{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "[MINED109] Mutable default argument in `count_messages_tokens` (list): `def count_messages_tokens(... = []/{}/set())` \u2014 ", "shortDescription": {"text": "[MINED109] Mutable default argument in `count_messages_tokens` (list): `def count_messages_tokens(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one c"}, "fullDescription": {"text": "Use None as the default and create the collection inside the function: `def count_messages_tokens(x=None): x = x or []`"}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. 
Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC012", "name": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json", "shortDescription": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, "}, "fullDescription": {"text": "Set docs_url=None, redoc_url=None, and openapi_url=None for production apps unless the docs are intentionally public and protected by routing, ingress, or an authenticated docs handler."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /settings/{setting}."}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. 
Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC125", "name": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeh", "shortDescription": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. 
These get committed verbatim "}, "fullDescription": {"text": "Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. 
Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC127", "name": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedEr", "shortDescription": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or "}, "fullDescription": {"text": "Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Use `pip install --no-cache-dir ...` in container builds."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", 
"name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC124", "name": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacke", "shortDescription": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason."}, "fullDescription": {"text": "Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). For locking, use `fcntl.flock`."}, "properties": {"scanner": "repobility-threat-engine", "category": "race_condition", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `run` has cognitive complexity 11 (SonarSource scale). Cognitive complexit", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `run` has cognitive complexity 11 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 11."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED074", "name": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI halluci", "shortDescription": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Use environment variables. 
Add the pattern to .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED069", "name": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files.", "shortDescription": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-489 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED063", "name": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use.", "shortDescription": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-367 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED073", "name": "[MINED073] Redos Greedy Quantifier: Pattern with nested quantifiers like (a+)+ applied to network/user data \u2014 denial of ", "shortDescription": {"text": "[MINED073] Redos Greedy Quantifier: Pattern with nested quantifiers like (a+)+ applied to network/user data \u2014 denial of service."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1333,CWE-400 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. 
The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED001] Bare Except Pass (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED064] Python Input Call (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 16 more): Same pattern found in 16 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout (and 4 more): Same pattern found in 4 additional files. 
Review if needed.", "shortDescription": {"text": "[SEC078] Python: requests without timeout (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `wow-actions/potential-duplicates` pinned to mutable ref `@v1`: `uses: wow-actions/potential-duplicate", "shortDescription": {"text": "[MINED115] Action `wow-actions/potential-duplicates` pinned to mutable ref `@v1`: `uses: wow-actions/potential-duplicates@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/ch"}, "fullDescription": {"text": "Replace with: `uses: wow-actions/potential-duplicates@<40-char-sha>  # v1` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `python:3.11` not pinned by digest: `FROM python:3.11` resolves the tag at build time. The re", "shortDescription": {"text": "[MINED118] Dockerfile FROM `python:3.11` not pinned by digest: `FROM python:3.11` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should"}, "fullDescription": {"text": "Replace with: `FROM python:3.11@sha256:<digest>`. Get the digest from `docker manifest inspect`. 
Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "[MINED112] FastAPI POST /openai/chat/completions has no auth: Handler `chat_completion` is registered with router/app.po", "shortDescription": {"text": "[MINED112] FastAPI POST /openai/chat/completions has no auth: Handler `chat_completion` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "fullDescription": {"text": "Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED110", "name": "[MINED110] Blocking call `time.sleep` inside async function `__call__`: `time.sleep` is a synchronous (blocking) call. W", "shortDescription": {"text": "[MINED110] Blocking call `time.sleep` inside async function `__call__`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making "}, "fullDescription": {"text": "Use the async equivalent: `aiohttp` instead of `requests`, `asyncio.sleep` instead of `time.sleep`, `aiofiles` instead of `open`."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.anonymous_telemetry` used but never assigned in __init__: Method `chat` of class `OpenInterpreter` read", "shortDescription": {"text": "[MINED108] `self.anonymous_telemetry` used but never assigned in __init__: Method `chat` of class `OpenInterpreter` reads `self.anonymous_telemetry`, but no assignment to it exists in __init__ (and no class-level fallback). This raises Attr"}, "fullDescription": {"text": "Initialize `self.anonymous_telemetry = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_ui: Test function `test_ui` runs code but contains no assert / expect / should ca", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_ui: Test function `test_ui` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED021", "name": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape.", "shortDescription": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED034", "name": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.", "shortDescription": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. 
Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. 
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Also cover loopback (127/8) and the IPv6 equivalents, and apply the block to the address the hostname resolves to, not only to the hostname string."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED036", "name": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping.", "shortDescription": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.OPENAI_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`,", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.OPENAI_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${{ secrets.OPENAI_API_KEY }}` lets a PR from any fork exfiltrate the secr"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed. `pull_request_target` runs with the base repository's secrets, so a job that can read the secret must not build or execute code from the pull request's head."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`", "shortDescription": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import queue` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. 
These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/861"}, "properties": {"repository": "openinterpreter/open-interpreter", "repoUrl": "https://github.com/openinterpreter/open-interpreter", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77923, "scanner": "repobility-ast-engine", "fingerprint": "6280736820f5814f5a75957e8621fec05c54b7f166f38f2297dbfbe823693a2f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6280736820f5814f5a75957e8621fec05c54b7f166f38f2297dbfbe823693a2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/utils/count_tokens.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77922, "scanner": "repobility-ast-engine", "fingerprint": "2989238e117f35137eca2ce4dea502ce781a64a4969c4a19d005d90bc92849fc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2989238e117f35137eca2ce4dea502ce781a64a4969c4a19d005d90bc92849fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/utils/count_tokens.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77921, "scanner": "repobility-ast-engine", "fingerprint": "f4f11cd6ed854bb562e5906ea1c3d1cbff6c5baa596bf3b06b9098b83fe8be2d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f4f11cd6ed854bb562e5906ea1c3d1cbff6c5baa596bf3b06b9098b83fe8be2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/utils/count_tokens.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `count_messages_tokens` (list): `def count_messages_tokens(... 
= []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 77920, "scanner": "repobility-ast-engine", "fingerprint": "ee800dc14f5f27f29b5a1d3ff9012eb6da3792d92ddd7ec26c6c747a176ac63c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ee800dc14f5f27f29b5a1d3ff9012eb6da3792d92ddd7ec26c6c747a176ac63c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/utils/count_tokens.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77919, "scanner": "repobility-ast-engine", "fingerprint": "019407f3a2a80e971c3215cd635d9d308efde08b8f818a58b855d0de9ccac52e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|019407f3a2a80e971c3215cd635d9d308efde08b8f818a58b855d0de9ccac52e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/utils/display_output.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77918, "scanner": "repobility-ast-engine", "fingerprint": "dad5c81abced0e0ae441cb925c6b75aaa086d4bc9226f337b103f47a23201c2e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dad5c81abced0e0ae441cb925c6b75aaa086d4bc9226f337b103f47a23201c2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/profiles.py"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77917, "scanner": "repobility-ast-engine", "fingerprint": "154db701095026ca058e872c08cb0142189d039e2dfa2bcdd9b3d0bbc3000346", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|154db701095026ca058e872c08cb0142189d039e2dfa2bcdd9b3d0bbc3000346"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/local_setup.py"}, "region": {"startLine": 442}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77916, "scanner": "repobility-ast-engine", "fingerprint": "a7e3132a3b45d3d4e4a7e637c31a1bbc2e729d31d4d1dfe1ed02a8d0259e058e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a7e3132a3b45d3d4e4a7e637c31a1bbc2e729d31d4d1dfe1ed02a8d0259e058e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/local_setup.py"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77915, "scanner": "repobility-ast-engine", "fingerprint": "e85850e257092ba87a0cb93f067cb6f9106653cd20ad78b94d7ce045f425bcab", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e85850e257092ba87a0cb93f067cb6f9106653cd20ad78b94d7ce045f425bcab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/loop.py"}, "region": {"startLine": 412}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77907, "scanner": "repobility-ast-engine", "fingerprint": "3a83c6e0c467708ba29bcfbfc37ad818b2cd5b940445ed236b57e55ef8151163", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3a83c6e0c467708ba29bcfbfc37ad818b2cd5b940445ed236b57e55ef8151163"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/async_core.py"}, "region": {"startLine": 599}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77906, "scanner": "repobility-ast-engine", "fingerprint": "31d48c006a2e1976d3e5dd8ac73fdce8a6a22908e490ead19194420ea0c3c950", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|31d48c006a2e1976d3e5dd8ac73fdce8a6a22908e490ead19194420ea0c3c950"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/async_core.py"}, "region": {"startLine": 534}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77905, "scanner": "repobility-ast-engine", "fingerprint": "bbeb205d7beb174b64c371d2cd634be2e4d8a296e7b79ff225eb37ea3a12e3cb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bbeb205d7beb174b64c371d2cd634be2e4d8a296e7b79ff225eb37ea3a12e3cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/async_core.py"}, "region": {"startLine": 490}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77904, "scanner": "repobility-ast-engine", "fingerprint": "01beff7148779cfa1420c92a45d14eee0ca7a3d0fb89a40942399a03b5e7a082", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|01beff7148779cfa1420c92a45d14eee0ca7a3d0fb89a40942399a03b5e7a082"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/async_core.py"}, "region": {"startLine": 710}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77903, "scanner": "repobility-ast-engine", "fingerprint": "5f627aa776d06b1504709fb73f72b19f011fcd656a2a03ca5534841abb0ae7d2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5f627aa776d06b1504709fb73f72b19f011fcd656a2a03ca5534841abb0ae7d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/async_core.py"}, "region": {"startLine": 701}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77902, "scanner": "repobility-ast-engine", "fingerprint": "8c5e99f641393ec43b22bdc8dd43445e9a587f89de6499211342c1f9719e5f00", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8c5e99f641393ec43b22bdc8dd43445e9a587f89de6499211342c1f9719e5f00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/async_core.py"}, "region": {"startLine": 692}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77901, "scanner": "repobility-ast-engine", "fingerprint": "c8f7712175f5434c74190ccb095a6d2796e1c9c9c235f335868a364a81b39ac7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c8f7712175f5434c74190ccb095a6d2796e1c9c9c235f335868a364a81b39ac7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/async_core.py"}, "region": {"startLine": 186}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77900, "scanner": "repobility-ast-engine", "fingerprint": "9122b4402dbee099e3b01d727737612506ab3f16043a549976450ae4f0dc3e15", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9122b4402dbee099e3b01d727737612506ab3f16043a549976450ae4f0dc3e15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/async_core.py"}, "region": {"startLine": 639}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77899, "scanner": "repobility-ast-engine", "fingerprint": "044c667926995bde215058d0bd69e5e60eb5e70adc9656be4c0111c11b751921", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|044c667926995bde215058d0bd69e5e60eb5e70adc9656be4c0111c11b751921"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/async_core.py"}, "region": {"startLine": 620}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `__init__` (list): `def __init__(... 
= []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 77896, "scanner": "repobility-ast-engine", "fingerprint": "765c6698d8789b075a74fe746807d85c2e13d961703ff3f26c768589833e4c5c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|765c6698d8789b075a74fe746807d85c2e13d961703ff3f26c768589833e4c5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/core.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77894, "scanner": "repobility-ast-engine", "fingerprint": "52ed63ae7a2912a13fb5dc22a71f90e7fad16b0e453c806b90e880245b1bd25c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|52ed63ae7a2912a13fb5dc22a71f90e7fad16b0e453c806b90e880245b1bd25c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/archived_server_2.py"}, "region": {"startLine": 248}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77884, "scanner": "repobility-ast-engine", "fingerprint": "2bb0edb4ac3c6eaa1ef46adf4a891aa72b220857e72449855893e7c258c84d45", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2bb0edb4ac3c6eaa1ef46adf4a891aa72b220857e72449855893e7c258c84d45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/respond.py"}, "region": {"startLine": 384}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77883, "scanner": "repobility-ast-engine", "fingerprint": "b7894b88c42f506fc7a37ff50e961c6afa13844c3f5d735b30aa5c5cc2fe50a1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b7894b88c42f506fc7a37ff50e961c6afa13844c3f5d735b30aa5c5cc2fe50a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/respond.py"}, "region": {"startLine": 351}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77882, "scanner": "repobility-ast-engine", "fingerprint": "168e5a3efd34f569c1122a6f3e187bd103e46d36e8b68a4e0aa49df748f36a18", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|168e5a3efd34f569c1122a6f3e187bd103e46d36e8b68a4e0aa49df748f36a18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/respond.py"}, "region": {"startLine": 401}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77881, "scanner": "repobility-ast-engine", "fingerprint": "01d9ddf74ca7c763e7c88b732a656a6e50e08f590dc45bf61760a29860d470a9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|01d9ddf74ca7c763e7c88b732a656a6e50e08f590dc45bf61760a29860d470a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/respond.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77836, "scanner": "repobility-ast-engine", "fingerprint": "ebca58ae32da7048bbd588f8943adba757397fd082c1b0fa792ddfa1e493922f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ebca58ae32da7048bbd588f8943adba757397fd082c1b0fa792ddfa1e493922f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/wtf.py"}, "region": {"startLine": 280}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77835, "scanner": "repobility-ast-engine", "fingerprint": "89e8616f95b6ec7b26de94641308744456b1bee6e64a1530bf0c224b93d26a67", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|89e8616f95b6ec7b26de94641308744456b1bee6e64a1530bf0c224b93d26a67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/wtf.py"}, "region": {"startLine": 344}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 77834, "scanner": "repobility-ast-engine", "fingerprint": "1d6439e688c131d6717e4f339010f6e8cc0e277d7c8b23ffca7294b41f8f9a9d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1d6439e688c131d6717e4f339010f6e8cc0e277d7c8b23ffca7294b41f8f9a9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/wtf.py"}, "region": {"startLine": 378}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 77833, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": 
"quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC012", "level": "warning", "message": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"repobilityId": 77832, "scanner": "repobility-access-control", "fingerprint": "27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899", "category": "auth", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"apps": [{"line": 20, "file_path": "interpreter/core/archived_server_1.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 198, "file_path": "interpreter/core/archived_server_2.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 956, "file_path": "interpreter/core/async_core.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 339, "file_path": "interpreter/computer_use/loop.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": 
false}], "scanner": "repobility-access-control", "correlation_key": "fp|27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899"}}}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /settings/{setting}."}, "properties": {"repobilityId": 77831, "scanner": "repobility-access-control", "fingerprint": "ce458c5cbe9ba45e45ae4c561f925a6198064b3a9e144769b4dccc6c948f3768", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings/{setting}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|669|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/async_core.py"}, "region": {"startLine": 669}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /settings."}, "properties": {"repobilityId": 77830, "scanner": "repobility-access-control", "fingerprint": "3de3e9c73013e9b038f98d9387b1ebc68f0b5aad6e8e752075a4a9ddbd7c47e3", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|642|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/async_core.py"}, "region": {"startLine": 642}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /settings."}, "properties": {"repobilityId": 77829, "scanner": "repobility-access-control", "fingerprint": "217284938b8cd819a083b9858297c76f337e0156f6d0dbedbf6d057dc168fe01", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|207|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/archived_server_2.py"}, "region": {"startLine": 207}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 77828, "scanner": "repobility-access-control", "fingerprint": "b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 14, "correlation_key": "fp|b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "auth_visible_percent": 0.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 77827, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", 
"severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["FastAPI"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 77826, "scanner": "repobility-docker", "fingerprint": "f5037c1bb6e53f5469869a69bb201bb8ae7708128cef7634dd7df85479acd097", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.11", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f5037c1bb6e53f5469869a69bb201bb8ae7708128cef7634dd7df85479acd097"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 77824, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": 
"repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 77823, "scanner": "repobility-docker", "fingerprint": "e58c35b4eee438ba20c6a41815f9be45ce249471b4e40dd22541d776891a5afc", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.11.8", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e58c35b4eee438ba20c6a41815f9be45ce249471b4e40dd22541d776891a5afc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. 
Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 77805, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC125", "level": "warning", "message": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of reading the value from the environment. These get committed verbatim \u2014 production code with a literal placeholder string is a near-certain bug, and the value also leaks to authentication crawlers what credential type the system expects. CWE-1188. 
Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand"}, "properties": {"repobilityId": 77802, "scanner": "repobility-threat-engine", "fingerprint": "e6c00d439b578de0547e2b52dad9fedd731fe00901959754a8eaa016cd64c91d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "api_key = \"<redacted>", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC125", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e6c00d439b578de0547e2b52dad9fedd731fe00901959754a8eaa016cd64c91d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/defaults/template_profile.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 77797, "scanner": "repobility-threat-engine", "fingerprint": "88df0ab70b69bbae1c8752b0e143fa9437e605bf53de8d7220aa4a1176dbf094", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"John Doe\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|88df0ab70b69bbae1c8752b0e143fa9437e605bf53de8d7220aa4a1176dbf094"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/defaults/os.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 77796, "scanner": "repobility-threat-engine", "fingerprint": "e3d395e8a4b5ba821248cf50b38a974d8ad887c49fdaf00e1709afaa31902b80", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"John Doe\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e3d395e8a4b5ba821248cf50b38a974d8ad887c49fdaf00e1709afaa31902b80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/defaults/local-assistant.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 77795, "scanner": "repobility-threat-engine", "fingerprint": "4d308d3854af9a99a8a2ab9ef2f265fb359b0f758b5bf40cd4dd630bedc09ed8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"John Doe\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4d308d3854af9a99a8a2ab9ef2f265fb359b0f758b5bf40cd4dd630bedc09ed8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/defaults/assistant.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 77793, "scanner": "repobility-threat-engine", "fingerprint": "55b0ebec625df62bb2a09d894940bee4ae6101b514411bf26c2363b16ca09590", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "debug = True", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|55b0ebec625df62bb2a09d894940bee4ae6101b514411bf26c2363b16ca09590"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/magic_commands.py"}, "region": 
{"startLine": 118}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 77787, "scanner": "repobility-threat-engine", "fingerprint": "ad7c034b0f412b806bcb654c7b40ab684245cf946562bb9de1c4c48dd458745b", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "subprocess.run(\n                f\"cd {temp_path} && semgrep scan --config auto --quiet --error {file", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|38|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/utils/scan_code.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 77777, "scanner": "repobility-threat-engine", "fingerprint": "d42e1905b5864279faa25a0b66b027b30565075fb4e7d23ce53db3e7197ef051", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|256|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/computer/skills/skills.py"}, "region": {"startLine": 256}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 77776, "scanner": "repobility-threat-engine", "fingerprint": "7875d5fe1319268149a4e07bd272539f8302db0a55d9ce81b0e95165cd9171f6", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|193|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/computer/computer.py"}, "region": {"startLine": 193}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 77772, "scanner": "repobility-threat-engine", "fingerprint": "dbfe649a832a40e52badb0e41c0a4400d763fb635d252a02fb6835cac5c0d599", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dbfe649a832a40e52badb0e41c0a4400d763fb635d252a02fb6835cac5c0d599"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/llm/utils/parse_partial_json.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 77771, "scanner": "repobility-threat-engine", "fingerprint": "70064858cbcc71504db227907d008278a4c98983181942648026e5d9586f1790", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except:\n                pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|70064858cbcc71504db227907d008278a4c98983181942648026e5d9586f1790"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/computer/keyboard/keyboard.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 77770, "scanner": "repobility-threat-engine", "fingerprint": "9bdb4b78abf845715a7b1c8d4407b9a74362f48408f1c788808a6c3805e36167", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except:\n                pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9bdb4b78abf845715a7b1c8d4407b9a74362f48408f1c788808a6c3805e36167"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/archived_server_2.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise 
NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 77746, "scanner": "repobility-threat-engine", "fingerprint": "f841adc00a2a695649d78cb6f4dd043ce2d6470851c165676e1719d0beef357d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def update_from_message(self, message):\n        raise NotImplementedError", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f841adc00a2a695649d78cb6f4dd043ce2d6470851c165676e1719d0beef357d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/components/base_block.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. 
Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 77745, "scanner": "repobility-threat-engine", "fingerprint": "73db2b38ae73deddf7335965b41bf5c4f830318ae6677437ff0d32ed3fd37a09", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def to_params(\n        self,\n    ) -> BetaToolUnionParam:\n        raise NotImplementedError", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|73db2b38ae73deddf7335965b41bf5c4f830318ae6677437ff0d32ed3fd37a09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/tools/base.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 77825, "scanner": "repobility-docker", "fingerprint": "9c50c02b9555d677bd24fc93501c8ebc4beee58e176e0661a2f7b017b9797939", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9c50c02b9555d677bd24fc93501c8ebc4beee58e176e0661a2f7b017b9797939"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 77822, "scanner": "repobility-docker", "fingerprint": "45a5292cade42f3d625892e729a1aa3c151e3dc35f2d3ba2a664b65f6a807488", "category": 
"docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|45a5292cade42f3d625892e729a1aa3c151e3dc35f2d3ba2a664b65f6a807488"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77821, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f25b522d16894948aaa3d2f62000322eff177b46859b6713b14af54e6c7154bb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "interpreter/__init__.py", "duplicate_line": 7, "correlation_key": "fp|f25b522d16894948aaa3d2f62000322eff177b46859b6713b14af54e6c7154bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/utils/display_markdown_message.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77820, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9fd116243f6c638daf8026f9cf91d44f6084bc5f418bb0c9bac4acde95259a4f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, 
"rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "interpreter/terminal_interface/profiles/defaults/assistant.py", "duplicate_line": 49, "correlation_key": "fp|9fd116243f6c638daf8026f9cf91d44f6084bc5f418bb0c9bac4acde95259a4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/defaults/the01.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77819, "scanner": "repobility-ai-code-hygiene", "fingerprint": "442873d5d0a98f3b3471df1b6a375381751ea85fb0e5c3a265f79bd83c26a808", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "interpreter/terminal_interface/profiles/defaults/gemma2.py", "duplicate_line": 3, "correlation_key": "fp|442873d5d0a98f3b3471df1b6a375381751ea85fb0e5c3a265f79bd83c26a808"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/defaults/qwen.py"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77818, "scanner": "repobility-ai-code-hygiene", "fingerprint": "45edde9d261452d62366f1bc2f7f6a56b29428ecedcb5736c5be6ab26478209e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "interpreter/terminal_interface/profiles/defaults/llama3.py", "duplicate_line": 6, "correlation_key": "fp|45edde9d261452d62366f1bc2f7f6a56b29428ecedcb5736c5be6ab26478209e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/defaults/local.py"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77817, "scanner": "repobility-ai-code-hygiene", "fingerprint": "483ee9a01e1c636fdf66133d1b18694792b55740cc7475e8f62d0c6bd12a0715", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "interpreter/terminal_interface/profiles/defaults/codestral-os.py", "duplicate_line": 31, "correlation_key": "fp|483ee9a01e1c636fdf66133d1b18694792b55740cc7475e8f62d0c6bd12a0715"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/defaults/local-os.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77816, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1726fe5d74cf6b03fa08acb8b1be714c72f403f2570794279b700e521a5025c6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "interpreter/terminal_interface/profiles/defaults/codestral-vision.py", "duplicate_line": 3, "correlation_key": "fp|1726fe5d74cf6b03fa08acb8b1be714c72f403f2570794279b700e521a5025c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/defaults/llama3.py"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77815, "scanner": "repobility-ai-code-hygiene", "fingerprint": "35eb646303a24108cf89df7e877fd9605caad61e1d1f0c1b0c7f62ef56bdd48f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "interpreter/terminal_interface/profiles/defaults/llama3-vision.py", "duplicate_line": 1, "correlation_key": "fp|35eb646303a24108cf89df7e877fd9605caad61e1d1f0c1b0c7f62ef56bdd48f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/defaults/llama3.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77814, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bdf757fe4dcc18e068025d9fa53b3f494853a72d68b6966b98b456e33f9d8e5e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"interpreter/terminal_interface/profiles/defaults/llama3-os.py", "duplicate_line": 48, "correlation_key": "fp|bdf757fe4dcc18e068025d9fa53b3f494853a72d68b6966b98b456e33f9d8e5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/defaults/llama3-vision.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77813, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4985602e09218a7126aa84d73941b8ad334c82910f271c4e0dd61d9580349b29", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "interpreter/terminal_interface/profiles/defaults/codestral-vision.py", "duplicate_line": 3, "correlation_key": "fp|4985602e09218a7126aa84d73941b8ad334c82910f271c4e0dd61d9580349b29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/defaults/llama3-vision.py"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77812, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b036b45012b1c3270c243e129b96142283fcce2a47650d1a3e319bc1a2623de8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"interpreter/terminal_interface/profiles/defaults/codestral-os.py", "duplicate_line": 30, "correlation_key": "fp|b036b45012b1c3270c243e129b96142283fcce2a47650d1a3e319bc1a2623de8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/defaults/llama3-os.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77811, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8cb212e1d72953a5cef1281ef641c4d5b8c090a8219f4e13d329551dc19f3f37", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "interpreter/terminal_interface/profiles/defaults/codestral-vision.py", "duplicate_line": 1, "correlation_key": "fp|8cb212e1d72953a5cef1281ef641c4d5b8c090a8219f4e13d329551dc19f3f37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/defaults/codestral.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77810, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6c6fcfead60ab0362f3c23998242e5e2a4547b27b8b1042db0da2665f9a6938f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"interpreter/terminal_interface/profiles/defaults/codestral-os.py", "duplicate_line": 72, "correlation_key": "fp|6c6fcfead60ab0362f3c23998242e5e2a4547b27b8b1042db0da2665f9a6938f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/defaults/codestral-vision.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77809, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ffc194bc1338227057c2a7f51be759e6ba41a1e54e7942d55b22f9c1e4d1d99a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "interpreter/core/llm/run_function_calling_llm.py", "duplicate_line": 35, "correlation_key": "fp|ffc194bc1338227057c2a7f51be759e6ba41a1e54e7942d55b22f9c1e4d1d99a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/llm/run_tool_calling_llm.py"}, "region": {"startLine": 103}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77808, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5ededaa305b3a5ebc71cac704846e627e580b0cdf376c773d9a20c21c1511177", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "interpreter/computer_use/tools/computer.py", 
"duplicate_line": 51, "correlation_key": "fp|5ededaa305b3a5ebc71cac704846e627e580b0cdf376c773d9a20c21c1511177"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/computer/mouse/mouse.py"}, "region": {"startLine": 221}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77807, "scanner": "repobility-ai-code-hygiene", "fingerprint": "90ce9a071445fbdb94c6dca49b9137df9a985f55b6735d2182c5e0f9f8f09f69", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "interpreter/core/archived_server_1.py", "duplicate_line": 25, "correlation_key": "fp|90ce9a071445fbdb94c6dca49b9137df9a985f55b6735d2182c5e0f9f8f09f69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/async_core.py"}, "region": {"startLine": 245}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77806, "scanner": "repobility-ai-code-hygiene", "fingerprint": "250e0904f21136c83739f563b3b96a4b8bccd8b77b053ea046917eacac0cb5be", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "interpreter/__init__.py", "duplicate_line": 6, "correlation_key": "fp|250e0904f21136c83739f563b3b96a4b8bccd8b77b053ea046917eacac0cb5be"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "interpreter/computer_use/loop.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 77785, "scanner": "repobility-threat-engine", "fingerprint": "de619840b0b1adb4aa0ebf19b52082d8a80fcda837895b935bcda8c01e5d2311", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "print(\n                \"\\n\\n# Important Information:\\n\"\n                + app_info\n                +", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|de619840b0b1adb4aa0ebf19b52082d8a80fcda837895b935bcda8c01e5d2311"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/defaults/os.py"}, "region": {"startLine": 137}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 77784, "scanner": "repobility-threat-engine", "fingerprint": "276476c019dbdc29843b4d8b9c3b569cb8df9fbf7c7b7ea16532ed0d7b338d1a", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"After completing the above, I need you to run {normalized_name}(step=\" + str(step + 1) + \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|276476c019dbdc29843b4d8b9c3b569cb8df9fbf7c7b7ea16532ed0d7b338d1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/computer/skills/skills.py"}, "region": {"startLine": 240}}}]}, {"ruleId": "SEC124", "level": "note", "message": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). 
`mktemp` is deprecated for the same reason."}, "properties": {"repobilityId": 77783, "scanner": "repobility-threat-engine", "fingerprint": "ee09671389a71487095e2723c4d09ea9f5e35767a0c906c318ad89f5d46f4ff9", "category": "race_condition", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.path.exists(uuid_file_path):\n            with open(uuid_file_path, \"r\") as file:", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC124", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ee09671389a71487095e2723c4d09ea9f5e35767a0c906c318ad89f5d46f4ff9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/utils/telemetry.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC124", "level": "note", "message": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). 
`mktemp` is deprecated for the same reason."}, "properties": {"repobilityId": 77782, "scanner": "repobility-threat-engine", "fingerprint": "ed6d40e5082e8021b31f8dece989cbad5ac604512ff24cf48c6f33bb6767dfb2", "category": "race_condition", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.path.exists(self.skills.path):\n            os.makedirs(self.skills.path)\n\n        with open(skill", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC124", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ed6d40e5082e8021b31f8dece989cbad5ac604512ff24cf48c6f33bb6767dfb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/computer/skills/skills.py"}, "region": {"startLine": 249}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `run` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: break=1, except=1, if=7, nested_bonus=1, while=1."}, "properties": {"repobilityId": 77742, "scanner": "repobility-threat-engine", "fingerprint": "6f2d663cbcf5a956a854257d0bdbaf78b7dd122854a1eb5626a000c997ae6835", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 11 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "run", "breakdown": {"if": 7, "break": 1, "while": 1, "except": 1, "nested_bonus": 1}, "complexity": 11, "correlation_key": "fp|6f2d663cbcf5a956a854257d0bdbaf78b7dd122854a1eb5626a000c997ae6835"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/tools/bash.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `print_markdown` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: elif=1, else=1, except=1, for=1, if=2, nested_bonus=4."}, "properties": {"repobilityId": 77741, "scanner": "repobility-threat-engine", "fingerprint": "3969fdbad10914c0949430aaa8034052c4f2fbe4a193a2f3102540057fa5665e", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "print_markdown", "breakdown": {"if": 2, "for": 1, "elif": 1, "else": 1, "except": 1, "nested_bonus": 4}, "complexity": 10, "correlation_key": "fp|3969fdbad10914c0949430aaa8034052c4f2fbe4a193a2f3102540057fa5665e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/__init__.py"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 77804, "scanner": "repobility-threat-engine", "fingerprint": "50e4e459ee347aa23dfb9d987f7f1d3375ccaf4a50467dd1044be64f5b278479", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|50e4e459ee347aa23dfb9d987f7f1d3375ccaf4a50467dd1044be64f5b278479"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/utils/count_tokens.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking 
but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "properties": {"repobilityId": 77803, "scanner": "repobility-threat-engine", "fingerprint": "bc269cbe7582b8070a013dbbe9cae18d6e8b3fd76140fdf84d89dbc8c30f9c19", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bc269cbe7582b8070a013dbbe9cae18d6e8b3fd76140fdf84d89dbc8c30f9c19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/defaults/template_profile.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC002", "level": "none", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 77801, "scanner": "repobility-threat-engine", "fingerprint": "733e8a1e91c6e2a98733c4a83dce37e36dbf2cef1cfdf70590fa17af60074caa", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value looks like a development placeholder, not a live credential", "evidence": {"match": "api_key = \"<redacted>\"", "reason": "Value looks like a development placeholder, not a live credential", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|2|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/defaults/template_profile.py"}, "region": {"startLine": 
24}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 77799, "scanner": "repobility-threat-engine", "fingerprint": "92c8218303cd96d961210f3112f4b089656a4cfb3ab3906bf084db4e9ab948ad", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|92c8218303cd96d961210f3112f4b089656a4cfb3ab3906bf084db4e9ab948ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/defaults/bedrock-anthropic.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC134", "level": "none", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 77798, "scanner": "repobility-threat-engine", "fingerprint": "2fc2352ee79a239983bde3b99e3e602f191c3f964939343206bb75ac755d22c0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2fc2352ee79a239983bde3b99e3e602f191c3f964939343206bb75ac755d22c0"}}}, {"ruleId": "MINED069", "level": "none", "message": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "properties": {"repobilityId": 77794, "scanner": "repobility-threat-engine", "fingerprint": "115b40dd0eb8e4c05945e0095e0bd927d2e3cb586cfdafcdc0e39ee57571c660", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "debug-true-prod", "owasp": "A05:2021", "cwe_ids": ["CWE-489"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348063+00:00", "triaged_in_corpus": 12, "observations_count": 37393, "ai_coder_pattern_id": 17}, "scanner": "repobility-threat-engine", "correlation_key": "fp|115b40dd0eb8e4c05945e0095e0bd927d2e3cb586cfdafcdc0e39ee57571c660"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/magic_commands.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED063", "level": "none", "message": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "properties": {"repobilityId": 77792, "scanner": "repobility-threat-engine", "fingerprint": "b303a4cba3b2a4748a64a0ca00c2dc3c8028d6f3fdd8f2f854fdc5dd9547e8d1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "toctou-os-path-exists", "owasp": null, "cwe_ids": ["CWE-367"], "precision": 1.0, "promoted_at": 
"2026-05-18T14:01:32.348048+00:00", "triaged_in_corpus": 12, "observations_count": 90754, "ai_coder_pattern_id": 41}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b303a4cba3b2a4748a64a0ca00c2dc3c8028d6f3fdd8f2f854fdc5dd9547e8d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/utils/telemetry.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED073", "level": "none", "message": {"text": "[MINED073] Redos Greedy Quantifier: Pattern with nested quantifiers like (a+)+ applied to network/user data \u2014 denial of service."}, "properties": {"repobilityId": 77786, "scanner": "repobility-threat-engine", "fingerprint": "fa5093583e3cd9bd4854b03f3d33d3a205066a464684f7a77255485bb9dd6b89", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "redos-greedy-quantifier", "owasp": "A06:2021", "cwe_ids": ["CWE-1333", "CWE-400"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348072+00:00", "triaged_in_corpus": 12, "observations_count": 12702, "ai_coder_pattern_id": 35}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fa5093583e3cd9bd4854b03f3d33d3a205066a464684f7a77255485bb9dd6b89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/computer/terminal/languages/javascript.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "ERR001", "level": "none", "message": {"text": "[ERR001] Silent Exception Swallowing (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "properties": {"repobilityId": 77773, "scanner": "repobility-threat-engine", "fingerprint": "93b9da83522ef7033c1689b56fc2639ef703f7cce5574751f2046196162761e3", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|93b9da83522ef7033c1689b56fc2639ef703f7cce5574751f2046196162761e3"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 77769, "scanner": "repobility-threat-engine", "fingerprint": "8b39ef99bfbb4e08025ab88f612d1dc1790086ccb579e66d2eab0904656ec4f5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8b39ef99bfbb4e08025ab88f612d1dc1790086ccb579e66d2eab0904656ec4f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/computer/browser/browser_next.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle 
credentials or data."}, "properties": {"repobilityId": 77768, "scanner": "repobility-threat-engine", "fingerprint": "91f4e694a9c6cd39b1ce49139f3c3234f484ddd3859a3017a3dc302b10748393", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|91f4e694a9c6cd39b1ce49139f3c3234f484ddd3859a3017a3dc302b10748393"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/archived_server_1.py"}, "region": {"startLine": 159}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 77767, "scanner": "repobility-threat-engine", "fingerprint": "0de68cae7e75d5d9ec2470ef096acf6896ef52d708afc75ab29d686a916e7918", "category": "xss", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.innerHTML\\s*=\\s*[\"\\'][^${]*[\"\\']\\s*;?\\s*$' detected on same line", "evidence": {"match": ".innerHTML = '<b>' + i", "reason": "Safe pattern '\\.innerHTML\\s*=\\s*[\"\\'][^${]*[\"\\']\\s*;?\\s*$' detected on same line", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|0de68cae7e75d5d9ec2470ef096acf6896ef52d708afc75ab29d686a916e7918"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/archived_server_1.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED001", "level": "none", "message": {"text": "[MINED001] Bare Except Pass (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 77765, "scanner": "repobility-threat-engine", "fingerprint": "c0243c95a960df79d347d546f02c8d708977edbd4a97478c529e24c680ef3789", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c0243c95a960df79d347d546f02c8d708977edbd4a97478c529e24c680ef3789", "aggregated_count": 4}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 77759, "scanner": "repobility-threat-engine", "fingerprint": "384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af"}}}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 77755, "scanner": "repobility-threat-engine", "fingerprint": "8bae08234a4989d758b644c4243bd0544e93df2325a580b9e750ad487db48009", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8bae08234a4989d758b644c4243bd0544e93df2325a580b9e750ad487db48009", "aggregated_count": 2}}}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. 
Inappropriate in services."}, "properties": {"repobilityId": 77754, "scanner": "repobility-threat-engine", "fingerprint": "9c06758365a6312c2c00892bf5a17da5741d46c4486de9a423bad7faaab92221", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9c06758365a6312c2c00892bf5a17da5741d46c4486de9a423bad7faaab92221"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/contributing_conversations.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. 
Inappropriate in services."}, "properties": {"repobilityId": 77753, "scanner": "repobility-threat-engine", "fingerprint": "b66b794bbd893f9d6ac9ff07a0cac7c40854edbf4e27e50aeb6f469e14ebf1af", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b66b794bbd893f9d6ac9ff07a0cac7c40854edbf4e27e50aeb6f469e14ebf1af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/archived_server_2.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. 
Inappropriate in services."}, "properties": {"repobilityId": 77752, "scanner": "repobility-threat-engine", "fingerprint": "1a43e36e3829dba124ac10a658fcc8876d85f5c68df5904f3e58b54c46649dfd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1a43e36e3829dba124ac10a658fcc8876d85f5c68df5904f3e58b54c46649dfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/tools/bash.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 77751, "scanner": "repobility-threat-engine", "fingerprint": "c648ec5e34f6650a2792602bfe9acb9e5bd0e4bb938044e9b85e860f89ca60dd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c648ec5e34f6650a2792602bfe9acb9e5bd0e4bb938044e9b85e860f89ca60dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/tools/base.py"}, "region": {"startLine": 23}}}]}, 
{"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 77750, "scanner": "repobility-threat-engine", "fingerprint": "32c16c8147fc234dfc68ec05ca6fcdb84f5b7bbc1a90b12967635ff96b041c22", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|32c16c8147fc234dfc68ec05ca6fcdb84f5b7bbc1a90b12967635ff96b041c22", "aggregated_count": 16}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 77749, "scanner": "repobility-threat-engine", "fingerprint": "68f0ce18b142381e4d3c2c86057eab19169108d15189eda50db00592db00ce75", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|68f0ce18b142381e4d3c2c86057eab19169108d15189eda50db00592db00ce75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/archived_server_1.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 77748, "scanner": "repobility-threat-engine", "fingerprint": "ea01c3b48332eee6632e13d032ef66a9d2a1f3d35f710fe14efa354ff65f55f6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ea01c3b48332eee6632e13d032ef66a9d2a1f3d35f710fe14efa354ff65f55f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/tools/run.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 77747, "scanner": "repobility-threat-engine", "fingerprint": "abe6d89c08397ea2f47b041525c9b7e92c8de999ae1a1ec2c94c22cafb9d22d7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], 
"precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|abe6d89c08397ea2f47b041525c9b7e92c8de999ae1a1ec2c94c22cafb9d22d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/tools/base.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 45 more): Same pattern found in 45 additional files. Review if needed."}, "properties": {"repobilityId": 77744, "scanner": "repobility-threat-engine", "fingerprint": "303e2c540ab4b5e229144f450ae8f446963dc63e88fff87fae20cbba34a78a4b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 45 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "print_markdown", "breakdown": {"if": 2, "for": 1, "elif": 1, "else": 1, "except": 1, "nested_bonus": 4}, "aggregated": true, "complexity": 10, "correlation_key": "fp|303e2c540ab4b5e229144f450ae8f446963dc63e88fff87fae20cbba34a78a4b", "aggregated_count": 45}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 77740, "scanner": "repobility-threat-engine", "fingerprint": "8a4a6eee8542066df89bc31a1647336e3047611a9bc074cfbe10edf76227be49", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8a4a6eee8542066df89bc31a1647336e3047611a9bc074cfbe10edf76227be49", "aggregated_count": 4}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 77739, "scanner": "repobility-threat-engine", "fingerprint": "1a513b035d90315b584f8dd38a5902a0636428593d913ff8e96f0b925238b7cb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1a513b035d90315b584f8dd38a5902a0636428593d913ff8e96f0b925238b7cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/computer/browser/browser.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 77738, "scanner": "repobility-threat-engine", "fingerprint": "913ec0fcd31a3063a4cef4e821f308857ae93643731f1002872b0312e7dbcff2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|913ec0fcd31a3063a4cef4e821f308857ae93643731f1002872b0312e7dbcff2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/unused_markdown.py"}, "region": {"startLine": 204}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 77737, "scanner": "repobility-threat-engine", "fingerprint": "2e07451bed3733ead0aaa33e1504fb30de6df51a488ce743a66ee7342650dc30", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2e07451bed3733ead0aaa33e1504fb30de6df51a488ce743a66ee7342650dc30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/__init__.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 77736, "scanner": "repobility-threat-engine", "fingerprint": "6914b84c8d582a96a353e399742a72e9a6a6f6dca439c350e3996698fc9f8cb0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|6914b84c8d582a96a353e399742a72e9a6a6f6dca439c350e3996698fc9f8cb0"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `wow-actions/potential-duplicates` pinned to mutable ref `@v1`: `uses: wow-actions/potential-duplicates@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to the full 40-character commit SHA and let Dependabot or Renovate keep the pinned SHA up to date."}, "properties": {"repobilityId": 77940, "scanner": "repobility-supply-chain", "fingerprint": "069701e513b6eee094a4966c5915c284f95aacd68066ca0f1c7be110cfd1bd4f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|069701e513b6eee094a4966c5915c284f95aacd68066ca0f1c7be110cfd1bd4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/potential-duplicates.yml"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v3`: `uses: actions/setup-python@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and let Dependabot or Renovate keep the pinned SHA up to date."}, "properties": {"repobilityId": 77938, "scanner": "repobility-supply-chain", "fingerprint": "bdc38b2badf9a94f71f53c36ae474c2042681d2a388e7a064c50b313d598b5e2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bdc38b2badf9a94f71f53c36ae474c2042681d2a388e7a064c50b313d598b5e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/python-package.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and let Dependabot or Renovate keep the pinned SHA up to date."}, "properties": {"repobilityId": 77937, "scanner": "repobility-supply-chain", "fingerprint": "16946804be447dd28d962dd90c1b4962e70fb1235f91460dbb67adecf7850099", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|16946804be447dd28d962dd90c1b4962e70fb1235f91460dbb67adecf7850099"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/python-package.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.11` not pinned by digest: `FROM python:3.11` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 77936, "scanner": "repobility-supply-chain", "fingerprint": "b14a847096e0bea54bc1f3c19545a0911a848db8f651e31b3eddb044b4c07827", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b14a847096e0bea54bc1f3c19545a0911a848db8f651e31b3eddb044b4c07827"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.11.8` not pinned by digest: `FROM python:3.11.8` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 77935, "scanner": "repobility-supply-chain", "fingerprint": "2e199d6a1e94875dbbd1d156a2f7626eb34abbdb7e65a248e565104768fe47a4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2e199d6a1e94875dbbd1d156a2f7626eb34abbdb7e65a248e565104768fe47a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /openai/chat/completions has no auth: Handler `chat_completion` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 77934, "scanner": "repobility-route-auth", "fingerprint": "34db905474a385ae225f24edbad4cf27cb4ea3e93df0e7a352ca4a17058e22d0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|34db905474a385ae225f24edbad4cf27cb4ea3e93df0e7a352ca4a17058e22d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/loop.py"}, "region": {"startLine": 354}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /upload has no auth: Handler `upload_file` is registered 
with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 77933, "scanner": "repobility-route-auth", "fingerprint": "c97a4a776f10eb68381b6e1400b7da9b482d927ddde74c3881acd129e78dc4a0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|c97a4a776f10eb68381b6e1400b7da9b482d927ddde74c3881acd129e78dc4a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/async_core.py"}, "region": {"startLine": 696}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /run has no auth: Handler `run_code` is registered with router/app.post(...) 
but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 77932, "scanner": "repobility-route-auth", "fingerprint": "7bc15d021e8721c0c1c00db769ac514b8c4e4b00477a7b18f1c9fe91bd32cfc5", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|7bc15d021e8721c0c1c00db769ac514b8c4e4b00477a7b18f1c9fe91bd32cfc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/async_core.py"}, "region": {"startLine": 683}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /openai/chat/completions has no auth: Handler `chat_completion` is registered with router/app.post(...) 
but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 77931, "scanner": "repobility-route-auth", "fingerprint": "4c82c4e9eea7b14efc47a2b0d76c9f8861cd2ba0a92e3e674e4555d419206cd2", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|4c82c4e9eea7b14efc47a2b0d76c9f8861cd2ba0a92e3e674e4555d419206cd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/async_core.py"}, "region": {"startLine": 820}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /settings has no auth: Handler `set_settings` is registered with router/app.post(...) 
but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 77930, "scanner": "repobility-route-auth", "fingerprint": "277bd4243eec7b1e918e03351b1d5c6a6259bdfc735a2537289f24486137adcf", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|277bd4243eec7b1e918e03351b1d5c6a6259bdfc735a2537289f24486137adcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/async_core.py"}, "region": {"startLine": 643}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST / has no auth: Handler `post_input` is registered with router/app.post(...) 
but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 77929, "scanner": "repobility-route-auth", "fingerprint": "2a41ffd645e0604826eb0a97495617b09a9bf08d5c0ea59a9237625e3a93eca2", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|2a41ffd645e0604826eb0a97495617b09a9bf08d5c0ea59a9237625e3a93eca2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/async_core.py"}, "region": {"startLine": 635}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /settings has no auth: Handler `settings` is registered with router/app.post(...) 
but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 77928, "scanner": "repobility-route-auth", "fingerprint": "719bea8ba9cd62c6fa50a57908ae9d46782abe22a9c2b7ce5a86eb00ab8a8c5a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|719bea8ba9cd62c6fa50a57908ae9d46782abe22a9c2b7ce5a86eb00ab8a8c5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/archived_server_2.py"}, "region": {"startLine": 208}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /chat has no auth: Handler `stream_endpoint` is registered with router/app.post(...) 
but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 77927, "scanner": "repobility-route-auth", "fingerprint": "2a6cfade5910def43208445b67ace2e55ae46c48801a7868e5efc1c3bad7359f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|2a6cfade5910def43208445b67ace2e55ae46c48801a7868e5efc1c3bad7359f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/archived_server_1.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI PATCH interpreter.core.computer.files.files.aifs has no auth: Handler `test_search` is registered with router/app.patch(...) 
but no Depends/Security parameter is declared and no auth marker appears in the function body. The reported route is a dotted Python module path and the handler is a test function under tests/, which suggests a `unittest.mock.patch` decorator was matched rather than a FastAPI `app.patch(...)` route; confirm before treating this as a missing-auth finding."}, "properties": {"repobilityId": 77926, "scanner": "repobility-route-auth", "fingerprint": "fda6aa5d016aba800d147ca516e6f2ec368ffe40769e4eb48e636c82ed59d7f4", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|fda6aa5d016aba800d147ca516e6f2ec368ffe40769e4eb48e636c82ed59d7f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/core/computer/files/test_files.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `__call__`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77925, "scanner": "repobility-ast-engine", "fingerprint": "23f4088e3011a2da6507db3b2bb63f3a8924c6c3819f6b78ea240e17abc7e224", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|23f4088e3011a2da6507db3b2bb63f3a8924c6c3819f6b78ea240e17abc7e224"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/tools/computer.py"}, "region": {"startLine": 202}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `__call__`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77924, "scanner": "repobility-ast-engine", "fingerprint": "42d9d6120a43893161bf5c875cd9f70054b837f09c87207d10c922ec50e52f84", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|42d9d6120a43893161bf5c875cd9f70054b837f09c87207d10c922ec50e52f84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/tools/computer.py"}, "region": {"startLine": 194}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `input` inside async function `main`: `input` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77914, "scanner": "repobility-ast-engine", "fingerprint": "86063691d3b79dafbb76cfbaeeefae3286cc8402caebdc49f539f9955f96d565", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|86063691d3b79dafbb76cfbaeeefae3286cc8402caebdc49f539f9955f96d565"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/loop.py"}, "region": {"startLine": 478}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `input` inside async function `main`: `input` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77913, "scanner": "repobility-ast-engine", "fingerprint": "cdc8e50fcf27f013e85277c4e626bff8492e1a705ed8646921326c2fbdec3906", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cdc8e50fcf27f013e85277c4e626bff8492e1a705ed8646921326c2fbdec3906"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/loop.py"}, "region": {"startLine": 477}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `requests.post` inside async function `main`: `requests.post` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77912, "scanner": "repobility-ast-engine", "fingerprint": "ab1ad9e08a0c3cd830285508e03fbc6b1d491330e85862aaf39103ad61c0a259", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ab1ad9e08a0c3cd830285508e03fbc6b1d491330e85862aaf39103ad61c0a259"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/loop.py"}, "region": {"startLine": 484}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `input` inside async function `main`: `input` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77911, "scanner": "repobility-ast-engine", "fingerprint": "3534113ac942e83f2ca22dbe09ecb3c0a1ec44602cb87a60bf2dd9c69abba0f0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3534113ac942e83f2ca22dbe09ecb3c0a1ec44602cb87a60bf2dd9c69abba0f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/loop.py"}, "region": {"startLine": 469}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `main`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77910, "scanner": "repobility-ast-engine", "fingerprint": "9ad596385a6c24d859efbf443d02ba6fd653027071fe651fce765ad1f8378850", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9ad596385a6c24d859efbf443d02ba6fd653027071fe651fce765ad1f8378850"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/loop.py"}, "region": {"startLine": 438}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `input` inside async function `main`: `input` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77909, "scanner": "repobility-ast-engine", "fingerprint": "b04c11d405cd94b0d7bc74149c6caf62953ed50c28d5919c08c3a1b1f02b6638", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b04c11d405cd94b0d7bc74149c6caf62953ed50c28d5919c08c3a1b1f02b6638"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/loop.py"}, "region": {"startLine": 434}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `main`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77908, "scanner": "repobility-ast-engine", "fingerprint": "7adec11e9859986cf16ce41da6a522b34b111d8800eaaa4038d58eb794110099", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7adec11e9859986cf16ce41da6a522b34b111d8800eaaa4038d58eb794110099"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/loop.py"}, "region": {"startLine": 429}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `chat_completion`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77898, "scanner": "repobility-ast-engine", "fingerprint": "988f9cfa050eb9b2ebb47e85ea62b3a5ef879633773483ad54938be2c8532433", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|988f9cfa050eb9b2ebb47e85ea62b3a5ef879633773483ad54938be2c8532433"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/async_core.py"}, "region": {"startLine": 832}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `chat_completion`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77897, "scanner": "repobility-ast-engine", "fingerprint": "56c41f4f84464cee64f5bc18ebb4e8f2ae01ce8c751867244449b4abef8ac25b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|56c41f4f84464cee64f5bc18ebb4e8f2ae01ce8c751867244449b4abef8ac25b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/async_core.py"}, "region": {"startLine": 930}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.anonymous_telemetry` used but never assigned in __init__: Method `chat` of class `OpenInterpreter` reads `self.anonymous_telemetry`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77895, "scanner": "repobility-ast-engine", "fingerprint": "c12b6799626af82eaba615bf9deea40636da91ea12c5b0a50f174bb0803bb60f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c12b6799626af82eaba615bf9deea40636da91ea12c5b0a50f174bb0803bb60f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/core.py"}, "region": {"startLine": 167}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.add_to_output_queue_sync` used but never assigned in __init__: Method `run` of class `AsyncInterpreter` reads `self.add_to_output_queue_sync`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77893, "scanner": "repobility-ast-engine", "fingerprint": "d1c65f8343967a0a096ff37b3471845f0511cab3b9417c5a18078db3413a8afb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d1c65f8343967a0a096ff37b3471845f0511cab3b9417c5a18078db3413a8afb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/archived_server_2.py"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.add_to_output_queue_sync` used but never assigned in __init__: Method `run` of class `AsyncInterpreter` reads `self.add_to_output_queue_sync`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77892, "scanner": "repobility-ast-engine", "fingerprint": "dee9aff791e3111ea5ac9aaf828516aba38efea96e538df205abe6256db6b426", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dee9aff791e3111ea5ac9aaf828516aba38efea96e538df205abe6256db6b426"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/archived_server_2.py"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._add_to_queue` used but never assigned in __init__: Method `add_to_output_queue_sync` of class `AsyncInterpreter` reads `self._add_to_queue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77891, "scanner": "repobility-ast-engine", "fingerprint": "d3fbe96d2c794f8217b23368976551066b6d09f031e5f350db355e441b5f2a61", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d3fbe96d2c794f8217b23368976551066b6d09f031e5f350db355e441b5f2a61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/archived_server_2.py"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._add_to_queue` used but never assigned in __init__: Method `input` of class `AsyncInterpreter` reads `self._add_to_queue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77890, "scanner": "repobility-ast-engine", "fingerprint": "ed981b730a7bfef7dbe308f69fbe6b1e71066376143197fb56b5e0595ea0bfdf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ed981b730a7bfef7dbe308f69fbe6b1e71066376143197fb56b5e0595ea0bfdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/archived_server_2.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.run` used but never assigned in __init__: Method `input` of class `AsyncInterpreter` reads `self.run`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77889, "scanner": "repobility-ast-engine", "fingerprint": "f53da54c39a3c1c2a4432e2ab01ff83ffc33529349f454c371d43eec3752f624", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f53da54c39a3c1c2a4432e2ab01ff83ffc33529349f454c371d43eec3752f624"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/archived_server_2.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.clear_queue` used but never assigned in __init__: Method `clear_output_queue` of class `AsyncInterpreter` reads `self.clear_queue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77888, "scanner": "repobility-ast-engine", "fingerprint": "c6ff7d1ec0ef30407eb3e560f7a15b8227972b8df224712cee19f5b15b86db37", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c6ff7d1ec0ef30407eb3e560f7a15b8227972b8df224712cee19f5b15b86db37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/archived_server_2.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.clear_queue` used but never assigned in __init__: Method `clear_input_queue` of class `AsyncInterpreter` reads `self.clear_queue`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77887, "scanner": "repobility-ast-engine", "fingerprint": "6d45eae09e50b1f13a52c1b2d54bd141173489e0cbec717c7eca0748892823f4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6d45eae09e50b1f13a52c1b2d54bd141173489e0cbec717c7eca0748892823f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/archived_server_2.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_ui: Test function `test_ui` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 77885, "scanner": "repobility-ast-engine", "fingerprint": "21ee55d0f0381a22b350e539d71bbd29618a8d4f3001af5f3fcd74006323dbfa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|21ee55d0f0381a22b350e539d71bbd29618a8d4f3001af5f3fcd74006323dbfa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/archived_server_1.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.files` used but never assigned in __init__: Method `test_edit_original_text_not_in_filedata` of class `TestFiles` reads `self.files`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77880, "scanner": "repobility-ast-engine", "fingerprint": "712d77c8c7ec28c60f1c14099eee5b87573f7c9f0ab8c33d388332b017cdccdc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|712d77c8c7ec28c60f1c14099eee5b87573f7c9f0ab8c33d388332b017cdccdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/core/computer/files/test_files.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertRaises` used but never assigned in __init__: Method `test_edit_original_text_not_in_filedata` of class `TestFiles` reads `self.assertRaises`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77879, "scanner": "repobility-ast-engine", "fingerprint": "4ed126ae5591e0fd5b69c10691168daae8ce19b486385a356d41ebfa1940fade", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4ed126ae5591e0fd5b69c10691168daae8ce19b486385a356d41ebfa1940fade"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/core/computer/files/test_files.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_edit_original_text_not_in_filedata` of class `TestFiles` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77878, "scanner": "repobility-ast-engine", "fingerprint": "729945e3b6ab22c43751e8453bdb68d02ee4124fcf97d89c20b5f23471da0c76", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|729945e3b6ab22c43751e8453bdb68d02ee4124fcf97d89c20b5f23471da0c76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/core/computer/files/test_files.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.files` used but never assigned in __init__: Method `test_edit_original_text_in_filedata` of class `TestFiles` reads `self.files`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77877, "scanner": "repobility-ast-engine", "fingerprint": "c6cf7dd1c5c9c1c056203f798f1b9ad6a961ff2140c78120aceb288b01e16c1e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c6cf7dd1c5c9c1c056203f798f1b9ad6a961ff2140c78120aceb288b01e16c1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/core/computer/files/test_files.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.files` used but never assigned in __init__: Method `test_search` of class `TestFiles` reads `self.files`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77876, "scanner": "repobility-ast-engine", "fingerprint": "889000b505257ae81b6ec204841d94194ec3b51166d73ab28e110df2390a31c3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|889000b505257ae81b6ec204841d94194ec3b51166d73ab28e110df2390a31c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/core/computer/files/test_files.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.files` used but never assigned in __init__: Method `setUp` of class `TestFiles` reads `self.files`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77875, "scanner": "repobility-ast-engine", "fingerprint": "4e572c9ae913119be784c572140c8a936c5f6fe014fcbb75ee6018ffc269aac2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4e572c9ae913119be784c572140c8a936c5f6fe014fcbb75ee6018ffc269aac2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/core/computer/files/test_files.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_edit_original_text_in_filedata: Test function `test_edit_original_text_in_filedata` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 77874, "scanner": "repobility-ast-engine", "fingerprint": "d30a973a668ce2d32091ec58d20dd6a29db1779e255d951478c629afc0c028ed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d30a973a668ce2d32091ec58d20dd6a29db1779e255d951478c629afc0c028ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/core/computer/files/test_files.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_search: Test function `test_search` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 77873, "scanner": "repobility-ast-engine", "fingerprint": "09e817da85b612e52b80c923da71ab31c9e2fa755170f42292803937202fb1ab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|09e817da85b612e52b80c923da71ab31c9e2fa755170f42292803937202fb1ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/core/computer/files/test_files.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.computer` used but never assigned in __init__: Method `test_get_all_computer_tools_signature_and_description` of class `TestComputer` reads `self.computer`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77872, "scanner": "repobility-ast-engine", "fingerprint": "98effeef46840b5b30b64003dbcf60ae9eab24902e5ad7ee24fa0bb2aae6d79d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|98effeef46840b5b30b64003dbcf60ae9eab24902e5ad7ee24fa0bb2aae6d79d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/core/computer/test_computer.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertGreater` used but never assigned in __init__: Method `test_get_all_computer_tools_signature_and_description` of class `TestComputer` reads `self.assertGreater`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77871, "scanner": "repobility-ast-engine", "fingerprint": "9ff996d3e6d803d51ea487e80178a7727f25d24e8bce8b051c933d77ce0feab3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9ff996d3e6d803d51ea487e80178a7727f25d24e8bce8b051c933d77ce0feab3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/core/computer/test_computer.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.computer` used but never assigned in __init__: Method `test_get_all_computer_tools_list` of class `TestComputer` reads `self.computer`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77870, "scanner": "repobility-ast-engine", "fingerprint": "033ba683fc27d2e24c9edab270d08cfcd5c5dd71ad155665bd3cfdd43fa385e5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|033ba683fc27d2e24c9edab270d08cfcd5c5dd71ad155665bd3cfdd43fa385e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/core/computer/test_computer.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_get_all_computer_tools_list` of class `TestComputer` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77869, "scanner": "repobility-ast-engine", "fingerprint": "fc79381370069becdeaacd8c1a4f7155cc4bd1e62ff695d406418160ea7b8459", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fc79381370069becdeaacd8c1a4f7155cc4bd1e62ff695d406418160ea7b8459"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/core/computer/test_computer.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.computer` used but never assigned in __init__: Method `setUp` of class `TestComputer` reads `self.computer`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77868, "scanner": "repobility-ast-engine", "fingerprint": "3f81ab15de1a75a47d79136578a5b9f5daafe4d01fb4bf6f96b3bffeac0f6e01", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3f81ab15de1a75a47d79136578a5b9f5daafe4d01fb4bf6f96b3bffeac0f6e01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/core/computer/test_computer.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_host_and_port_from_env_1` of class `TestServerConstruction` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77867, "scanner": "repobility-ast-engine", "fingerprint": "2c968212bd2afa72e7fcff15a509db6e400413064855703a9c4f6a5ec7d46da7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2c968212bd2afa72e7fcff15a509db6e400413064855703a9c4f6a5ec7d46da7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/core/test_async_core.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_host_and_port_from_env_1` of class `TestServerConstruction` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77866, "scanner": "repobility-ast-engine", "fingerprint": "7de7fa2ac8c333eb55a3e888172363aa32efe846a018d8cb119bff9ed6bd650c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7de7fa2ac8c333eb55a3e888172363aa32efe846a018d8cb119bff9ed6bd650c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/core/test_async_core.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_host_and_port_passed_in` of class `TestServerConstruction` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77865, "scanner": "repobility-ast-engine", "fingerprint": "cef2e4e39d6f06a463c9caa0c9b89cbb6e9ca3a2501ebb058c336f0df81eabec", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cef2e4e39d6f06a463c9caa0c9b89cbb6e9ca3a2501ebb058c336f0df81eabec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/core/test_async_core.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_host_and_port_passed_in` of class `TestServerConstruction` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77864, "scanner": "repobility-ast-engine", "fingerprint": "3f1a52e6de03526b6db5333728d44a3281956c71d1fac7c211d8e8f7085bcafa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3f1a52e6de03526b6db5333728d44a3281956c71d1fac7c211d8e8f7085bcafa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/core/test_async_core.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_host_and_port_defaults` of class `TestServerConstruction` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77863, "scanner": "repobility-ast-engine", "fingerprint": "74a795c60f641fa389bd70e78a18bf5f530507513c4376ab12315607f5effccb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|74a795c60f641fa389bd70e78a18bf5f530507513c4376ab12315607f5effccb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/core/test_async_core.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_host_and_port_defaults` of class `TestServerConstruction` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 77862, "scanner": "repobility-ast-engine", "fingerprint": "20f03fcaff65c88edc77673114b3d550fe53b5ed393efb1886ccc8cca2f7e835", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|20f03fcaff65c88edc77673114b3d550fe53b5ed393efb1886ccc8cca2f7e835"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/core/test_async_core.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `requests.get` inside async function `test_fastapi_server`: `requests.get` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77861, "scanner": "repobility-ast-engine", "fingerprint": "5b722820c9af3bf508101cca8e7443952478c53bd9017339427cc38dec6d3c7b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5b722820c9af3bf508101cca8e7443952478c53bd9017339427cc38dec6d3c7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 624}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `requests.get` inside async function `test_fastapi_server`: 
`requests.get` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77860, "scanner": "repobility-ast-engine", "fingerprint": "7a304f779fe130ab920505f7bcdffcd23c707d77c55b8b03198015efc1c3a487", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7a304f779fe130ab920505f7bcdffcd23c707d77c55b8b03198015efc1c3a487"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 547}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `requests.post` inside async function `test_fastapi_server`: `requests.post` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77859, "scanner": "repobility-ast-engine", "fingerprint": "0f2c99634b480f9acf8fd686d8f63946ee84a7e39283a9eeb63e2059a5db7ae6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0f2c99634b480f9acf8fd686d8f63946ee84a7e39283a9eeb63e2059a5db7ae6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 643}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `requests.post` inside async function `test_fastapi_server`: `requests.post` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77858, "scanner": "repobility-ast-engine", "fingerprint": "7ef59e97931569baefc67bf7cab7fa86514f3a4f6ded03797ab0e0bce456ba1d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7ef59e97931569baefc67bf7cab7fa86514f3a4f6ded03797ab0e0bce456ba1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 564}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `requests.post` inside async function `test_fastapi_server`: `requests.post` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77857, "scanner": "repobility-ast-engine", "fingerprint": "72638d92c0b5412f57cbec9e7a2430408301f58cb1db83e8e3cbd2925b72463a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|72638d92c0b5412f57cbec9e7a2430408301f58cb1db83e8e3cbd2925b72463a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 482}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `requests.get` inside async function `test_fastapi_server`: `requests.get` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77856, "scanner": "repobility-ast-engine", "fingerprint": "73d55e6b94311dd5827c30b5d31f80b0a5d740fb6e1a8ccb384f9675fa652090", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|73d55e6b94311dd5827c30b5d31f80b0a5d740fb6e1a8ccb384f9675fa652090"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 428}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_fastapi_server`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77855, "scanner": "repobility-ast-engine", "fingerprint": "37d7be7507fc57b41e7aaf6a3519389b8a50032be633e4ecc1df2afd9afda097", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|37d7be7507fc57b41e7aaf6a3519389b8a50032be633e4ecc1df2afd9afda097"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 424}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `requests.post` inside async function `test_fastapi_server`: `requests.post` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77854, "scanner": "repobility-ast-engine", "fingerprint": "5ad2da6d04e14e9bb29482d24877e34ef0b87bdfc8c4dbf9887678ef68f379ce", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5ad2da6d04e14e9bb29482d24877e34ef0b87bdfc8c4dbf9887678ef68f379ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 385}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `requests.post` inside async function `test_fastapi_server`: `requests.post` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77853, "scanner": "repobility-ast-engine", "fingerprint": "4087b288a0f81f2d7e80879db6eb74b77232e00a6c741f44ab3b1ec52fc5126a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4087b288a0f81f2d7e80879db6eb74b77232e00a6c741f44ab3b1ec52fc5126a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 336}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `requests.post` inside async function `test_fastapi_server`: `requests.post` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77852, "scanner": "repobility-ast-engine", "fingerprint": "f2b5ecfc23b6652e05362d132aa408ddb1238ecb21cd9aedaeaae91e1e379524", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f2b5ecfc23b6652e05362d132aa408ddb1238ecb21cd9aedaeaae91e1e379524"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 280}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_fastapi_server`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77851, "scanner": "repobility-ast-engine", "fingerprint": "9fe773bfb7b784fa735ed786b7295a5f41019304933bf299694eabbaa1a25199", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9fe773bfb7b784fa735ed786b7295a5f41019304933bf299694eabbaa1a25199"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 217}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_fastapi_server`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77850, "scanner": "repobility-ast-engine", "fingerprint": "0b3d9271e446cdef30afbe3d4a374cccb1bb7c7805dc40e8c1a49835b732149a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0b3d9271e446cdef30afbe3d4a374cccb1bb7c7805dc40e8c1a49835b732149a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 214}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `requests.post` inside async function `test_fastapi_server`: `requests.post` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77849, "scanner": "repobility-ast-engine", "fingerprint": "727f7c4f549ed26d86559f7db28507e2eb33787330519a590c185a0b96822036", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|727f7c4f549ed26d86559f7db28507e2eb33787330519a590c185a0b96822036"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `test_fastapi_server`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 77848, "scanner": "repobility-ast-engine", "fingerprint": "a660d00e4b2f13c4d50d575c2caaf47a60378f9a04b7408d22a11b89eafcb2c2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a660d00e4b2f13c4d50d575c2caaf47a60378f9a04b7408d22a11b89eafcb2c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_fastapi_server: Test function `test_fastapi_server` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 77847, "scanner": "repobility-ast-engine", "fingerprint": "b42b64e0a514bebbde6d0d4d1ba96882e760bd5a51299ad7961e6c28882a5f13", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b42b64e0a514bebbde6d0d4d1ba96882e760bd5a51299ad7961e6c28882a5f13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_markdown: Test function `test_markdown` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 77846, "scanner": "repobility-ast-engine", "fingerprint": "3d92246bfb4e46ce100464f6ef03e7989af909a50e16f5ba3fb5c7fd464a5b11", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3d92246bfb4e46ce100464f6ef03e7989af909a50e16f5ba3fb5c7fd464a5b11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 1289}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_nested_loops_and_multiple_newlines: Test function `test_nested_loops_and_multiple_newlines` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 77845, "scanner": "repobility-ast-engine", "fingerprint": "91ba258f6e0cb0815967d854a1954e2a4d5fe06cb35def3669f7db9e94203360", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|91ba258f6e0cb0815967d854a1954e2a4d5fe06cb35def3669f7db9e94203360"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 1271}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_delayed_exec: Test function `test_delayed_exec` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 77844, "scanner": "repobility-ast-engine", "fingerprint": "27ab838f6e95ced00a16fba2884337d5d68c4f47bb2f29b4ee808b1a5b6b3b36", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|27ab838f6e95ced00a16fba2884337d5d68c4f47bb2f29b4ee808b1a5b6b3b36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 1265}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_vision: Test function `test_vision` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 77843, "scanner": "repobility-ast-engine", "fingerprint": "bf386383ba81b609d0f51f0461ea8301995d46ab5102bf0c6ea9c95086ca7e91", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bf386383ba81b609d0f51f0461ea8301995d46ab5102bf0c6ea9c95086ca7e91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 1140}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_files: Test function `test_files` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 77842, "scanner": "repobility-ast-engine", "fingerprint": "f3557dfca769162bf05a0dd4c76d0b62daeeb41fc6cb68bd2f13b28709aa5b07", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f3557dfca769162bf05a0dd4c76d0b62daeeb41fc6cb68bd2f13b28709aa5b07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 1126}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_spotlight: Test function `test_spotlight` runs code but contains no assert / expect / should call \u2014 it passes regardless of 
behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 77841, "scanner": "repobility-ast-engine", "fingerprint": "c2a3687831c0c8241e11104c3690ae4da51aec639fa9b186ca84a124698f3654", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c2a3687831c0c8241e11104c3690ae4da51aec639fa9b186ca84a124698f3654"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 1122}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_async: Test function `test_async` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 77840, "scanner": "repobility-ast-engine", "fingerprint": "21742ef7d37c4abed87bc51ed5b1bc43b6fa84f79101f5e64f97fe6f69b7f0b1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|21742ef7d37c4abed87bc51ed5b1bc43b6fa84f79101f5e64f97fe6f69b7f0b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 1023}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_m_vision: Test function `test_m_vision` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 77839, "scanner": "repobility-ast-engine", "fingerprint": "374faf6443b84dbcb11450c35ba3c60c1e31d814c6af71a5e08c18e1693ff10e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|374faf6443b84dbcb11450c35ba3c60c1e31d814c6af71a5e08c18e1693ff10e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 786}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_ai_chat: Test function `test_ai_chat` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 77838, "scanner": "repobility-ast-engine", "fingerprint": "7390dc2890b9d562bf3687e98a03245b5eba57fc5cae90add33e3864312ec0c5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7390dc2890b9d562bf3687e98a03245b5eba57fc5cae90add33e3864312ec0c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 689}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_authenticated_acknowledging_breaking_server: Test function `test_authenticated_acknowledging_breaking_server` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 77837, "scanner": "repobility-ast-engine", "fingerprint": "872075c3bdf300c4331adc32a5f932570527901b91daef9ad9a9f1198d5f0bad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|872075c3bdf300c4331adc32a5f932570527901b91daef9ad9a9f1198d5f0bad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/test_interpreter.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED021", "level": "error", "message": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape. An absolute `filename` also makes os.path.join discard `user_dir`. Before acting, confirm that `filename` can be influenced by untrusted input at this call site; if it can, resolve the joined path and verify it is still inside the intended base directory."}, "properties": {"repobilityId": 77791, "scanner": "repobility-threat-engine", "fingerprint": "9517a5ff1592c3fe6a4e1911bf11471ec052aa78250530998ab52c5d46d60e83", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "path-traversal-os-join", "owasp": "A01:2021", "cwe_ids": ["CWE-22"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347947+00:00", "triaged_in_corpus": 15, "observations_count": 45678, "ai_coder_pattern_id": 31}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9517a5ff1592c3fe6a4e1911bf11471ec052aa78250530998ab52c5d46d60e83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/magic_commands.py"}, "region": {"startLine": 218}}}]}, {"ruleId": "MINED021", "level": "error", "message": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where 
filename can contain \"../\" \u2014 directory escape."}, "properties": {"repobilityId": 77790, "scanner": "repobility-threat-engine", "fingerprint": "cacebd6695bdc932fe8916b0ad7b0cefdbf88dd891b06c9e6841c0471187230f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "path-traversal-os-join", "owasp": "A01:2021", "cwe_ids": ["CWE-22"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347947+00:00", "triaged_in_corpus": 15, "observations_count": 45678, "ai_coder_pattern_id": 31}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cacebd6695bdc932fe8916b0ad7b0cefdbf88dd891b06c9e6841c0471187230f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/contributing_conversations.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED021", "level": "error", "message": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "properties": {"repobilityId": 77789, "scanner": "repobility-threat-engine", "fingerprint": "9eae4ca48c82a8accdec6015e4c95e5ee49cdf3c905f29d7691ca45bb671e40b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "path-traversal-os-join", "owasp": "A01:2021", "cwe_ids": ["CWE-22"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347947+00:00", "triaged_in_corpus": 15, "observations_count": 45678, "ai_coder_pattern_id": 31}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9eae4ca48c82a8accdec6015e4c95e5ee49cdf3c905f29d7691ca45bb671e40b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"interpreter/core/utils/telemetry.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED034", "level": "error", "message": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection when any part of the command string is built from untrusted input; prefer passing an argument list without shell=True."}, "properties": {"repobilityId": 77788, "scanner": "repobility-threat-engine", "fingerprint": "c8f315aea3e5eb23ded26ebf258e3655ed89c2fb9341917d245faf2cddc846b4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-subprocess-shell-true", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347977+00:00", "triaged_in_corpus": 15, "observations_count": 3478, "ai_coder_pattern_id": 118}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c8f315aea3e5eb23ded26ebf258e3655ed89c2fb9341917d245faf2cddc846b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/utils/scan_code.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. 
Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 77781, "scanner": "repobility-threat-engine", "fingerprint": "5c9ec359e1ad79ae00fe3e912740344a5a251318ac6cbdf64269a92c48d7c623", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r'class\\s+(\\w+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|36|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/computer/terminal/languages/java.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. 
Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 77780, "scanner": "repobility-threat-engine", "fingerprint": "ea264521f6e0cc3c7d25e8a9716d5a50556a66221b152e7a7aedceb9f93221dd", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"Can\u2019t get item (\\d+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|47|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/computer/mail/mail.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 77779, "scanner": "repobility-threat-engine", "fingerprint": "0ad906d7134dbf8b8a3f1fa3d09370ba33129255d16e36f08fea920509ccc21f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(skill_string", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0ad906d7134dbf8b8a3f1fa3d09370ba33129255d16e36f08fea920509ccc21f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/computer/skills/skills.py"}, "region": {"startLine": 256}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 77778, "scanner": "repobility-threat-engine", "fingerprint": "56d0fd3a1bc3477cc3d29e691fd03d94961b75e7e67652e58345cb85a4d9e321", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(self", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|56d0fd3a1bc3477cc3d29e691fd03d94961b75e7e67652e58345cb85a4d9e321"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/computer/computer.py"}, "region": {"startLine": 193}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 77775, "scanner": "repobility-threat-engine", "fingerprint": "4acf4b5a288e9e98b3bc3aca6ef8468a4adafb9a88af86e3334fb39791133328", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(base_url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4acf4b5a288e9e98b3bc3aca6ef8468a4adafb9a88af86e3334fb39791133328"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/defaults/screenpipe.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 77774, "scanner": "repobility-threat-engine", "fingerprint": "c141962f37d84bee6cb751434726b04945417e089b8da19a33b2b03c36567e89", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c141962f37d84bee6cb751434726b04945417e089b8da19a33b2b03c36567e89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/computer/browser/browser.py"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC006", "level": "error", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 77766, "scanner": "repobility-threat-engine", "fingerprint": "95998d2fbcf05156afd6c52343f6993b5a08bb5de06dcfa599dedcb9fa0a2cd0", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = '<b>' + i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|90|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/archived_server_1.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 77764, "scanner": "repobility-threat-engine", "fingerprint": 
"ff70eefdd04d9270a00d33c64c1159a45afbc919aeba9bf7af6ba03d069db7c8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ff70eefdd04d9270a00d33c64c1159a45afbc919aeba9bf7af6ba03d069db7c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/archived_server_2.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 77763, "scanner": "repobility-threat-engine", "fingerprint": "b2fcf096c41e0746cf95cf0549a5f103cc4cb0b3d1aa74ac5a55508b221ab470", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b2fcf096c41e0746cf95cf0549a5f103cc4cb0b3d1aa74ac5a55508b221ab470"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/archived_server_1.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] 
Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 77762, "scanner": "repobility-threat-engine", "fingerprint": "6e0dadcbe44269d88d0930b6b9f151650037738ac013dd71e4b74d269acaf554", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6e0dadcbe44269d88d0930b6b9f151650037738ac013dd71e4b74d269acaf554"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/tools/run.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED036", "level": "error", "message": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "properties": {"repobilityId": 77761, "scanner": "repobility-threat-engine", "fingerprint": "87fec813cd54e099d0de655ed04c315221fe69696e76bc0134bb39bdd4bcb2ea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-os-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347982+00:00", "triaged_in_corpus": 15, "observations_count": 2221, "ai_coder_pattern_id": 117}, "scanner": "repobility-threat-engine", "correlation_key": "fp|87fec813cd54e099d0de655ed04c315221fe69696e76bc0134bb39bdd4bcb2ea"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "interpreter/core/computer/keyboard/keyboard.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED036", "level": "error", "message": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "properties": {"repobilityId": 77760, "scanner": "repobility-threat-engine", "fingerprint": "ee187f651e793383211acdc69fe5a3dd103e2b37c54ea79ae1dea1694ee243d6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-os-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347982+00:00", "triaged_in_corpus": 15, "observations_count": 2221, "ai_coder_pattern_id": 117}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ee187f651e793383211acdc69fe5a3dd103e2b37c54ea79ae1dea1694ee243d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/tools/computer.py"}, "region": {"startLine": 185}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 77758, "scanner": "repobility-threat-engine", "fingerprint": "85fb12f82914b0f5b78965d4662471b2f67b9c657c8d98f698eddb36a6badb94", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "img.save(buffered, format=extension)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|85fb12f82914b0f5b78965d4662471b2f67b9c657c8d98f698eddb36a6badb94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/llm/utils/convert_to_openai_messages.py"}, "region": {"startLine": 184}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 77757, "scanner": "repobility-threat-engine", "fingerprint": "68fce44288508d2a84f6f205b5c6f13a74ec23cb66d584094ba439d41d513f24", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pil_image.save(temp_file, format=\"PNG\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|68fce44288508d2a84f6f205b5c6f13a74ec23cb66d584094ba439d41d513f24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/computer/vision/vision.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 77756, "scanner": "repobility-threat-engine", "fingerprint": "967fcbd02d0f62270206cbd8068da052cff159d0d66163c5136ad36d7d26c26b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "img.save(path)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|967fcbd02d0f62270206cbd8068da052cff159d0d66163c5136ad36d7d26c26b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/tools/computer.py"}, "region": {"startLine": 239}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `__call__` has cognitive complexity 44 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: elif=7, else=4, if=11, nested_bonus=22."}, "properties": {"repobilityId": 77743, "scanner": "repobility-threat-engine", "fingerprint": "44947ff899577c9055f03ee2a6e7676ba632315e027b09349deba8223fb7815f", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 44 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "__call__", "breakdown": {"if": 11, "elif": 7, "else": 4, "nested_bonus": 22}, "complexity": 44, "correlation_key": "fp|44947ff899577c9055f03ee2a6e7676ba632315e027b09349deba8223fb7815f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/tools/computer.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 77735, "scanner": "repobility-threat-engine", "fingerprint": "96c9495727cbb808e7523daa810226cc98b623b0fed6b5c88b54ed2d2b3123f5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|96c9495727cbb808e7523daa810226cc98b623b0fed6b5c88b54ed2d2b3123f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/computer/browser/browser.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 77734, "scanner": "repobility-threat-engine", "fingerprint": "f44302fdbe40f73d4a80b3b79addc98ecc5ab1899ffe5820fb42bfe176c464a2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f44302fdbe40f73d4a80b3b79addc98ecc5ab1899ffe5820fb42bfe176c464a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/computer_use/unused_markdown.py"}, "region": {"startLine": 204}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 77733, "scanner": "repobility-threat-engine", "fingerprint": "2714be42b3332f0cb6cd5cef2e4af915be74cb05732a40e5bd5a869169f9da9d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2714be42b3332f0cb6cd5cef2e4af915be74cb05732a40e5bd5a869169f9da9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/__init__.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.OPENAI_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.OPENAI_API_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 77939, "scanner": "repobility-supply-chain", "fingerprint": "c12f9572ff48c9df06496af4fcb24ff0424fc01a247f9a31ef8e6c27f13878bb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c12f9572ff48c9df06496af4fcb24ff0424fc01a247f9a31ef8e6c27f13878bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/python-package.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 77886, "scanner": "repobility-ast-engine", "fingerprint": "b591299243d3eca0fb2a95937d1af25e3345c2e2c5d3e48b65391c9f0e6a0332", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b591299243d3eca0fb2a95937d1af25e3345c2e2c5d3e48b65391c9f0e6a0332"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/core/archived_server_2.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 77800, "scanner": "repobility-threat-engine", "fingerprint": "de43719cb016242ed68c526ff0f9b0daacba53301338f22e699d8cce51ba0378", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgresql://{db_user}:{db_password}@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|1|postgresql:// db_user : db_password"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "interpreter/terminal_interface/profiles/defaults/llama31-database.py"}, "region": {"startLine": 19}}}]}]}]}