{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED083", "name": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool.", "shortDescription": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-664 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 6 more): Same pattern found in 6 additional files. ", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED081", "name": "[MINED081] Java Printstacktrace (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED081] Java Printstacktrace (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 10 more): Same pattern found in 10 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC024", "name": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default.", "shortDescription": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of servic"}, "fullDescription": {"text": "Disable DTDs and external entities before parsing:\n  factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n  factory.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n  factory.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n  factory.setXIncludeAware(false);\nOr set FEATURE_SECURE_PROCESSING on the factory."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo", "shortDescription": {"text": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "fullDescription": {"text": "`gradle/wrapper/gradle-wrapper.jar` is a .jar binary (46,175 bytes) committed to a repo that otherwise has 1244 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/upload-artifact` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1139"}, "properties": {"repository": "PGMDev/PGM", "repoUrl": "https://github.com/PGMDev/PGM", "branch": "dev"}, "results": [{"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 113203, "scanner": "repobility-threat-engine", "fingerprint": "99c953ef46c21c6e829cfbb846fc68605860a0addf6d1d58db82012f4a50893f", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new Function(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|10|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "util/src/main/java/tc/oc/pgm/util/math/AddedFunctions.java"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 113202, "scanner": "repobility-threat-engine", "fingerprint": "b23e58c3baf610958d724b4a0582bd706cfe791e1223a0f22fbe8104ba778148", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new Function(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|127|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/tc/oc/pgm/variables/VariablesModule.java"}, "region": {"startLine": 127}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 113197, "scanner": "repobility-threat-engine", "fingerprint": "e188ed3ffeb3a96cf496808a343f0fad9fb02f45eaf8d0d2e331be602983db9c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "iveScores.higherEntry(Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e188ed3ffeb3a96cf496808a343f0fad9fb02f45eaf8d0d2e331be602983db9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/tc/oc/pgm/rotation/vote/MapVotePicker.java"}, "region": {"startLine": 126}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 113192, "scanner": "repobility-threat-engine", "fingerprint": "cf28139c1e9a8364b452c9b334d687d3c984394166e65b1f9ad494ff42866dba", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Exceeded max search visits (\" + MAX_SEARCH_VISITS_PER_TICK + \") for this tick\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cf28139c1e9a8364b452c9b334d687d3c984394166e65b1f9ad494ff42866dba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/tc/oc/pgm/fallingblocks/FallingBlocksMatchModule.java"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 113191, "scanner": "repobility-threat-engine", "fingerprint": "9a74d14ca5ecc2101d045cac9bb1c48c00bda53b10cf72149b6d78757b905511", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\", lastPlayed=\"\n        + lastPlayed + \", lastDuration=\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9a74d14ca5ecc2101d045cac9bb1c48c00bda53b10cf72149b6d78757b905511"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/tc/oc/pgm/db/MapDataImpl.java"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 113190, "scanner": "repobility-threat-engine", "fingerprint": "b510ffc286995fbc33a4662edd45d380f62c4c847b2c2bbca5013d3965c4e359", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.fine(\"STARTING countdown \" + countdown + \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b510ffc286995fbc33a4662edd45d380f62c4c847b2c2bbca5013d3965c4e359"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/tc/oc/pgm/countdowns/CountdownRunner.java"}, "region": {"startLine": 59}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113176, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b59014a05decef441152466d98214623894b5c053461910b447c224372555ba5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/main/java/tc/oc/pgm/filters/matcher/match/MonostableFilter.java", "duplicate_line": 66, "correlation_key": "fp|b59014a05decef441152466d98214623894b5c053461910b447c224372555ba5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/tc/oc/pgm/filters/matcher/match/PulseFilter.java"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113175, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9a1dcb1b1bb1099dd0c7f56fd8e9a8a6013b17fcf2b2a2e9c326c6450fa3c723", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/main/java/tc/oc/pgm/api/match/event/MatchStatsEvent.java", "duplicate_line": 25, "correlation_key": "fp|9a1dcb1b1bb1099dd0c7f56fd8e9a8a6013b17fcf2b2a2e9c326c6450fa3c723"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/tc/oc/pgm/events/PlayerJoinResultEvent.java"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113174, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e511e47510c4ebfff3425ed5900c3d4acba9cdc67f2dcf79feb7284fd7489206", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/main/java/tc/oc/pgm/events/CountdownCancelEvent.java", "duplicate_line": 10, "correlation_key": "fp|e511e47510c4ebfff3425ed5900c3d4acba9cdc67f2dcf79feb7284fd7489206"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/tc/oc/pgm/events/CountdownStartEvent.java"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113173, "scanner": "repobility-ai-code-hygiene", "fingerprint": "147f9f10e524979edb23d40d0b2e8e166660d356309ca3fcc4f15e4dc795c42e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/main/java/tc/oc/pgm/events/CountdownCancelEvent.java", "duplicate_line": 10, "correlation_key": "fp|147f9f10e524979edb23d40d0b2e8e166660d356309ca3fcc4f15e4dc795c42e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/tc/oc/pgm/events/CountdownEndEvent.java"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113172, "scanner": "repobility-ai-code-hygiene", "fingerprint": "77e6b683cb50462caa21c08f6dfd306f944779680ee8b3810688ab80f482af73", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/main/java/tc/oc/pgm/core/CoreModule.java", "duplicate_line": 145, "correlation_key": "fp|77e6b683cb50462caa21c08f6dfd306f944779680ee8b3810688ab80f482af73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/tc/oc/pgm/destroyable/DestroyableModule.java"}, "region": {"startLine": 125}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113171, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9cf4991cdacd992ed8352bca592718fefc62fe1db3d55d71ced2c9743bbe9887", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/main/java/tc/oc/pgm/core/Core.java", "duplicate_line": 82, "correlation_key": "fp|9cf4991cdacd992ed8352bca592718fefc62fe1db3d55d71ced2c9743bbe9887"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/tc/oc/pgm/destroyable/Destroyable.java"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 113204, "scanner": "repobility-threat-engine", "fingerprint": "588fa31d221d266c1ccc070068a1c9a803ff07c1de473b34e6f0ba082f727a9d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|588fa31d221d266c1ccc070068a1c9a803ff07c1de473b34e6f0ba082f727a9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/main/java/tc/oc/pgm/server/PGMServer.java"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 113201, "scanner": "repobility-threat-engine", "fingerprint": "3c313ffa90def2891347230f1e2f1593c7d77b045fc2c100f98fcea101f1327d", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3c313ffa90def2891347230f1e2f1593c7d77b045fc2c100f98fcea101f1327d"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 113200, "scanner": "repobility-threat-engine", "fingerprint": "d05d33b619b1ef479c496949d5b51548a61f943b63821c0979a41299f2282198", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|25|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platform/platform-modern/src/main/java/tc/oc/pgm/platform/modern/material/ModernRecipeUtils.java"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 113199, "scanner": "repobility-threat-engine", "fingerprint": "d75dc960880e9b2e5ea4a8b619500d665c3bd0d8876c7d28adae0072b86ae47e", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|28|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "platform/platform-modern/src/main/java/tc/oc/pgm/platform/modern/inventory/ModernAttributeUtil.java"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 113198, "scanner": "repobility-threat-engine", "fingerprint": "06cbcff4f87241293bb204879120f263c2846a1832bcb56660de77b19b5b8e70", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|80|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/tc/oc/pgm/structure/StructureModule.java"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "properties": {"repobilityId": 113193, "scanner": "repobility-threat-engine", "fingerprint": "c954db5209d912985723d805431a5bfcaecf940534fa8998411f625de1bb227d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 21 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 21 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c954db5209d912985723d805431a5bfcaecf940534fa8998411f625de1bb227d"}}}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 113189, "scanner": "repobility-threat-engine", "fingerprint": "2eedcdec5adf053abc4bf396e00cba61d478c13e711675908ce91342788a1fb3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2eedcdec5adf053abc4bf396e00cba61d478c13e711675908ce91342788a1fb3", "aggregated_count": 2}}}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 113188, "scanner": "repobility-threat-engine", "fingerprint": "14db5d71a61af71ead96fb95e6d192c8a8a8ba937130a898ba438d37edc18a31", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|14db5d71a61af71ead96fb95e6d192c8a8a8ba937130a898ba438d37edc18a31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/tc/oc/pgm/listeners/InitialMatchLoader.java"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 113187, "scanner": "repobility-threat-engine", "fingerprint": "333917b2c19ba5dd123e9b5a52e69ad58b64d67062572a29456c605b7629c376", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|333917b2c19ba5dd123e9b5a52e69ad58b64d67062572a29456c605b7629c376"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/tc/oc/pgm/db/SQLDatastore.java"}, "region": {"startLine": 235}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 113186, "scanner": "repobility-threat-engine", "fingerprint": "4f0c180c31f053e2e8f36e09feb912d30709656003f0b79935305b204ddcda07", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4f0c180c31f053e2e8f36e09feb912d30709656003f0b79935305b204ddcda07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/tc/oc/pgm/command/util/CommandGraph.java"}, "region": {"startLine": 163}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 113185, "scanner": "repobility-threat-engine", "fingerprint": "b716e452fc69f198dd09d9395b6a9646e9c76178cc7a871b1d6ec822f8589b1c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b716e452fc69f198dd09d9395b6a9646e9c76178cc7a871b1d6ec822f8589b1c"}}}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 113196, "scanner": "repobility-threat-engine", "fingerprint": "27638838ebd4876391c24946ca338391c8b36e891aacd41f39dfe7ea73c6b368", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "SAXBuilder()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|27638838ebd4876391c24946ca338391c8b36e891aacd41f39dfe7ea73c6b368"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/tc/oc/pgm/map/includes/MapIncludeProcessorImpl.java"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 113195, "scanner": "repobility-threat-engine", "fingerprint": "d101c01bdf075c6e82f7446411415d17c30f608a80f16cbf58b0cd6c31534dfc", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "SAXBuilder()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d101c01bdf075c6e82f7446411415d17c30f608a80f16cbf58b0cd6c31534dfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/tc/oc/pgm/map/MapFilePreprocessor.java"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 113194, "scanner": "repobility-threat-engine", "fingerprint": "b912064a3489af9e54c5e7a369cd2666ceb9a27728b18dcd17fb7a0df7256458", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b912064a3489af9e54c5e7a369cd2666ceb9a27728b18dcd17fb7a0df7256458"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/tc/oc/pgm/join/JoinMatchModule.java"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 113184, "scanner": "repobility-threat-engine", "fingerprint": "da2cc54a999269214c89ac6c4849c51863bee262be733eba966310b127759bda", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "SettingKey.CHAT.update(sender);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|da2cc54a999269214c89ac6c4849c51863bee262be733eba966310b127759bda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/tc/oc/pgm/channels/ChatManager.java"}, "region": {"startLine": 132}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 113183, "scanner": "repobility-threat-engine", "fingerprint": "1afeed6c1ddb83fd506bd128739b548e3c6260010e7ddaee6c70a8a4e1d0870d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "state.update(true, true);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1afeed6c1ddb83fd506bd128739b548e3c6260010e7ddaee6c70a8a4e1d0870d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/tc/oc/pgm/blockdrops/BlockDropsMatchModule.java"}, "region": {"startLine": 146}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 113182, "scanner": "repobility-threat-engine", "fingerprint": "cf8b524aba61b00d4d547453e16d529a539852d4f8e781e9ddace0b4ee834538", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "newState.update(true, update);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cf8b524aba61b00d4d547453e16d529a539852d4f8e781e9ddace0b4ee834538"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/main/java/tc/oc/pgm/action/actions/FillAction.java"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "properties": {"repobilityId": 113181, "scanner": "repobility-supply-chain", "fingerprint": "e2b2941256bb00bcea86f3210c442cc86a6e12532e912731b9d72756a556437f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2b2941256bb00bcea86f3210c442cc86a6e12532e912731b9d72756a556437f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 113180, "scanner": "repobility-supply-chain", "fingerprint": "b2367f58561f4713221005494d6019455d5166be6b933de9e15e82e46189cff1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b2367f58561f4713221005494d6019455d5166be6b933de9e15e82e46189cff1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `gradle/actions/setup-gradle` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 113179, "scanner": "repobility-supply-chain", "fingerprint": "a97f095a666695da56b4a69f2dcd6bc71dcaebb929417d9a1a5c9db0224d630a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a97f095a666695da56b4a69f2dcd6bc71dcaebb929417d9a1a5c9db0224d630a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 113178, "scanner": "repobility-supply-chain", "fingerprint": "8df18c523b44106a56c4fdf2dd5b269605e41718c4020feb1d07ad6cf5dc84e2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8df18c523b44106a56c4fdf2dd5b269605e41718c4020feb1d07ad6cf5dc84e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 113177, "scanner": "repobility-supply-chain", "fingerprint": "671b3b75a8bd4cccea24d79b06e8ce00da6428f14daebf7c6ceeb43df6b178e3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|671b3b75a8bd4cccea24d79b06e8ce00da6428f14daebf7c6ceeb43df6b178e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 17}}}]}]}]}