fb031e18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/yba-installer/integrationtests/resources/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `quay.io/pypa/manylinux_2_28_x86_64 (no tag)` not pinned by digest: `FROM quay.io/pypa/manylinux_2_28_x86_64 (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135381, "scanner": "repobility-supply-chain", "fingerprint": "6d38909015d4dc79eb03dc5d1b820f87f7d613125e16367ced6d59970cd13c0b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6d38909015d4dc79eb03dc5d1b820f87f7d613125e16367ced6d59970cd13c0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/pex/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:alpine` not pinned by digest: `FROM node:alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135380, "scanner": "repobility-supply-chain", "fingerprint": "784517c8f56723387ed60001b0abde755e19163c51b264cfaab08636fb125a93", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|784517c8f56723387ed60001b0abde755e19163c51b264cfaab08636fb125a93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `centos/python-38-centos7 (no tag)` not pinned by digest: `FROM centos/python-38-centos7 (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135379, "scanner": "repobility-supply-chain", "fingerprint": "2709b44484b2ba70407bec15403e0397b6269f6223ed08f58daa270716930e3f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2709b44484b2ba70407bec15403e0397b6269f6223ed08f58daa270716930e3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `eclipse-temurin:17-jdk` not pinned by digest: `FROM eclipse-temurin:17-jdk` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135378, "scanner": "repobility-supply-chain", "fingerprint": "8284ce31c52c610cda50b528cec6c3c2683e4e8bfcc51ad959c0ea9e61c9f15c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8284ce31c52c610cda50b528cec6c3c2683e4e8bfcc51ad959c0ea9e61c9f15c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "troubleshoot/backend/docker/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `eclipse-temurin:17-jdk` not pinned by digest: `FROM eclipse-temurin:17-jdk` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135377, "scanner": "repobility-supply-chain", "fingerprint": "374f55f002d48498d1e10dd167211961d4be1ac94d61ae8f77778a4cdcfe99f2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|374f55f002d48498d1e10dd167211961d4be1ac94d61ae8f77778a4cdcfe99f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "troubleshoot/backend/docker/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `yugabyteci/yb_build_infra_almalinux9_x86_64:latest` not pinned by digest: `FROM yugabyteci/yb_build_infra_almalinux9_x86_64:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135376, "scanner": "repobility-supply-chain", "fingerprint": "7146318b1c4a48bb2df9396aee359794e21812c81350580bc89cf30149fb582e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7146318b1c4a48bb2df9396aee359794e21812c81350580bc89cf30149fb582e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `yugabyteci/yb_build_infra_almalinux9_x86_64:latest` not pinned by digest: `FROM yugabyteci/yb_build_infra_almalinux9_x86_64:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135375, "scanner": "repobility-supply-chain", "fingerprint": "f2408b6163dbd3256f6fdcdb9db5503faf150e93d08b3542a94411ab0af90a53", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f2408b6163dbd3256f6fdcdb9db5503faf150e93d08b3542a94411ab0af90a53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `yugabyteci/yb_build_infra_almalinux9_x86_64:latest` not pinned by digest: `FROM yugabyteci/yb_build_infra_almalinux9_x86_64:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 135374, "scanner": "repobility-supply-chain", "fingerprint": "6e1c3bdd1bbf47ba8fdcdfeb51363e568ae2b03faa4b0a7acb1d5b62e753b165", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6e1c3bdd1bbf47ba8fdcdfeb51363e568ae2b03faa4b0a7acb1d5b62e753b165"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".cursor/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_destructor: Test function `test_destructor` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135343, "scanner": "repobility-ast-engine", "fingerprint": "ec781e813d44cb9493648706f8b4b3798e804478716c309c4fa3a381ae153cdd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ec781e813d44cb9493648706f8b4b3798e804478716c309c4fa3a381ae153cdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/ai/rag_agent/tests/test_yugabytedb_vector_store.py"}, "region": {"startLine": 210}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_close_connections: Test function `test_close_connections` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135342, "scanner": "repobility-ast-engine", "fingerprint": "48349fe98968b4cdf793bbd6bfc3dcdd52dd141d58aea849879c3507f18793d2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|48349fe98968b4cdf793bbd6bfc3dcdd52dd141d58aea849879c3507f18793d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/ai/rag_agent/tests/test_yugabytedb_vector_store.py"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_ingest_document_vector_store_exception: Test function `test_ingest_document_vector_store_exception` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135341, "scanner": "repobility-ast-engine", "fingerprint": "ad3f66605fb1d9ce24d2550d95bd8f030a8447ef9d6099a63825e93937bc884b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ad3f66605fb1d9ce24d2550d95bd8f030a8447ef9d6099a63825e93937bc884b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/ai/rag_agent/tests/test_rag_handler.py"}, "region": {"startLine": 279}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_ingest_document_embedding_exception: Test function `test_ingest_document_embedding_exception` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135340, "scanner": "repobility-ast-engine", "fingerprint": "36f9266a468cd672ae7275988953cd7670e8ac443d103ce873c1fd0dd11ffb70", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|36f9266a468cd672ae7275988953cd7670e8ac443d103ce873c1fd0dd11ffb70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/ai/rag_agent/tests/test_rag_handler.py"}, "region": {"startLine": 254}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_ingest_document_pipeline_exception: Test function `test_ingest_document_pipeline_exception` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135339, "scanner": "repobility-ast-engine", "fingerprint": "592319b52dbb374a451f5529195c36fad05281bc02ff492150f733d0f175073d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|592319b52dbb374a451f5529195c36fad05281bc02ff492150f733d0f175073d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/ai/rag_agent/tests/test_rag_handler.py"}, "region": {"startLine": 229}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_ingest_document_missing_dimensions: Test function `test_ingest_document_missing_dimensions` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135338, "scanner": "repobility-ast-engine", "fingerprint": "a24d2f214f61b4f4848e15f38966e18afe31e438933cc052592091b3b853a931", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a24d2f214f61b4f4848e15f38966e18afe31e438933cc052592091b3b853a931"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/ai/rag_agent/tests/test_rag_handler.py"}, "region": {"startLine": 212}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_ingest_document_missing_model: Test function `test_ingest_document_missing_model` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135337, "scanner": "repobility-ast-engine", "fingerprint": "1ead5aea72ab0c1bb5c6a9df4d352d169c9055af5ab75e57eca98a48890fadc5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1ead5aea72ab0c1bb5c6a9df4d352d169c9055af5ab75e57eca98a48890fadc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/ai/rag_agent/tests/test_rag_handler.py"}, "region": {"startLine": 196}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_chunk_invalid_json_args: Test function `test_chunk_invalid_json_args` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135336, "scanner": "repobility-ast-engine", "fingerprint": "84a7db9e71931de5a5fb6498c34bb7de80d9b2d15fde56e6ae3e1d1050f26fd2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|84a7db9e71931de5a5fb6498c34bb7de80d9b2d15fde56e6ae3e1d1050f26fd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/ai/rag_agent/tests/test_chunk.py"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_chunk_unknown_splitter: Test function `test_chunk_unknown_splitter` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135335, "scanner": "repobility-ast-engine", "fingerprint": "8b931cb5241dfbacefb24632a0b524f910e0d95881a874809ce81968e90f0e35", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8b931cb5241dfbacefb24632a0b524f910e0d95881a874809ce81968e90f0e35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/ai/rag_agent/tests/test_chunk.py"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_read_s3_file_error: Test function `test_read_s3_file_error` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135334, "scanner": "repobility-ast-engine", "fingerprint": "a04f47af44e6755fa3d3ca7ba5e0994396d28ea7f728cd6c41a0413744355fe4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a04f47af44e6755fa3d3ca7ba5e0994396d28ea7f728cd6c41a0413744355fe4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/ai/rag_agent/tests/test_pipeline_comprehensive.py"}, "region": {"startLine": 173}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_read_local_file_nonexistent: Test function `test_read_local_file_nonexistent` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135333, "scanner": "repobility-ast-engine", "fingerprint": "f18334c7c4e0ae5ddec8378f8d17a0c071b30f6d00e912fa0b797a29b52e96cb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f18334c7c4e0ae5ddec8378f8d17a0c071b30f6d00e912fa0b797a29b52e96cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/ai/rag_agent/tests/test_pipeline_comprehensive.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_error_handling_in_pipeline: Test function `test_error_handling_in_pipeline` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135332, "scanner": "repobility-ast-engine", "fingerprint": "1c6437a2d837584d25746303a862a41f9fd62491e21d7476f5365fe328a28395", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1c6437a2d837584d25746303a862a41f9fd62491e21d7476f5365fe328a28395"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/ai/rag_agent/tests/test_integration.py"}, "region": {"startLine": 160}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_analyze_test_results: Test function `test_analyze_test_results` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135326, "scanner": "repobility-ast-engine", "fingerprint": "311c3e2e9b876764f97cf481c9a338889ab78c23e41265d8242c70bb2e9a730e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|311c3e2e9b876764f97cf481c9a338889ab78c23e41265d8242c70bb2e9a730e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/yugabyte/test_analyze_test_results.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_proto_deps_validity: Test function `test_proto_deps_validity` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135321, "scanner": "repobility-ast-engine", "fingerprint": "de182f034a23017ba0b2e8a1633634b411fdbbeb8de9b0a716d581de3c01c772", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|de182f034a23017ba0b2e8a1633634b411fdbbeb8de9b0a716d581de3c01c772"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/yugabyte/dependency_graph.py"}, "region": {"startLine": 598}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_flex_bison: Test function `test_flex_bison` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135320, "scanner": "repobility-ast-engine", "fingerprint": "46d33867c32ff07ca484db73993493f5dcf59922f080c1a77e9294ae332dcb53", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|46d33867c32ff07ca484db73993493f5dcf59922f080c1a77e9294ae332dcb53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/yugabyte/dependency_graph.py"}, "region": {"startLine": 590}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_bulk_load_tool: Test function `test_bulk_load_tool` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135319, "scanner": "repobility-ast-engine", "fingerprint": "2cacba0df96eb18314aca99c08ddaf7eeea5e02a9a8c4d1eeee0a6e7ae4b772f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2cacba0df96eb18314aca99c08ddaf7eeea5e02a9a8c4d1eeee0a6e7ae4b772f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/yugabyte/dependency_graph.py"}, "region": {"startLine": 581}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_catalog_manager: Test function `test_catalog_manager` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135318, "scanner": "repobility-ast-engine", "fingerprint": "eea06735d2da02444157764ce4eb35bb98a35bd74b699de47bd88cce841ac262", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eea06735d2da02444157764ce4eb35bb98a35bd74b699de47bd88cce841ac262"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/yugabyte/dependency_graph.py"}, "region": {"startLine": 575}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_call_home: Test function `test_call_home` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135317, "scanner": "repobility-ast-engine", "fingerprint": "49965c3c04444a2c7f388aaff1e22c0e739724602d710a2f30c53a98865eb4c2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|49965c3c04444a2c7f388aaff1e22c0e739724602d710a2f30c53a98865eb4c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/yugabyte/dependency_graph.py"}, "region": {"startLine": 564}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_yb_admin: Test function `test_yb_admin` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135316, "scanner": "repobility-ast-engine", "fingerprint": "f988567259018f14e0d2e664eca136a08ce65662a01a41122c80179869637129", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f988567259018f14e0d2e664eca136a08ce65662a01a41122c80179869637129"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/yugabyte/dependency_graph.py"}, "region": {"startLine": 557}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_tablet_server_main: Test function `test_tablet_server_main` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135315, "scanner": "repobility-ast-engine", "fingerprint": "89afbf4c0edf7fc58aa4ec5f86b20159bb0831f9f1ea829fb660e58d58d7959d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|89afbf4c0edf7fc58aa4ec5f86b20159bb0831f9f1ea829fb660e58d58d7959d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/yugabyte/dependency_graph.py"}, "region": {"startLine": 546}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_master_main: Test function `test_master_main` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135314, "scanner": "repobility-ast-engine", "fingerprint": "ea16e02b08a18c888b6d40bcae60b4a82577282347e5165b6f82e69ff0779503", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ea16e02b08a18c888b6d40bcae60b4a82577282347e5165b6f82e69ff0779503"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/yugabyte/dependency_graph.py"}, "region": {"startLine": 538}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_java_test_log_rewrite: Test function `test_java_test_log_rewrite` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135313, "scanner": "repobility-ast-engine", "fingerprint": "9ca86a1a5d4c1e296cd862a2b592562fda7f980b71eb30517a11be699da9c1de", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9ca86a1a5d4c1e296cd862a2b592562fda7f980b71eb30517a11be699da9c1de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/yugabyte/test_rewrite_test_log.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_file_readable: Test function `test_file_readable` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135310, "scanner": "repobility-ast-engine", "fingerprint": "fdd0fe6614fd12c1d33027bb61f37f85da7cebf240eca3ad536f991a8328eae7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fdd0fe6614fd12c1d33027bb61f37f85da7cebf240eca3ad536f991a8328eae7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/cloud/onprem/method.py"}, "region": {"startLine": 281}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_main_parses_args_when_not_initialized: Test function `test_main_parses_args_when_not_initialized` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135295, "scanner": "repobility-ast-engine", "fingerprint": "97803d50421c2ac3cdc516a2e73ceffb84bfea3f2766adc91830c389e3e6be4f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|97803d50421c2ac3cdc516a2e73ceffb84bfea3f2766adc91830c389e3e6be4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/tests/add_superadmin/test_add_superadmin_user.py"}, "region": {"startLine": 323}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_cluster: Test function `test_cluster` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 135277, "scanner": "repobility-ast-engine", "fingerprint": "9e62322dfe5d19963db76675e9ba325c139f625c76a50f62ebd22aa292b483d2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9e62322dfe5d19963db76675e9ba325c139f625c76a50f62ebd22aa292b483d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/test_bsopt.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.__timeout` used but never assigned in __init__: Method `stop_services` of class `YBControl` reads `self.__timeout`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135276, "scanner": "repobility-ast-engine", "fingerprint": "e80e9e2b578ec387d335721eaa0fd3e4aa4c7b69053f77d795307a34bc494a95", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e80e9e2b578ec387d335721eaa0fd3e4aa4c7b69053f77d795307a34bc494a95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/ybcontrol.py"}, "region": {"startLine": 417}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.print_help` used but never assigned in __init__: Method `error` of class `YbArgumentParser` reads `self.print_help`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135275, "scanner": "repobility-ast-engine", "fingerprint": "31657bd8a8bd00b8bd9855ef193457ec00c25a68cc8e13f44341caaa7800e4f1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|31657bd8a8bd00b8bd9855ef193457ec00c25a68cc8e13f44341caaa7800e4f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/ybcontrol.py"}, "region": {"startLine": 397}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.__execute` used but never assigned in __init__: Method `execute` of class `RollTask` reads `self.__execute`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135274, "scanner": "repobility-ast-engine", "fingerprint": "a8a9a39bf13952124b01684399715a75d4cea32e17147475c59aebae01988775", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a8a9a39bf13952124b01684399715a75d4cea32e17147475c59aebae01988775"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/ybcontrol.py"}, "region": {"startLine": 368}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.__execute` used but never assigned in __init__: Method `execute` of class `RollTask` reads `self.__execute`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135273, "scanner": "repobility-ast-engine", "fingerprint": "6a0e885701a5fbe72ff26456550177715803536a2bd5e0796eed497ceea19fb9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6a0e885701a5fbe72ff26456550177715803536a2bd5e0796eed497ceea19fb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/ybcontrol.py"}, "region": {"startLine": 370}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.__call_list` used but never assigned in __init__: Method `__do_work` of class `StopProcedure` reads `self.__call_list`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135272, "scanner": "repobility-ast-engine", "fingerprint": "7b722f337d1a57a3e21b5340506edb8aa7918aa3374eb8bd5a6c3101178ae6b0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7b722f337d1a57a3e21b5340506edb8aa7918aa3374eb8bd5a6c3101178ae6b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/ybcontrol.py"}, "region": {"startLine": 264}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.__call_stop` used but never assigned in __init__: Method `__do_work` of class `StopProcedure` reads `self.__call_stop`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135271, "scanner": "repobility-ast-engine", "fingerprint": "1cb91254dff1b7732a035f165ef3d34cb00a58210bd9aa245a1f21c4ee815415", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1cb91254dff1b7732a035f165ef3d34cb00a58210bd9aa245a1f21c4ee815415"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/ybcontrol.py"}, "region": {"startLine": 262}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.__call_list` used but never assigned in __init__: Method `__do_work` of class `StopProcedure` reads `self.__call_list`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135270, "scanner": "repobility-ast-engine", "fingerprint": "4cf77ae9767f5899ac0c7695803c096de4867d45591872b141c125660d7fc9e1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4cf77ae9767f5899ac0c7695803c096de4867d45591872b141c125660d7fc9e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/ybcontrol.py"}, "region": {"startLine": 251}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.__call_stop` used but never assigned in __init__: Method `__do_work` of class `StopProcedure` reads `self.__call_stop`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135269, "scanner": "repobility-ast-engine", "fingerprint": "8d424efecc6ec6c0b3aa7b32bc5f394edf5aa73397d78ed7bfabdf7209d8a4fc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8d424efecc6ec6c0b3aa7b32bc5f394edf5aa73397d78ed7bfabdf7209d8a4fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/ybcontrol.py"}, "region": {"startLine": 247}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.__launch` used but never assigned in __init__: Method `__call_list` of class `StopProcedure` reads `self.__launch`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135268, "scanner": "repobility-ast-engine", "fingerprint": "90347665538bc96dba4d6e9391ed425f1c0d1ae66b2728aa4c5629860e27d12f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|90347665538bc96dba4d6e9391ed425f1c0d1ae66b2728aa4c5629860e27d12f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/ybcontrol.py"}, "region": {"startLine": 240}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.__launch` used but never assigned in __init__: Method `__call_stop` of class `StopProcedure` reads `self.__launch`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135267, "scanner": "repobility-ast-engine", "fingerprint": "2e2020036f3422f933cf9b52e6aa04540044f24969f9512799f61769c6d4cf49", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2e2020036f3422f933cf9b52e6aa04540044f24969f9512799f61769c6d4cf49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/ybcontrol.py"}, "region": {"startLine": 237}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.__do_work` used but never assigned in __init__: Method `check` of class `StopProcedure` reads `self.__do_work`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135266, "scanner": "repobility-ast-engine", "fingerprint": "1e8c2a9212f61d0ff9d8ba4cfcba6d3b56894280a71fdf11fe8ee13bff4cd541", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1e8c2a9212f61d0ff9d8ba4cfcba6d3b56894280a71fdf11fe8ee13bff4cd541"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/ybcontrol.py"}, "region": {"startLine": 232}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.describe` used but never assigned in __init__: Method `check` of class `CopyProcedure` reads `self.describe`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135265, "scanner": "repobility-ast-engine", "fingerprint": "3391d62b52a53f158762dca0b5c55af99e3398e5c1aae0a7ea9df193073c6d7c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3391d62b52a53f158762dca0b5c55af99e3398e5c1aae0a7ea9df193073c6d7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/ybcontrol.py"}, "region": {"startLine": 212}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.launch_simple` used but never assigned in __init__: Method `execute_everywhere` of class `ClusterManager` reads `self.launch_simple`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135264, "scanner": "repobility-ast-engine", "fingerprint": "352d507cb63d2cd5aafca39a76f2db98d8b6bf964743da048e43c224c912e45e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|352d507cb63d2cd5aafca39a76f2db98d8b6bf964743da048e43c224c912e45e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/ybcontrol.py"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.service_hosts` used but never assigned in __init__: Method `execute_service_commands` of class `ClusterManager` reads `self.service_hosts`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135263, "scanner": "repobility-ast-engine", "fingerprint": "92188068327a10c0e8f1a39e9508287a7489023e30f71ddfb290e9d95a338169", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|92188068327a10c0e8f1a39e9508287a7489023e30f71ddfb290e9d95a338169"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/ybcontrol.py"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.launch_simple` used but never assigned in __init__: Method `execute_service_commands` of class `ClusterManager` reads `self.launch_simple`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135262, "scanner": "repobility-ast-engine", "fingerprint": "dbd40b31fcffa57bf0917aae7d980b66b979ccab9cc19e4e6b7817d92fb9cc16", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dbd40b31fcffa57bf0917aae7d980b66b979ccab9cc19e4e6b7817d92fb9cc16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/ybcontrol.py"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.service_hosts` used but never assigned in __init__: Method `launch_at_service` of class `ClusterManager` reads `self.service_hosts`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135261, "scanner": "repobility-ast-engine", "fingerprint": "558fa355d495ea90909c36d0e70f993e7af8c5a354ab6d17848398190056612c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|558fa355d495ea90909c36d0e70f993e7af8c5a354ab6d17848398190056612c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/ybcontrol.py"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.launch_simple` used but never assigned in __init__: Method `launch_at_service` of class `ClusterManager` reads `self.launch_simple`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135260, "scanner": "repobility-ast-engine", "fingerprint": "285f7566b713d36e394be04d67e9de135f67c17f2d9a6e80781d0b670e31aba0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|285f7566b713d36e394be04d67e9de135f67c17f2d9a6e80781d0b670e31aba0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/ybcontrol.py"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.parse_stack_line` used but never assigned in __init__: Method `parse_heap_file` of class `YBProf` reads `self.parse_stack_line`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135259, "scanner": "repobility-ast-engine", "fingerprint": "013b705214c82077bdb24a6266cf440a399ab9cc8659761239cd2f25d7ccd621", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|013b705214c82077bdb24a6266cf440a399ab9cc8659761239cd2f25d7ccd621"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/yb-prof.py"}, "region": {"startLine": 197}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.parse_header_line` used but never assigned in __init__: Method `parse_heap_file` of class `YBProf` reads `self.parse_header_line`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135258, "scanner": "repobility-ast-engine", "fingerprint": "0074946ba8a8f2ce28f6760d1ff63b66aa2b178a17c88ec30260987b81c7065e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0074946ba8a8f2ce28f6760d1ff63b66aa2b178a17c88ec30260987b81c7065e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/yb-prof.py"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.print_records` used but never assigned in __init__: Method `parse_heap_file` of class `YBProf` reads `self.print_records`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135257, "scanner": "repobility-ast-engine", "fingerprint": "f95d0a4f1f6d1334e23d156ddba322e826fd0fa37858eb7c652924e591329b5f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f95d0a4f1f6d1334e23d156ddba322e826fd0fa37858eb7c652924e591329b5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/yb-prof.py"}, "region": {"startLine": 200}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.print_records` used but never assigned in __init__: Method `parse_heap_file` of class `YBProf` reads `self.print_records`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135256, "scanner": "repobility-ast-engine", "fingerprint": "3b9ef4a6d4c2aaa132d1e1857eb91e3b1e6383f8b1b2f219a9edd1b4e8296e05", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3b9ef4a6d4c2aaa132d1e1857eb91e3b1e6383f8b1b2f219a9edd1b4e8296e05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/yb-prof.py"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.symbolize_all` used but never assigned in __init__: Method `parse_heap_file` of class `YBProf` reads `self.symbolize_all`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135255, "scanner": "repobility-ast-engine", "fingerprint": "aaa5b4cf82e8b89be46ae3a6d0d97c28fb7ef7bdbfcf93443a00eb8989aa6185", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aaa5b4cf82e8b89be46ae3a6d0d97c28fb7ef7bdbfcf93443a00eb8989aa6185"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/yb-prof.py"}, "region": {"startLine": 198}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.symbolize` used but never assigned in __init__: Method `symbolize_all` of class `YBProf` reads `self.symbolize`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135254, "scanner": "repobility-ast-engine", "fingerprint": "7e776242f564ceac9f300fd2f03b3ab8428717b5a611f64d538c327a531ea5cc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7e776242f564ceac9f300fd2f03b3ab8428717b5a611f64d538c327a531ea5cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/yb-prof.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.symbolize` used but never assigned in __init__: Method `symbolize_all` of class `YBProf` reads `self.symbolize`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135253, "scanner": "repobility-ast-engine", "fingerprint": "4e5cfab8dc6c30db7e5dc0d5e2fadb0a1e0fd9549c5893db137f10080270f51e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4e5cfab8dc6c30db7e5dc0d5e2fadb0a1e0fd9549c5893db137f10080270f51e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/yb-prof.py"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.parse_heap_file` used but never assigned in __init__: Method `invoke_heap_profile_handler` of class `YBProf` reads `self.parse_heap_file`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 135252, "scanner": "repobility-ast-engine", "fingerprint": "108028f876a0195ad5922eb758e202f1173b865a71aeef0e662930fadebc8000", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|108028f876a0195ad5922eb758e202f1173b865a71aeef0e662930fadebc8000"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/yb-prof.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 135249, "scanner": "repobility-journey-contract", "fingerprint": "52ff43e19a1542fb79116c27b4a19f29bf4d206dd63b2ef0d434b918f3bde4be", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|79|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 6}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/ui/src/redesign/features/rbac/common/RbacApiPermValidator.tsx"}, "region": {"startLine": 79}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 135234, "scanner": "repobility-docker", "fingerprint": "a346391df1e46445a6f703ba9137d85df66fb53fffb0deb40524e6b2f872539b", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5434:5432", "target": "5432", "host_ip": "", "published": "5434"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|a346391df1e46445a6f703ba9137d85df66fb53fffb0deb40524e6b2f872539b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "troubleshoot/backend/docker/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 135230, "scanner": "repobility-docker", "fingerprint": "c56967159441d6f41722fe41dc14a1af0eed081f46a86848ac232a25c8120770", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "PostgreSQL", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|c56967159441d6f41722fe41dc14a1af0eed081f46a86848ac232a25c8120770", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/postgresql_anonymizer/docker/docker-compose.yml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 135229, "scanner": "repobility-docker", "fingerprint": "69acfd0643f1fcbb858eb5c95bb494e74dcfbfd1ac982c4b0342ec789a5a6f3f", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "54322:5432", "target": "5432", "host_ip": "", "published": "54322"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "PostgreSQL", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|69acfd0643f1fcbb858eb5c95bb494e74dcfbfd1ac982c4b0342ec789a5a6f3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/postgresql_anonymizer/docker/docker-compose.yml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 135225, "scanner": "repobility-docker", "fingerprint": "3f976e56aebaa5cf5ce3344c532a7231d493e8ca0888ee2dbe44137be9296eba", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "fake-gcs-server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3f976e56aebaa5cf5ce3344c532a7231d493e8ca0888ee2dbe44137be9296eba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_parquet/.devcontainer/docker-compose.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 135223, "scanner": "repobility-docker", "fingerprint": "4f8485cf3076434179965dd7b8b0d7aec6408f842157cf971b19fb93dc00f75f", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "webdav", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4f8485cf3076434179965dd7b8b0d7aec6408f842157cf971b19fb93dc00f75f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_parquet/.devcontainer/docker-compose.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 135221, "scanner": "repobility-docker", "fingerprint": "80c8d31ff14851aa7979f6735e2492439ef08cea1ffb7a9407300e8948b78eb6", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "azurite", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|80c8d31ff14851aa7979f6735e2492439ef08cea1ffb7a9407300e8948b78eb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_parquet/.devcontainer/docker-compose.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 135218, "scanner": "repobility-docker", "fingerprint": "e05084cf66ff1f6ad6058cbe56e58fc433dd44f99e28919ff23d78eed5d88379", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "minio", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e05084cf66ff1f6ad6058cbe56e58fc433dd44f99e28919ff23d78eed5d88379"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_parquet/.devcontainer/docker-compose.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 135212, "scanner": "repobility-docker", "fingerprint": "7b96d0a3e9206a9cc61819739f57ff3f110e09d6432dd470941dfc3c5c5831cd", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7b96d0a3e9206a9cc61819739f57ff3f110e09d6432dd470941dfc3c5c5831cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_parquet/.devcontainer/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 135192, "scanner": "repobility-docker", "fingerprint": "f108da14dcf7a4e0ebc2a73bfb2f5362b68803a1337efb746096e99818d30253", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5433:5432", "target": "5432", "host_ip": "", "published": "5433"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|f108da14dcf7a4e0ebc2a73bfb2f5362b68803a1337efb746096e99818d30253"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/docker-compose.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 135183, "scanner": "repobility-docker", "fingerprint": "88fff6f577d4379bbeeac39ec7ae10bc81e25701b9b9f47aa0d62382884c9366", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|88fff6f577d4379bbeeac39ec7ae10bc81e25701b9b9f47aa0d62382884c9366"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yugabyted-ui/apiserver/conf/templates/go-echo-server/Dockerfile.mustache"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 135182, "scanner": "repobility-docker", "fingerprint": "2929bfe4a9fd19d31d0e8e4c63e6a29961c90e1456312374d07e9a91384cff5c", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|2929bfe4a9fd19d31d0e8e4c63e6a29961c90e1456312374d07e9a91384cff5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "yugabyted-ui/apiserver/cmd/server/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 135180, "scanner": "repobility-docker", "fingerprint": "f1dde2af9d3592d81532f979a63c91f363546a6412fd66ff5ea26d4b2e1bd859", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|f1dde2af9d3592d81532f979a63c91f363546a6412fd66ff5ea26d4b2e1bd859"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "troubleshoot/backend/docker/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 135177, "scanner": "repobility-docker", "fingerprint": "c3b55541f2d5165db002f74b11cb601c6f3c705f6e07fe6b93ebe408b2d52578", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c3b55541f2d5165db002f74b11cb601c6f3c705f6e07fe6b93ebe408b2d52578"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/postgresql_anonymizer/docker/Dockerfile"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 135173, "scanner": "repobility-docker", "fingerprint": "7e353ad7c1711b80958561fee5c736c7942e81b25bb786cc8b6d225ba78e67cf", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|7e353ad7c1711b80958561fee5c736c7942e81b25bb786cc8b6d225ba78e67cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgvector/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 135169, "scanner": "repobility-docker", "fingerprint": "7e14e3d82fb1d4db860718dd38897cf5cfb39c090677302d9f67dbcf9d6094a5", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7e14e3d82fb1d4db860718dd38897cf5cfb39c090677302d9f67dbcf9d6094a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgrx/.github/docker/Dockerfile.fedora"}, "region": {"startLine": 47}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 135168, "scanner": "repobility-docker", "fingerprint": "a620d4130b0719b5c8e5349ab808baa7e7939dd38067308015703d54693517da", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|a620d4130b0719b5c8e5349ab808baa7e7939dd38067308015703d54693517da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgrx/.github/docker/Dockerfile.fedora"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 135166, "scanner": "repobility-docker", "fingerprint": "39b1cadbe381555408b2a4bd0831eb0c0c095c1b97535cc4a45f336446127e10", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|39b1cadbe381555408b2a4bd0831eb0c0c095c1b97535cc4a45f336446127e10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgrx/.github/docker/Dockerfile.debian_bullseye"}, "region": {"startLine": 54}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 135165, "scanner": "repobility-docker", "fingerprint": "0e917afe2eb425e9502f6fd37b691b5a0fc3752d5f799c981261c355ac864897", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|0e917afe2eb425e9502f6fd37b691b5a0fc3752d5f799c981261c355ac864897"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgrx/.github/docker/Dockerfile.debian_bullseye"}, "region": {"startLine": 46}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 135160, "scanner": "repobility-docker", "fingerprint": "d0f6b60591c91ef1cb2b46a9f5ef6d6f13dc8333c4c839d372815fdee17637e5", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d0f6b60591c91ef1cb2b46a9f5ef6d6f13dc8333c4c839d372815fdee17637e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgrx/.github/docker/Dockerfile.amazon_2"}, "region": {"startLine": 76}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 135159, "scanner": "repobility-docker", "fingerprint": "8a15abca34bad225dffc7be0b17f0d9977e5ad82c237ee97f218d9ce44cb16dd", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|8a15abca34bad225dffc7be0b17f0d9977e5ad82c237ee97f218d9ce44cb16dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgrx/.github/docker/Dockerfile.amazon_2"}, "region": {"startLine": 70}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 135158, "scanner": "repobility-docker", "fingerprint": "bdc454284b2eab0d7e39fe55e157d5398a034e87d786db1f9045f316e34ed7f1", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|bdc454284b2eab0d7e39fe55e157d5398a034e87d786db1f9045f316e34ed7f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgrx/.github/docker/Dockerfile.alpine"}, "region": {"startLine": 48}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 135157, "scanner": "repobility-docker", "fingerprint": "183a4464c40ed685730d2f61eab522218bfc2b22c39d5ab7d80657ac9ba5ab7c", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|183a4464c40ed685730d2f61eab522218bfc2b22c39d5ab7d80657ac9ba5ab7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pgrx/.github/docker/Dockerfile.alpine"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 135151, "scanner": "repobility-docker", "fingerprint": "d0062d4d1f465a00b6a365081c928b431ddeb8512da2c02fb6c01af4fc9a0b18", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d0062d4d1f465a00b6a365081c928b431ddeb8512da2c02fb6c01af4fc9a0b18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_parquet/.devcontainer/Dockerfile"}, "region": {"startLine": 45}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 135142, "scanner": "repobility-docker", "fingerprint": "2154c9961ab606cab85433fd5283eff0c042b4666994bec9245d7ac8b5482a84", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|2154c9961ab606cab85433fd5283eff0c042b4666994bec9245d7ac8b5482a84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/mage/docker/Dockerfile.dev"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 135138, "scanner": "repobility-docker", "fingerprint": "ab30d5e0ffa5d396520faac98817b0995f029e05758e35054a03120abd68f135", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|ab30d5e0ffa5d396520faac98817b0995f029e05758e35054a03120abd68f135"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/mage/docker/Dockerfile"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 135128, "scanner": "repobility-docker", "fingerprint": "acd39200a439ebe76fd228c0f723827eb20abf6fde5c76742f3ec8fbc29d31b6", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|acd39200a439ebe76fd228c0f723827eb20abf6fde5c76742f3ec8fbc29d31b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker/dpkg/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 135123, "scanner": "repobility-docker", "fingerprint": "04ae3dc5a81e56d9652e56f8415114f3fd82017b5ce4120fe34141ff449cb859", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|04ae3dc5a81e56d9652e56f8415114f3fd82017b5ce4120fe34141ff449cb859"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/odyssey/docker/Dockerfile"}, "region": {"startLine": 52}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 135119, "scanner": "repobility-docker", "fingerprint": "955e0e9ff041b55403e841b44250d1969532bdf6b4f2192f5bc038f6306038d2", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|955e0e9ff041b55403e841b44250d1969532bdf6b4f2192f5bc038f6306038d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/ai/rag_agent/Dockerfile"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 135115, "scanner": "repobility-docker", "fingerprint": "8d768b6b0848ad9ca1bd06ea30db1b78d9d6ace1c0d3c9e6a7615710a76069d7", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|8d768b6b0848ad9ca1bd06ea30db1b78d9d6ace1c0d3c9e6a7615710a76069d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/pex/Dockerfile"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 135112, "scanner": "repobility-docker", "fingerprint": "842a39db7863b77dccce92413f815ac745971d187bfe4df76c67434d81b04745", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "root", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|842a39db7863b77dccce92413f815ac745971d187bfe4df76c67434d81b04745"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 135111, "scanner": "repobility-docker", "fingerprint": "df01d972ef8ad85953590eedd103d28480f4080f6c6fcf8846f193967b12dbca", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|df01d972ef8ad85953590eedd103d28480f4080f6c6fcf8846f193967b12dbca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/Dockerfile"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED008", "level": "error", "message": {"text": "[MINED008] Swift Force Unwrap: optional! crashes on nil. Use guard let or if let."}, "properties": {"repobilityId": 135020, "scanner": "repobility-threat-engine", "fingerprint": "f3269085561ea8489a946798c6ed1c3c58e333eaec16e9a5412690cc08a30131", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "swift-force-unwrap", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["swift"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347916+00:00", "triaged_in_corpus": 15, "observations_count": 210453, "ai_coder_pattern_id": 157}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f3269085561ea8489a946798c6ed1c3c58e333eaec16e9a5412690cc08a30131"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/project/UIRunHook.scala"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED002", "level": "error", "message": {"text": "[MINED002] Dart Null Bang: value! throws on null. Use ?. or null check."}, "properties": {"repobilityId": 135019, "scanner": "repobility-threat-engine", "fingerprint": "409fbe6790bcc151759e54527cb1799654442bf76e8add45e9cb7ebe11908b89", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "dart-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["dart"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347899+00:00", "triaged_in_corpus": 15, "observations_count": 1434931, "ai_coder_pattern_id": 167}, "scanner": "repobility-threat-engine", "correlation_key": "fp|409fbe6790bcc151759e54527cb1799654442bf76e8add45e9cb7ebe11908b89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/project/UIRunHook.scala"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 135018, "scanner": "repobility-threat-engine", "fingerprint": "a4ca8a8499351461024964994aaa53befbb9a6159160762aec749fc01f7d240d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a4ca8a8499351461024964994aaa53befbb9a6159160762aec749fc01f7d240d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/ynp/yba/request.go"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC088", "level": "error", "message": {"text": "[SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification \u2014 MITM risk. Ported from gosec G402 (Apache-2.0)."}, "properties": {"repobilityId": 135017, "scanner": "repobility-threat-engine", "fingerprint": "7045462c8d92895b79cc5f3ac3e90d07caad514a33da8c193b69c20bdc28c1fd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "InsecureSkipVerify: true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC088", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7045462c8d92895b79cc5f3ac3e90d07caad514a33da8c193b69c20bdc28c1fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/ynp/yba/request.go"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC080", "level": "error", "message": {"text": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). Ported from bandit B202 (Apache-2.0)."}, "properties": {"repobilityId": 135016, "scanner": "repobility-threat-engine", "fingerprint": "722aefe9ef57be47ac71a9ede4a422633015a0403283a9595742788bf3e6c9da", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "tarfile.extractfile(member)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC080", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|722aefe9ef57be47ac71a9ede4a422633015a0403283a9595742788bf3e6c9da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/yb_release.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 135015, "scanner": "repobility-threat-engine", "fingerprint": "0a5a5fe585f65b8eeebdc206364a7a9d3f544382ccba95df8ec1c5327e3f2ca8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0a5a5fe585f65b8eeebdc206364a7a9d3f544382ccba95df8ec1c5327e3f2ca8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/app/task/module/shell.go"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 135011, "scanner": "repobility-threat-engine", "fingerprint": "7aa851f70d7cffb4d053a9fe70d87121107a2091e51b08e534970081b4d6058c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7aa851f70d7cffb4d053a9fe70d87121107a2091e51b08e534970081b4d6058c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/app/task/module/systemd.go"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 135010, "scanner": "repobility-threat-engine", "fingerprint": "c439ca43671bc3613a9c76a4237e5315a99cc019f154bd89704839ccc877765f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c439ca43671bc3613a9c76a4237e5315a99cc019f154bd89704839ccc877765f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/app/task/install_otel_collector.go"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 135009, "scanner": "repobility-threat-engine", "fingerprint": "94e600094c39c51d4447436bbb65aa917adc5bf1a9bb2d0882672df07dd0f27d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|94e600094c39c51d4447436bbb65aa917adc5bf1a9bb2d0882672df07dd0f27d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/app/task/configure_server.go"}, "region": {"startLine": 217}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 135002, "scanner": "repobility-threat-engine", "fingerprint": "79974f56217291a21433e0339a9baaa00f93d4608f0dedde44bfd3d09413cbb3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|79974f56217291a21433e0339a9baaa00f93d4608f0dedde44bfd3d09413cbb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/cmd/cli/main.go"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 135001, "scanner": "repobility-threat-engine", "fingerprint": "e5666381fdb324c878f0db282a10bd5cc696c16feadb4335de750ec936a78beb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e5666381fdb324c878f0db282a10bd5cc696c16feadb4335de750ec936a78beb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/app/server/panic_handler.go"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 135000, "scanner": "repobility-threat-engine", "fingerprint": "3a8276636d0aa9b6b43cbedb971ef020a3c1bf79a8488300ae7fa51bf6500e92", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3a8276636d0aa9b6b43cbedb971ef020a3c1bf79a8488300ae7fa51bf6500e92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/app/executor/task_executor.go"}, "region": {"startLine": 121}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 134992, "scanner": "repobility-threat-engine", "fingerprint": "95065ca4e97830ddc4fd0931c6b01ca13886602f8c0d1b9ca92e613ea65975f4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|95065ca4e97830ddc4fd0931c6b01ca13886602f8c0d1b9ca92e613ea65975f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/utils/replicated.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 134990, "scanner": "repobility-threat-engine", "fingerprint": "8f4538e980ab107b3aa057f16af8cb9fc5ba214238f4d612f9efdb6ff0d23ad3", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(v", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8f4538e980ab107b3aa057f16af8cb9fc5ba214238f4d612f9efdb6ff0d23ad3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/api/v2/mappers/UniverseRespDecorator.java"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 134989, "scanner": "repobility-threat-engine", "fingerprint": "8eeb327c756402c83d1cf0c54aa04e91b6581e28ecbb856fc085717bac2e41cf", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(m", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8eeb327c756402c83d1cf0c54aa04e91b6581e28ecbb856fc085717bac2e41cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/api/v2/handlers/MetricsHandler.java"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 134988, "scanner": "repobility-threat-engine", "fingerprint": "25b476ab21db1d78800cabf25b6fddb032b5dca3a27a13df1cfce516cad38a89", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(self._get_request_endpoint", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|25b476ab21db1d78800cabf25b6fddb032b5dca3a27a13df1cfce516cad38a89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/utils/replicated.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED036", "level": "error", "message": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "properties": {"repobilityId": 134987, "scanner": "repobility-threat-engine", "fingerprint": "30df8a591e174798656e363219c46e444f465024477bdbddf40a01003e1bd8c4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-os-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347982+00:00", "triaged_in_corpus": 15, "observations_count": 2221, "ai_coder_pattern_id": 117}, "scanner": "repobility-threat-engine", "correlation_key": "fp|30df8a591e174798656e363219c46e444f465024477bdbddf40a01003e1bd8c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/scripts/generateMetadataFiles.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 134984, "scanner": "repobility-threat-engine", "fingerprint": "3e9f4f87071a9079e80e6c7e260c533ed12859a430f27bbd962a1f23873c5c63", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "config.Update(util.PlatformCertsUpgradeKey, upgradeInfo.CertDir)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3e9f4f87071a9079e80e6c7e260c533ed12859a430f27bbd962a1f23873c5c63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/app/server/state_handler.go"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 134983, "scanner": "repobility-threat-engine", "fingerprint": "313235a60760a5a386422581c6ff413e9e15c39b56c8b3b16776cd1c4be3b42e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "config.Update(util.CustomerIdKey, sessionInfo.CustomerId)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|313235a60760a5a386422581c6ff413e9e15c39b56c8b3b16776cd1c4be3b42e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/app/server/handler.go"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 134982, "scanner": "repobility-threat-engine", "fingerprint": "c9ec56712d3391e1fd9e5818247f0d32f8ea8791a834479e83f2e93bf125df45", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "node_details_common.update(communication_ports)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c9ec56712d3391e1fd9e5818247f0d32f8ea8791a834479e83f2e93bf125df45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/api-examples/python-simple/create-universe.py"}, "region": {"startLine": 189}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 134980, "scanner": "repobility-threat-engine", "fingerprint": "c5e5a904d4bdbceced0a9273682126dc45dda207ae77ba6415a4ff60cb8e3509", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(ctx", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c5e5a904d4bdbceced0a9273682126dc45dda207ae77ba6415a4ff60cb8e3509"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/ynp/executor.go"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 134979, "scanner": "repobility-threat-engine", "fingerprint": "765426ee16990a6a0dd9838d53089b7aa839bad862a15c997124a4fd7c25e4b5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(String", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|765426ee16990a6a0dd9838d53089b7aa839bad862a15c997124a4fd7c25e4b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-sample/src/main/java/org/yb/YbSqlUtil.java"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 134978, "scanner": "repobility-threat-engine", "fingerprint": "92548f3f0db2ae3493e1f2a0c0fbac2d74e9273d37af5e72b254d0d6fcb219ff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(stmt", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|92548f3f0db2ae3493e1f2a0c0fbac2d74e9273d37af5e72b254d0d6fcb219ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-sample/src/main/java/org/yb/LargeScan.java"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 134953, "scanner": "repobility-threat-engine", "fingerprint": "9c0756e586bdcbc1ce455645454bcc528b2d5fd2b16c7b180d699dca1f9ce629", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9c0756e586bdcbc1ce455645454bcc528b2d5fd2b16c7b180d699dca1f9ce629"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cloud/kubernetes/yb-multiregion-k8s-setup.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED040", "level": "error", "message": {"text": "[MINED040] Python Yaml Load Unsafe: yaml.load(stream) without SafeLoader can deserialize arbitrary classes."}, "properties": {"repobilityId": 134948, "scanner": "repobility-threat-engine", "fingerprint": "945a75c735002b83fc9e5f59322ef67e12bd2272550634012528056691863bfa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-yaml-load-unsafe", "owasp": null, "cwe_ids": ["CWE-502"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347991+00:00", "triaged_in_corpus": 15, "observations_count": 1487, "ai_coder_pattern_id": 120}, "scanner": "repobility-threat-engine", "correlation_key": "fp|945a75c735002b83fc9e5f59322ef67e12bd2272550634012528056691863bfa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-support/stabilize_auto_flags_list.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 134930, "scanner": "repobility-threat-engine", "fingerprint": "923acf19617c6d37a196ce751fe2d578d3c3a2e176701054395e49d7bdc13e2b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|923acf19617c6d37a196ce751fe2d578d3c3a2e176701054395e49d7bdc13e2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java/yb-cql-4x/src/main/java/com/yugabyte/sample/common/SimpleLoadGenerator.java"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 134929, "scanner": "repobility-threat-engine", "fingerprint": "181d491685b031372991d2727d5b13805cfb15b718cfd4c485efaa7a97c2a030", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|181d491685b031372991d2727d5b13805cfb15b718cfd4c485efaa7a97c2a030"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-support/invoke_thirdparty_build.sh"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 134928, "scanner": "repobility-threat-engine", "fingerprint": "b6e9d57837c0518cabd8f1cdbf5a7665e1a9ec75c5b51ee4b3fe591d8fc702ea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b6e9d57837c0518cabd8f1cdbf5a7665e1a9ec75c5b51ee4b3fe591d8fc702ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-support/digest_package.sh"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 134927, "scanner": "repobility-threat-engine", "fingerprint": "1b17142391bd7491f2bdea6833f2ec867bcb5e6866f61b6591db98248eaa108f", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search('(D[0-9]+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|69|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "arcanist_util/check-diff-name.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 135438, "scanner": "repobility-supply-chain", "fingerprint": "cde410bd6c6fdfa4cf456ee77bebf68c75e8a5c9d1461058dee7c8f0c2be5e58", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cde410bd6c6fdfa4cf456ee77bebf68c75e8a5c9d1461058dee7c8f0c2be5e58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_parquet/.github/workflows/ci.yml"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.head_ref in run-step: Multi-line `run: |` block interpolates ${{ github.head_ref }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 135437, "scanner": "repobility-supply-chain", "fingerprint": "ef787332e499cbb4479b1df68f7eb41d5dc730a439ec6130344cf78e6d707a94", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ef787332e499cbb4479b1df68f7eb41d5dc730a439ec6130344cf78e6d707a94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_duckdb/.github/workflows/docker.yaml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 135436, "scanner": "repobility-supply-chain", "fingerprint": "fa9350a735a85fdc30a6fdb929a0e9e463871a5a5d7600b9bb9f432d50921c90", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fa9350a735a85fdc30a6fdb929a0e9e463871a5a5d7600b9bb9f432d50921c90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_duckdb/.github/workflows/docker.yaml"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 135435, "scanner": "repobility-supply-chain", "fingerprint": "779e580f5d9b3e35d074712a960b8e7a180f78e527694b7aecda847e5e558f02", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|779e580f5d9b3e35d074712a960b8e7a180f78e527694b7aecda847e5e558f02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_duckdb/.github/workflows/docker.yaml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.head_ref in run-step: `run:` step interpolates ${{ github.head_ref }} directly into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 135429, "scanner": "repobility-supply-chain", "fingerprint": "57261cada910029cad006013e6b2b4546e639d0ea5617823677e376b63c92b59", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|57261cada910029cad006013e6b2b4546e639d0ea5617823677e376b63c92b59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_stat_monitor/.github/workflows/postgresql-11-pmm.yaml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.head_ref in run-step: `run:` step interpolates ${{ github.head_ref }} directly into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 135428, "scanner": "repobility-supply-chain", "fingerprint": "e73ea2e9d8bd8c363eabb98d177e4fbcb2cbd6fbf2eacdc84ba5e5efcc1cdfb1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e73ea2e9d8bd8c363eabb98d177e4fbcb2cbd6fbf2eacdc84ba5e5efcc1cdfb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_stat_monitor/.github/workflows/postgresql-13-pmm.yaml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.head_ref in run-step: `run:` step interpolates ${{ github.head_ref }} directly into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 135427, "scanner": "repobility-supply-chain", "fingerprint": "616bc823d3f9284523bba6ddf600cb8f01036f80366dd22379a0c1526f7f78ce", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|616bc823d3f9284523bba6ddf600cb8f01036f80366dd22379a0c1526f7f78ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_stat_monitor/.github/workflows/postgresql-14-pmm.yaml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.head_ref in run-step: `run:` step interpolates ${{ github.head_ref }} directly into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 135426, "scanner": "repobility-supply-chain", "fingerprint": "f806cfebd789ee02673467b7f77e4ec23e21b663ef473b4b0482255d0d1283b6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f806cfebd789ee02673467b7f77e4ec23e21b663ef473b4b0482255d0d1283b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_stat_monitor/.github/workflows/postgresql-12-pmm.yaml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.head_ref in run-step: `run:` step interpolates ${{ github.head_ref }} directly into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 135425, "scanner": "repobility-supply-chain", "fingerprint": "a294666ba2b3ad870bf3ecd72573140d8a9e62f5110c1d8f32873b695b65fe73", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a294666ba2b3ad870bf3ecd72573140d8a9e62f5110c1d8f32873b695b65fe73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_stat_monitor/.github/workflows/postgresql-15-pmm.yaml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.body in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.body }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 135389, "scanner": "repobility-supply-chain", "fingerprint": "0e943705459c5112dfbd29b150cc6102156f9bd2f463e03cd68720a294c97471", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0e943705459c5112dfbd29b150cc6102156f9bd2f463e03cd68720a294c97471"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-title.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.title in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.title }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 135388, "scanner": "repobility-supply-chain", "fingerprint": "93921048a9be16b87cc125fea07bcffa0e9397c84c1ce7b1aeb8053638e6cea9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|93921048a9be16b87cc125fea07bcffa0e9397c84c1ce7b1aeb8053638e6cea9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-title.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.title in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.title }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 135387, "scanner": "repobility-supply-chain", "fingerprint": "e4f9262bca3a2480870cf280a199401d8d8fac04bea90e147aae7629be7ee1cf", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e4f9262bca3a2480870cf280a199401d8d8fac04bea90e147aae7629be7ee1cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-title.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.title in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.title }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 135386, "scanner": "repobility-supply-chain", "fingerprint": "c5840bd742cdc30c9be6cc93d6865e7587adf3c99caa57aee40a6a4a96ecb6d4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c5840bd742cdc30c9be6cc93d6865e7587adf3c99caa57aee40a6a4a96ecb6d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-title.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.title in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.title }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 135385, "scanner": "repobility-supply-chain", "fingerprint": "6c8ca3049568691a91310bac09bc126719eb488885fa438c0b67927fd65926b8", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6c8ca3049568691a91310bac09bc126719eb488885fa438c0b67927fd65926b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-title.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `copy` used but not imported: The file uses `copy.something(...)` but never imports `copy`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 135348, "scanner": "repobility-ast-engine", "fingerprint": "d4541edb6a66bc580b1cf19aebb82ff0fe36bda0289fddee68c5366c11921ffe", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d4541edb6a66bc580b1cf19aebb82ff0fe36bda0289fddee68c5366c11921ffe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/pg_duckdb/test/pycheck/copy_test.py"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `io` used but not imported: The file uses `io.something(...)` but never imports `io`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 135344, "scanner": "repobility-ast-engine", "fingerprint": "591e499c854bae8d4d1dbe73e070aa89f31908aac2ae73f4f5342470ef6c5e39", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|591e499c854bae8d4d1dbe73e070aa89f31908aac2ae73f4f5342470ef6c5e39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lint/cpplint.py"}, "region": {"startLine": 5677}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `platform` used but not imported: The file uses `platform.something(...)` but never imports `platform`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 135279, "scanner": "repobility-ast-engine", "fingerprint": "34371d5f7ae1e1d10a70453e9f3befc9d0a584ed7ce3856c464a808dfe6c9514", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|34371d5f7ae1e1d10a70453e9f3befc9d0a584ed7ce3856c464a808dfe6c9514"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/node-agent/yb_release.py"}, "region": {"startLine": 95}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 135206, "scanner": "repobility-docker", "fingerprint": "2ea350a81638af8e1ed89aecbdbb616570ba5207a39b1c88ee84d5260d7d3db7", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "db", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|2ea350a81638af8e1ed89aecbdbb616570ba5207a39b1c88ee84d5260d7d3db7", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/postgres/third-party-extensions/mage/drivers/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 135191, "scanner": "repobility-docker", "fingerprint": "b7c24a7e73fb215d4e5b2827ad98a9fd4edb31b1f7c0ff00a56c46487b1b88a1", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|b7c24a7e73fb215d4e5b2827ad98a9fd4edb31b1f7c0ff00a56c46487b1b88a1", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/docker-compose.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 135034, "scanner": "repobility-threat-engine", "fingerprint": "90f14b003063e99f52969c2368bc9dfa86fd3c15b73a84f42d45218d76d157c7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|90f14b003063e99f52969c2368bc9dfa86fd3c15b73a84f42d45218d76d157c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/controllers/handlers/AccessKeyHandler.java"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 135033, "scanner": "repobility-threat-engine", "fingerprint": "a60f20466a5432d6bc017fde0a0cbc6c38e99a49227c8019ba1f527db2d7c0f3", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a60f20466a5432d6bc017fde0a0cbc6c38e99a49227c8019ba1f527db2d7c0f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/common/TemplateManager.java"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 134994, "scanner": "repobility-threat-engine", "fingerprint": "7bb2feba6a328ea07d4c610ce2f4248eaccaadf6d3d608665860708c8261389f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(module", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7bb2feba6a328ea07d4c610ce2f4248eaccaadf6d3d608665860708c8261389f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/pex/pexEnvTest.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 134946, "scanner": "repobility-threat-engine", "fingerprint": "933653561828f14937f8c5034e53579bf8a76a30e67ed51a1d6f07d64d5e84cb", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|933653561828f14937f8c5034e53579bf8a76a30e67ed51a1d6f07d64d5e84cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/common/ConfigHelper.java"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 134945, "scanner": "repobility-threat-engine", "fingerprint": "8fabbb949bcb959361029be026da34760b9e1a6a41be00849c953824df2dbd78", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8fabbb949bcb959361029be026da34760b9e1a6a41be00849c953824df2dbd78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/scripts/generateMetadataFiles.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 134944, "scanner": "repobility-threat-engine", "fingerprint": "689ca31cad993ae867e999ba19024e02371f6e5d4f195a8eb5a3108fdea944b8", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|689ca31cad993ae867e999ba19024e02371f6e5d4f195a8eb5a3108fdea944b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-support/stabilize_auto_flags_list.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 134942, "scanner": "repobility-threat-engine", "fingerprint": "c7f796851024b0dd9d06f0c9330bf0cf6d0ab4f41abc98b1e373d154392d4680", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|107|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/common/ConfigHelper.java"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 134941, "scanner": "repobility-threat-engine", "fingerprint": "7a5f055056a027627e2e5fb9bccafd0bc6f3f8a5494ac7a6ea4a3341df748795", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|98|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/devops/opscli/ybops/scripts/generateMetadataFiles.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 134940, "scanner": "repobility-threat-engine", "fingerprint": "46e5ace209ee271bf6f410ed389054eb937bb8c9855c36051ed0326ef770127b", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|54|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-support/stabilize_auto_flags_list.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 134938, "scanner": "repobility-threat-engine", "fingerprint": "28f93dc3c5604a6e1ffd4de94bb9ca6701a5302480b26ecf48ccef1f742c1c05", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(readFileToString(promConfigFile)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|28f93dc3c5604a6e1ffd4de94bb9ca6701a5302480b26ecf48ccef1f742c1c05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/common/PrometheusConfigManager.java"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 134937, "scanner": "repobility-threat-engine", "fingerprint": "171e85c3ad070aa74b0ba1ca28363104fcc98333a5c397594b32ae0e55055dac", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(inputStream)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|171e85c3ad070aa74b0ba1ca28363104fcc98333a5c397594b32ae0e55055dac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "managed/src/main/java/com/yugabyte/yw/common/ConfigHelper.java"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 134936, "scanner": "repobility-threat-engine", "fingerprint": "59e96fc79f500328e45ef796dfde5672920b60d150d6e524a0d7c886fe1ec60e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(build_desc_file)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|59e96fc79f500328e45ef796dfde5672920b60d150d6e524a0d7c886fe1ec60e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build-support/stabilize_auto_flags_list.py"}, "region": {"startLine": 54}}}]}]}]}