{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED124", "name": "[MINED124] requirements.txt: `myst-parser[linkify]` has no version pin: Unpinned pip requirement means every fresh insta", "shortDescription": {"text": "[MINED124] requirements.txt: `myst-parser[linkify]` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Repro"}, "fullDescription": {"text": "Replace `myst-parser[linkify]` with `myst-parser[linkify]==<version>` and manage upgrades through PRs / Dependabot."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "[MINED109] Mutable default argument in `get_flight` (dict): `def get_flight(... = []/{}/set())` \u2014 Python's default value", "shortDescription": {"text": "[MINED109] Mutable default argument in `get_flight` (dict): `def get_flight(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. 
Mutating it in one call mutates it for eve"}, "fullDescription": {"text": "Use None as the default and create the collection inside the function: `def get_flight(x=None): x = x or []`"}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `impala` image uses the latest tag", "shortDescription": {"text": "Compose service `impala` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `postgres` image has no explicit tag", "shortDescription": {"text": "Compose service `postgres` image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC005", "name": "Compose service adds dangerous Linux capabilities", "shortDescription": {"text": "Compose service adds dangerous Linux capabilities"}, "fullDescription": {"text": "Drop all capabilities by default and add only narrowly required capabilities after review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", 
"confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC115", "name": "[SEC115] Decompression without size cap (zip/gzip bomb): Decompressing untrusted archives without a size or ratio cap \u2192 ", "shortDescription": {"text": "[SEC115] Decompression without size cap (zip/gzip bomb): Decompressing untrusted archives without a size or ratio cap \u2192 memory/disk exhaustion DoS (10kb \u2192 4GB classic 'zip bomb')."}, "fullDescription": {"text": "Wrap reader with `io.LimitReader(r, MAX_BYTES)`. In Python, iterate `ZipFile.infolist()` and check each entry's `file_size`. Cap total uncompressed bytes (e.g. 
100MB)."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC127", "name": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedEr", "shortDescription": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or "}, "fullDescription": {"text": "Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. 
A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. 
Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC003", "name": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code.", "shortDescription": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "fullDescription": {"text": "Never commit secrets. Use .env files with .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `print_unpack_k` has cognitive complexity 16 (SonarSource scale). Cognitiv", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `print_unpack_k` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursio"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. 
SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 16."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": 
"repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the 
language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED022", "name": "[MINED022] C Strcpy (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED022] C Strcpy (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-120 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED046", "name": "[MINED046] Dart Print (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED046] Dart Print (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED072", "name": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in.", "shortDescription": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED047", "name": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested.", "shortDescription": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED001] Bare Except Pass (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED069", "name": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files.", "shortDescription": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-489 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 22 more): Same pattern found in 22 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete (and 44 more): Same pattern found in 44 additional files. Review if needed.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete (and 44 more): Same pattern found in 44 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path (and 7 more): Same pattern found in 7 additional files. 
Review if need", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 169 more): Same pattern found in 169 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 169 more): Same pattern found in 169 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Also block loopback (127/8) and the IPv6 equivalents, and apply the check to the resolved IP address, not only to the hostname."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `conda-python-no-numpy` unpinned: `container/services image: conda-python-n", "shortDescription": {"text": "[MINED126] Workflow container/services image `conda-python-no-numpy` unpinned: `container/services image: conda-python-no-numpy` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the sa"}, "fullDescription": {"text": "Replace with `conda-python-no-numpy@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `mcr.microsoft.com/windows/servercore:ltsc2022` not pinned by digest: `FROM mcr.microsoft.com", "shortDescription": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/windows/servercore:ltsc2022` not pinned by digest: `FROM mcr.microsoft.com/windows/servercore:ltsc2022` resolves the tag at build time. The registry CAN re-push a different image for the same ta"}, "fullDescription": {"text": "Replace with: `FROM mcr.microsoft.com/windows/servercore:ltsc2022@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "[MINED131] pre-commit hook `https://github.com/trim21/pre-commit-mirror-meson` pinned to mutable rev `v1.9.0`: `.pre-com", "shortDescription": {"text": "[MINED131] pre-commit hook `https://github.com/trim21/pre-commit-mirror-meson` pinned to mutable rev `v1.9.0`: `.pre-commit-config.yaml` references `https://github.com/trim21/pre-commit-mirror-meson` at `rev: v1.9.0`. 
If `v1.9.0` is a branch"}, "fullDescription": {"text": "Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate --freeze` (which writes to PRs that are reviewed); without `--freeze`, autoupdate rewrites `rev` back to a tag."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_dataset_factory_inspect_bad_params: Test function `test_dataset_factory_inspect_b", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_dataset_factory_inspect_bad_params: Test function `test_dataset_factory_inspect_bad_params` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line covera"}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.val` used but never assigned in __init__: Method `to_string` of class `FixedSizeBinaryTypePrinter` read", "shortDescription": {"text": "[MINED108] `self.val` used but never assigned in __init__: Method `to_string` of class `FixedSizeBinaryTypePrinter` reads `self.val`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the f"}, "fullDescription": {"text": "Initialize `self.val = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "MINED017", "name": "[MINED017] C System Call: system() invokes shell. command injection if any arg is dynamic.", "shortDescription": {"text": "[MINED017] C System Call: system() invokes shell. command injection if any arg is dynamic."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED029", "name": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlins null safety.", "shortDescription": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlins null safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC113", "name": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impe", "shortDescription": {"text": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`."}, "fullDescription": {"text": "Python: load `~/.ssh/known_hosts` and use `paramiko.RejectPolicy()`. Go: implement a `ssh.HostKeyCallback` that compares against a known fingerprint. Java JSch: load known_hosts via `jsch.setKnownHosts(...)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED010", "name": "[MINED010] Ruby System Call: system / backtick run shell. Command injection if any arg dynamic.", "shortDescription": {"text": "[MINED010] Ruby System Call: system / backtick run shell. 
Command injection if any arg dynamic."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED099", "name": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded dir", "shortDescription": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "fullDescription": {"text": "Move the secret to an environment variable or secret manager. Rotate the exposed credential immediately \u2014 assume it is compromised."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.DOCKERHUB_USER` on a `pull_request` trigger: This workflow triggers on `pull_request`,", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USER` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${{ secrets.DOCKERHUB_USER }}` lets a PR from any fork exfiltrate the secr"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed. Note that GitHub withholds repository secrets from fork-triggered `pull_request` runs but exposes them to `pull_request_target`, so after switching, a job that can read the secret must never check out or execute the pull request's head."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. T", "shortDescription": {"text": "[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import stat` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "SEC009", "name": "[SEC009] .env File Committed: .env file with secrets committed to repository.", "shortDescription": {"text": "[SEC009] .env File Committed: .env file with secrets committed to repository."}, "fullDescription": {"text": "Add .env to .gitignore. 
Rotate all exposed credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED025", "name": "[MINED025] Php Eval: eval() executes arbitrary PHP. Code injection.", "shortDescription": {"text": "[MINED025] Php Eval: eval() executes arbitrary PHP. Code injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.", "shortDescription": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED015", "name": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. Code injection.", "shortDescription": {"text": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. Code injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_ENV_FILE", "name": ".env file committed to repository", "shortDescription": {"text": ".env file committed to repository"}, "fullDescription": {"text": "Remove .env from version control: git rm --cached .env. Add '.env' to .gitignore. Rotate all exposed credentials."}, "properties": {"scanner": "repobility-core", "category": "security", "severity": "critical", "confidence": null, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1299"}, "properties": {"repository": "apache/arrow", "repoUrl": "https://github.com/apache/arrow", "branch": "main"}, "results": [{"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `myst-parser[linkify]` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132191, "scanner": "repobility-supply-chain", "fingerprint": "d15cb51758534a28d3bb476c1232d39b5058d663943229d2b9a2735255744253", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d15cb51758534a28d3bb476c1232d39b5058d663943229d2b9a2735255744253"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/requirements.txt"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `linuxdoc` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132190, "scanner": "repobility-supply-chain", "fingerprint": "4e62caa9c8d34521a6221155fcf18a1cdd8b99cafed197f8c8dda842e584c986", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e62caa9c8d34521a6221155fcf18a1cdd8b99cafed197f8c8dda842e584c986"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/requirements.txt"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `ipython` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132189, "scanner": "repobility-supply-chain", "fingerprint": "1b939ce7a0507e251e2a5837b51d9cba268a11154006d36e1dd66f52c3774411", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1b939ce7a0507e251e2a5837b51d9cba268a11154006d36e1dd66f52c3774411"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/requirements.txt"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `cython>3.1.1` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132188, "scanner": "repobility-supply-chain", "fingerprint": "fe936781fb8d33f8787b3cce3bc38f52e7813f41f220c365b4cf96fb123a9bd6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fe936781fb8d33f8787b3cce3bc38f52e7813f41f220c365b4cf96fb123a9bd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/requirements.txt"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `breathe` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132187, "scanner": "repobility-supply-chain", "fingerprint": "b901d1ad39fd7bbe19bfea5ea22765390d11d67490977b170bc7fede37eab6bb", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b901d1ad39fd7bbe19bfea5ea22765390d11d67490977b170bc7fede37eab6bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/requirements.txt"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `scikit-build-core` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132186, "scanner": "repobility-supply-chain", "fingerprint": "75faaf51d773a3d2f2662f777ac8b378ce0301bacfd4e7f099df806a592099fc", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|75faaf51d773a3d2f2662f777ac8b378ce0301bacfd4e7f099df806a592099fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/requirements-build.txt"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `build` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132185, "scanner": "repobility-supply-chain", "fingerprint": "35ea0014600afa46fd131c38acc69576406c4df3a22e2c8b419bbc8268804a5d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|35ea0014600afa46fd131c38acc69576406c4df3a22e2c8b419bbc8268804a5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/requirements-build.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pytz` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132184, "scanner": "repobility-supply-chain", "fingerprint": "ca477470e55048079caffa1e942c93d48f458a14508e1f9fa6b4f8937353c43a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ca477470e55048079caffa1e942c93d48f458a14508e1f9fa6b4f8937353c43a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/requirements-test.txt"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pytest-xdist` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132183, "scanner": "repobility-supply-chain", "fingerprint": "c899229207a638411a5da0e84b1e03b46a642ea5391b6822f6e32e493ef7eef4", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c899229207a638411a5da0e84b1e03b46a642ea5391b6822f6e32e493ef7eef4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/requirements-test.txt"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pytest` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132182, "scanner": "repobility-supply-chain", "fingerprint": "aa79021e1e57454ebb5621496c002749b6a9e5b25f779db1f309ef05fe4ad76c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aa79021e1e57454ebb5621496c002749b6a9e5b25f779db1f309ef05fe4ad76c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/requirements-test.txt"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pandas` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132181, "scanner": "repobility-supply-chain", "fingerprint": "3ab6e913aa2773a19218298cbbcf5a22157be6292bf20cb591985bdb2cf7f8ea", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ab6e913aa2773a19218298cbbcf5a22157be6292bf20cb591985bdb2cf7f8ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/requirements-test.txt"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `packaging` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132180, "scanner": "repobility-supply-chain", "fingerprint": "44d5b6f86cb627a088ef3c3e3a5ab6bbe06556e4f90e31df1bbc28bf5651b240", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|44d5b6f86cb627a088ef3c3e3a5ab6bbe06556e4f90e31df1bbc28bf5651b240"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/requirements-test.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `hypothesis` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132179, "scanner": "repobility-supply-chain", "fingerprint": "edb107492867d3d6be48d1e3fc347c0cc3aa2ed252eec3bd476631451436832b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|edb107492867d3d6be48d1e3fc347c0cc3aa2ed252eec3bd476631451436832b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/requirements-test.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `cffi` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132178, "scanner": "repobility-supply-chain", "fingerprint": "f6a78b0014c1706a8b714cf146f288883d729de42655e69b53018c283235d7ce", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f6a78b0014c1706a8b714cf146f288883d729de42655e69b53018c283235d7ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/requirements-test.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pandas` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132177, "scanner": "repobility-supply-chain", "fingerprint": "2a8e336f691ed85503a8c609f02b476b7d55b1a4adf926be64ad1f12acb82f20", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2a8e336f691ed85503a8c609f02b476b7d55b1a4adf926be64ad1f12acb82f20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/requirements-wheel-test.txt"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pytz` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132176, "scanner": "repobility-supply-chain", "fingerprint": "ec8c10dbfc12f284128e292b797f9baae2cc2803d5f9e67b4bd4cca9d9aa770b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ec8c10dbfc12f284128e292b797f9baae2cc2803d5f9e67b4bd4cca9d9aa770b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/requirements-wheel-test.txt"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pytest` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132175, "scanner": "repobility-supply-chain", "fingerprint": "a9c5d73d8effcce0e629f91d7b683470602011caeb09cb0e1c350c3e05265ef5", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a9c5d73d8effcce0e629f91d7b683470602011caeb09cb0e1c350c3e05265ef5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/requirements-wheel-test.txt"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `packaging` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132174, "scanner": "repobility-supply-chain", "fingerprint": "330f68747aa1b8bd5b65c112d9f9eb85f28327109df8db8ede9112f5ad3ba4bb", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|330f68747aa1b8bd5b65c112d9f9eb85f28327109df8db8ede9112f5ad3ba4bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/requirements-wheel-test.txt"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `hypothesis` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132173, "scanner": "repobility-supply-chain", "fingerprint": "f4d3826fa9c9d0b9d4000864c8601b78f5e58bb462bfb4bf3a78cd773bec4206", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f4d3826fa9c9d0b9d4000864c8601b78f5e58bb462bfb4bf3a78cd773bec4206"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/requirements-wheel-test.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `cython` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132172, "scanner": "repobility-supply-chain", "fingerprint": "28c5b30f44c70b433def5c493eb7678df14de541826f7c07876564aa3197684c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|28c5b30f44c70b433def5c493eb7678df14de541826f7c07876564aa3197684c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/requirements-wheel-test.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `cffi` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132171, "scanner": "repobility-supply-chain", "fingerprint": "ebbb0f89351fa137831b12286231b52062ab701f9441ec648dc7b552a6068f39", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ebbb0f89351fa137831b12286231b52062ab701f9441ec648dc7b552a6068f39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/requirements-wheel-test.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `wheel` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132170, "scanner": "repobility-supply-chain", "fingerprint": "4e5776dfb8311f7b4aa29897b9aed1548d335f04835a2edef5b64c5a144b4a72", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e5776dfb8311f7b4aa29897b9aed1548d335f04835a2edef5b64c5a144b4a72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/requirements-wheel-build.txt"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `setuptools_scm` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132169, "scanner": "repobility-supply-chain", "fingerprint": "116872c195cef61827b65068ffb8b8ec5bfde7defcf95ad637f8815bf5566894", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|116872c195cef61827b65068ffb8b8ec5bfde7defcf95ad637f8815bf5566894"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/requirements-wheel-build.txt"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `scikit-build-core` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132168, "scanner": "repobility-supply-chain", "fingerprint": "b93a964dd22d3721dbee8529eaf1e5e4c6f77f4e2647490311cf76b96be0b559", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b93a964dd22d3721dbee8529eaf1e5e4c6f77f4e2647490311cf76b96be0b559"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/requirements-wheel-build.txt"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `build` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 132167, "scanner": "repobility-supply-chain", "fingerprint": "035a2109f1bff0e7a20ad4e621a2cfa7a17d18459f1f978a7790594629c13aff", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|035a2109f1bff0e7a20ad4e621a2cfa7a17d18459f1f978a7790594629c13aff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/requirements-wheel-build.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132148, "scanner": "repobility-ast-engine", "fingerprint": "0de66eb70dfd5bbf1c344bc55eb03245e9110ff65e85444b57dc4fa54c85690a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0de66eb70dfd5bbf1c344bc55eb03245e9110ff65e85444b57dc4fa54c85690a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/util/bpacking_simd_codegen.py"}, "region": {"startLine": 275}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132147, "scanner": "repobility-ast-engine", "fingerprint": "1e14ef257259b7fb19115f1effecd4462556b8c9960181a92b51a6658ca40c59", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1e14ef257259b7fb19115f1effecd4462556b8c9960181a92b51a6658ca40c59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/acero/hash_join_graphs.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132146, "scanner": "repobility-ast-engine", "fingerprint": "8c9fbfd9dbf6e19b9bac8cd212b80c3e5798caed4f43e25cb0d0bf398f40cba0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8c9fbfd9dbf6e19b9bac8cd212b80c3e5798caed4f43e25cb0d0bf398f40cba0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/acero/hash_join_graphs.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132145, "scanner": "repobility-ast-engine", "fingerprint": "14ab7fafeb8eda0b6474e0b12f15cc841de6c8cc1b8bc7fa167209f5f8912d0a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|14ab7fafeb8eda0b6474e0b12f15cc841de6c8cc1b8bc7fa167209f5f8912d0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/build-support/asan_symbolize.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132144, "scanner": "repobility-ast-engine", "fingerprint": "022383bf1ebebb54456395b8d23bda9030ceda927d7bdcc52485febc1fef8798", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|022383bf1ebebb54456395b8d23bda9030ceda927d7bdcc52485febc1fef8798"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/build-support/asan_symbolize.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `get_flight` (dict): `def get_flight(... 
= []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 132143, "scanner": "repobility-ast-engine", "fingerprint": "20fdae2aadc0b3ab0c9a0866e782111e2968cc44fd63ba77ccdd865291417fcf", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|20fdae2aadc0b3ab0c9a0866e782111e2968cc44fd63ba77ccdd865291417fcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/examples/flight/client.py"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `push_data` (dict): `def push_data(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. 
Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 132142, "scanner": "repobility-ast-engine", "fingerprint": "0b447607b9c3bcc756bf33f36429936a23b6f8ba080f2d57352159fb751986cd", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0b447607b9c3bcc756bf33f36429936a23b6f8ba080f2d57352159fb751986cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/examples/flight/client.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `do_action` (dict): `def do_action(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 132141, "scanner": "repobility-ast-engine", "fingerprint": "8f65e86f856d19a339537991e7bce3c31f605677a54d31b5b1fc04f83431f0f8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8f65e86f856d19a339537991e7bce3c31f605677a54d31b5b1fc04f83431f0f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/examples/flight/client.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `list_flights` (dict): `def list_flights(... 
= []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 132140, "scanner": "repobility-ast-engine", "fingerprint": "3d8a0c9cdb189295afc33e682ffa6b06b736e3727d861f13fe32195d745f56de", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3d8a0c9cdb189295afc33e682ffa6b06b736e3727d861f13fe32195d745f56de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/examples/flight/client.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132138, "scanner": "repobility-ast-engine", "fingerprint": "8ebee79456517edebd50c12da1c5a066bdfd6f7aed26c130e3172a5520b54465", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8ebee79456517edebd50c12da1c5a066bdfd6f7aed26c130e3172a5520b54465"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/tests/parquet/test_parquet_writer.py"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132137, "scanner": "repobility-ast-engine", "fingerprint": "d6ba34b619c2a7a37a0fa920e951f2b6bc75b4f4854fbfce830343f633f0241d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d6ba34b619c2a7a37a0fa920e951f2b6bc75b4f4854fbfce830343f633f0241d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/tests/parquet/test_basic.py"}, "region": {"startLine": 785}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132128, "scanner": "repobility-ast-engine", "fingerprint": "0ee333bd7ef6900f194fa721281fdfc5d9579608e05e8271d9791f98500d32d7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0ee333bd7ef6900f194fa721281fdfc5d9579608e05e8271d9791f98500d32d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/tests/test_csv.py"}, "region": {"startLine": 2117}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132123, "scanner": "repobility-ast-engine", "fingerprint": "2a19bbf8c895300db7e3e37fde65f7536457e3d662b0f05d486573b698c2817d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2a19bbf8c895300db7e3e37fde65f7536457e3d662b0f05d486573b698c2817d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/tests/conftest.py"}, "region": {"startLine": 187}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132119, "scanner": "repobility-ast-engine", "fingerprint": "768d4ac9a798de8858e5081f44cfce9a55527d86b545e0b427c81a9206a594e8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|768d4ac9a798de8858e5081f44cfce9a55527d86b545e0b427c81a9206a594e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/pandas_compat.py"}, "region": {"startLine": 284}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132099, "scanner": "repobility-ast-engine", "fingerprint": "0fbc877aa1d80eb038347890d2df0fa632998b2541bd4d50cc3ad27d21ae5410", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0fbc877aa1d80eb038347890d2df0fa632998b2541bd4d50cc3ad27d21ae5410"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/lang/python.py"}, "region": {"startLine": 180}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132098, "scanner": "repobility-ast-engine", "fingerprint": "19449feb117eb349e373f62dfc6e2012d498a5929b6e15de06ce53e792d3dc72", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|19449feb117eb349e373f62dfc6e2012d498a5929b6e15de06ce53e792d3dc72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/docker/core.py"}, "region": {"startLine": 278}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132097, "scanner": "repobility-ast-engine", "fingerprint": "d1d6f93a191b4c099ebbdd200157a8c7baaaf0460ebe2217d45010d4f40d34a9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d1d6f93a191b4c099ebbdd200157a8c7baaaf0460ebe2217d45010d4f40d34a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/docker/core.py"}, "region": {"startLine": 245}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132096, "scanner": "repobility-ast-engine", "fingerprint": "7abf9c6c7e2928b66d1ac18d116f2410d1daf739b2db73356b2ea5c5371fe359", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7abf9c6c7e2928b66d1ac18d116f2410d1daf739b2db73356b2ea5c5371fe359"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/integration/runner.py"}, "region": {"startLine": 574}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132095, "scanner": "repobility-ast-engine", "fingerprint": "d5bba0833adee67d32f937b566c198ef644c6736115637fcc11e88c1aa412bc9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d5bba0833adee67d32f937b566c198ef644c6736115637fcc11e88c1aa412bc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/integration/runner.py"}, "region": {"startLine": 524}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132094, "scanner": "repobility-ast-engine", "fingerprint": "caa2a90f965c2057d0cc014fc7241e2683e2af2e7ffe5f9a3fc7fca3702399bc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|caa2a90f965c2057d0cc014fc7241e2683e2af2e7ffe5f9a3fc7fca3702399bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/integration/runner.py"}, "region": {"startLine": 450}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132093, "scanner": "repobility-ast-engine", "fingerprint": "e0b0b40ef0a53437dd60cbf97f29fa8168edf2f9678b17d62f344bd134a802d9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e0b0b40ef0a53437dd60cbf97f29fa8168edf2f9678b17d62f344bd134a802d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/integration/runner.py"}, "region": {"startLine": 320}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132089, "scanner": "repobility-ast-engine", "fingerprint": "4f9a0ab23354a8aa71c73c749f7815477a97da30f9e35f7c67717bdedd2036e9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4f9a0ab23354a8aa71c73c749f7815477a97da30f9e35f7c67717bdedd2036e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/utils/lint.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 132085, "scanner": "repobility-ast-engine", "fingerprint": "f431addce758b6b851a9ee21c2ad74b562eb999eb26b0223f5ca52c641967fa7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f431addce758b6b851a9ee21c2ad74b562eb999eb26b0223f5ca52c641967fa7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/merge_arrow_pr.py"}, "region": {"startLine": 135}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `impala` image uses the latest tag"}, "properties": {"repobilityId": 132025, "scanner": "repobility-docker", "fingerprint": 
"a1f42ab6d329cbac63850094094c9a380a6fb36014e2047358b0cb3fcbdf39d9", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ibisproject/impala:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a1f42ab6d329cbac63850094094c9a380a6fb36014e2047358b0cb3fcbdf39d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1891}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 132024, "scanner": "repobility-docker", "fingerprint": "e239d596ddf2c8d34b4004c115068928be0c085ec7fa977945fa587c2af6dfd7", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|e239d596ddf2c8d34b4004c115068928be0c085ec7fa977945fa587c2af6dfd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1883}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `postgres` image has no explicit tag"}, "properties": {"repobilityId": 132020, "scanner": "repobility-docker", "fingerprint": "314751866bb06e8bbc5a158b067ce3b8c28822250bb129370121bcdcc79e5e44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", 
"evidence": {"image": "postgres", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|314751866bb06e8bbc5a158b067ce3b8c28822250bb129370121bcdcc79e5e44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1883}}}]}, {"ruleId": "DKC005", "level": "warning", "message": {"text": "Compose service adds dangerous Linux capabilities"}, "properties": {"repobilityId": 131883, "scanner": "repobility-docker", "fingerprint": "af3be5cf693b0cdca96659835af847b5012eb3aaa89288e717928c6d487d7710", "category": "docker", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "cap_add includes broad or sensitive Linux capabilities.", "evidence": {"rule_id": "DKC005", "scanner": "repobility-docker", "service": "ubuntu-cpp-sanitizer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "capabilities": ["SYS_PTRACE"], "correlation_key": "fp|af3be5cf693b0cdca96659835af847b5012eb3aaa89288e717928c6d487d7710"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 621}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131842, "scanner": "repobility-docker", "fingerprint": "bdd22867332aa954a88e4584a4f48e066f140e5303752a44f2cd19eeaba84486", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:24.04", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bdd22867332aa954a88e4584a4f48e066f140e5303752a44f2cd19eeaba84486"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/examples/minimal_build/Dockerfile.ubuntu"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131841, "scanner": "repobility-docker", "fingerprint": "dcae5107c8e2c4f09cd4c57763dbe9ef62df268607fec7d5a5594eebe3229bcb", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "fedora:42", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|dcae5107c8e2c4f09cd4c57763dbe9ef62df268607fec7d5a5594eebe3229bcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/examples/minimal_build/Dockerfile.fedora"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131840, "scanner": "repobility-docker", "fingerprint": "a7d7a7d0df8212de6356c36650000e9db58bd14f9e95d0fe0abea8d391eb1859", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": 
"quay.io/centos/centos:stream9", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a7d7a7d0df8212de6356c36650000e9db58bd14f9e95d0fe0abea8d391eb1859"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-release/yum/centos-9-stream/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131839, "scanner": "repobility-docker", "fingerprint": "72313e3b0dda8ee6f34a8622ac0695bffee1d44e3ffbda41c60ccac691fb4bc2", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "amazonlinux:2023", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|72313e3b0dda8ee6f34a8622ac0695bffee1d44e3ffbda41c60ccac691fb4bc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-release/yum/amazon-linux-2023/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131838, "scanner": "repobility-docker", "fingerprint": "aecbfb74b5f5437294d86cc6d7c36794a932d4bb1880ae752f3d41559398c6b6", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the 
final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "almalinux:9", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|aecbfb74b5f5437294d86cc6d7c36794a932d4bb1880ae752f3d41559398c6b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-release/yum/almalinux-9/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131837, "scanner": "repobility-docker", "fingerprint": "fb4b3e244f5737251da120bedaac38304d74d8fb53de0995fc8f36b0c729201b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "almalinux:8", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|fb4b3e244f5737251da120bedaac38304d74d8fb53de0995fc8f36b0c729201b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-release/yum/almalinux-8/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131836, "scanner": "repobility-docker", "fingerprint": "cad2c08dd966e85a97b70eedeef5149281a36408cac27574d7d21b7190953fb8", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": 
"likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "almalinux:10", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|cad2c08dd966e85a97b70eedeef5149281a36408cac27574d7d21b7190953fb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-release/yum/almalinux-10/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131835, "scanner": "repobility-docker", "fingerprint": "dd137cb2735c22a95602cce5977298e4de741b5a48afe66163f16e49b8ca9ca2", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:resolute", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|dd137cb2735c22a95602cce5977298e4de741b5a48afe66163f16e49b8ca9ca2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-apt-source/apt/ubuntu-resolute/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131833, "scanner": "repobility-docker", "fingerprint": "2023101279c6fac504c55eb807821ec223fcc34f0b2eaf4652d76328d70f2210", "category": 
"docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:noble", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2023101279c6fac504c55eb807821ec223fcc34f0b2eaf4652d76328d70f2210"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-apt-source/apt/ubuntu-noble/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131831, "scanner": "repobility-docker", "fingerprint": "9d36ef13713ac419ba0c2bcc4c1f7531bd66aeb84e8708592cad18cbc52f933b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:jammy", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9d36ef13713ac419ba0c2bcc4c1f7531bd66aeb84e8708592cad18cbc52f933b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-apt-source/apt/ubuntu-jammy/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131829, "scanner": "repobility-docker", "fingerprint": 
"8b66dff0c03fb972fe61df45878437ed77005905548c28de6daf776b903c9ae4", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:trixie", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8b66dff0c03fb972fe61df45878437ed77005905548c28de6daf776b903c9ae4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-trixie/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131826, "scanner": "repobility-docker", "fingerprint": "81957d14db5dc6091caa48865cd96b4928093dd36f6deba2d3a015d3a9a7a729", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:forky", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|81957d14db5dc6091caa48865cd96b4928093dd36f6deba2d3a015d3a9a7a729"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-forky/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, 
"properties": {"repobilityId": 131823, "scanner": "repobility-docker", "fingerprint": "2c0da3c3359ac99b15e305505091ffdb73c3ac20c5394d0461e0587641df0863", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:bookworm", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2c0da3c3359ac99b15e305505091ffdb73c3ac20c5394d0461e0587641df0863"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-bookworm/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131820, "scanner": "repobility-docker", "fingerprint": "0e8a0e2f27c5bf8f44cabd0039dc3703ee664e91715ccdc6ebc68621fdf1704b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${FROM}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0e8a0e2f27c5bf8f44cabd0039dc3703ee664e91715ccdc6ebc68621fdf1704b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/yum/centos-9-stream/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR001", "level": 
"warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131818, "scanner": "repobility-docker", "fingerprint": "8eb6118ed0c3e1e5d5983c7656f657eec4abdbd8aec3d5bb66fe451f549abc5f", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${FROM}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8eb6118ed0c3e1e5d5983c7656f657eec4abdbd8aec3d5bb66fe451f549abc5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/yum/amazon-linux-2023/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131816, "scanner": "repobility-docker", "fingerprint": "07daf4a48099ff78d06aab9d112c5634bc004890f45d5d7ddd02ea05e6d3e11b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${FROM}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|07daf4a48099ff78d06aab9d112c5634bc004890f45d5d7ddd02ea05e6d3e11b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/yum/almalinux-9/Dockerfile"}, "region": 
{"startLine": 19}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131814, "scanner": "repobility-docker", "fingerprint": "75e41a29dca3ac6ec25b37ea378f5c167d0b4ee2a5332bdb497f29bbc54d5425", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${FROM}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|75e41a29dca3ac6ec25b37ea378f5c167d0b4ee2a5332bdb497f29bbc54d5425"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/yum/almalinux-8/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131812, "scanner": "repobility-docker", "fingerprint": "2e548a70c13e5ad4e9b0cd584d772837c4a0663efd8d68097dfbe8831691d990", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${FROM}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2e548a70c13e5ad4e9b0cd584d772837c4a0663efd8d68097dfbe8831691d990"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"dev/tasks/linux-packages/apache-arrow/yum/almalinux-10/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131810, "scanner": "repobility-docker", "fingerprint": "d2f28e8d84536e6da8406a029ce3ceb035e553dd283911929316d9c1fb055c46", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${FROM}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d2f28e8d84536e6da8406a029ce3ceb035e553dd283911929316d9c1fb055c46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/apt/ubuntu-resolute/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131807, "scanner": "repobility-docker", "fingerprint": "739931b3d51f3072812c960c0e63f67ba3a1193594badc607e96a2739c79e693", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${FROM}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|739931b3d51f3072812c960c0e63f67ba3a1193594badc607e96a2739c79e693"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/apt/ubuntu-noble/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131804, "scanner": "repobility-docker", "fingerprint": "79e0b51cf944d62c7d3e4e3650398dc72b69c622393038062dc8fb0da39eedfa", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${FROM}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|79e0b51cf944d62c7d3e4e3650398dc72b69c622393038062dc8fb0da39eedfa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/apt/ubuntu-jammy/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131801, "scanner": "repobility-docker", "fingerprint": "1bcedd8887d8311d53a257f5377a4fdfe3f0760f9fb596af2adb42f1357558b2", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${FROM}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|1bcedd8887d8311d53a257f5377a4fdfe3f0760f9fb596af2adb42f1357558b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/apt/debian-trixie/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131797, "scanner": "repobility-docker", "fingerprint": "3d297345bfd0ede1e999b6365c83392c2022b6804ec3a0ff45205a612f69c38c", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${FROM}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3d297345bfd0ede1e999b6365c83392c2022b6804ec3a0ff45205a612f69c38c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/apt/debian-forky/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131793, "scanner": "repobility-docker", "fingerprint": "f8592ca60c1c55b323e8db2de90e96da77f34d3d49d57b76fc2970488cc49145", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${FROM}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", 
"https://github.com/hadolint/hadolint"], "correlation_key": "fp|f8592ca60c1c55b323e8db2de90e96da77f34d3d49d57b76fc2970488cc49145"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/apt/debian-bookworm/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 131788, "scanner": "repobility-docker", "fingerprint": "e463948de7a90bde7e32adc52b5cb50ee596add1fb60c264c1cfe0e1ab133130", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:bookworm", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e463948de7a90bde7e32adc52b5cb50ee596add1fb60c264c1cfe0e1ab133130"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/release/binary/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC115", "level": "warning", "message": {"text": "[SEC115] Decompression without size cap (zip/gzip bomb): Decompressing untrusted archives without a size or ratio cap \u2192 memory/disk exhaustion DoS (10kb \u2192 4GB classic 'zip bomb')."}, "properties": {"repobilityId": 131763, "scanner": "repobility-threat-engine", "fingerprint": "9feea695093f73f3e151a453b895365193c99cc39f1142d2943cd609db266761", "category": "resource_exhaustion", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "tarfile.open(tzdata_compressed_path).extractall(", 
"reason": "Pattern matched with no mitigating context found", "rule_id": "SEC115", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9feea695093f73f3e151a453b895365193c99cc39f1142d2943cd609db266761"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/util.py"}, "region": {"startLine": 293}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 131762, "scanner": "repobility-threat-engine", "fingerprint": "6d64434b1828e067036a464e3cfa9a8a32f5944a5552e9953dd7e881e1f9e790", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|python/pyarrow/util.py|293|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/util.py"}, "region": {"startLine": 293}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. 
Production callers hitting these stubs is a classic AI-generated incident."}, "properties": {"repobilityId": 131747, "scanner": "repobility-threat-engine", "fingerprint": "9ca83163d0d3edd4072ff46f88268dda12209523378bf65356fcb67e83ac5d31", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def flight_request(self, port, json_path=None, scenario_name=None):\n        raise NotImplementedErro", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9ca83163d0d3edd4072ff46f88268dda12209523378bf65356fcb67e83ac5d31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/integration/tester.py"}, "region": {"startLine": 270}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, and framework internals \u2014 and sometimes enables RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 131735, "scanner": "repobility-threat-engine", "fingerprint": "6fca548217a2c2ef28e9cfcd4b613adcfcde263c191d16327d583f5350158734", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "debug = true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6fca548217a2c2ef28e9cfcd4b613adcfcde263c191d16327d583f5350158734"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/tools/parquet/parquet_dump_footer.cc"}, "region": {"startLine": 
120}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 131730, "scanner": "repobility-threat-engine", "fingerprint": "0ff601b11a70c20617901c164d5dc09991abc9312cb876ca65f2642cf3bd2e07", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"foo bar\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0ff601b11a70c20617901c164d5dc09991abc9312cb876ca65f2642cf3bd2e07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/telemetry/telemetry_test.cc"}, "region": {"startLine": 104}}}]}, {"ruleId": "SEC003", "level": "warning", "message": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "properties": {"repobilityId": 131724, "scanner": "repobility-threat-engine", "fingerprint": "065c0dca9ed93e23a8f44b10f848972d902d4d8d085f95b886b717e7b7ec788f", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.7 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: test/fixture path]", "evidence": {"match": "SecretKey = \"miniopass\"", "reason": "Low entropy value (2.7 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: 
test/fixture path]", "rule_id": "SEC003", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|4|secretkey miniopass"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/filesystem/s3_test_util.cc"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 131722, "scanner": "repobility-threat-engine", "fingerprint": "d0707711fad24d684cbe4f2e0760ac8975cf305b67c653ef94295744d4517ca3", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "Exec(input", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|130|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/compute/kernels/scalar_cast_internal.cc"}, "region": {"startLine": 130}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `print_unpack_k` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: and=1, else=4, for=2, if=5, nested_bonus=4."}, "properties": {"repobilityId": 131717, "scanner": "repobility-threat-engine", "fingerprint": "7a1b9f4e7152b4ed0f16a76d4b64abc3a5be9b729c0b0155946e79920a07091c", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 16 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "print_unpack_k", "breakdown": {"if": 5, "and": 1, "for": 2, "else": 4, "nested_bonus": 4}, "complexity": 16, "correlation_key": "fp|7a1b9f4e7152b4ed0f16a76d4b64abc3a5be9b729c0b0155946e79920a07091c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/util/bpacking_scalar_codegen.py"}, "region": {"startLine": 125}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `organize_tests` has cognitive complexity 18 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=1, for=2, if=6, nested_bonus=9."}, "properties": {"repobilityId": 131716, "scanner": "repobility-threat-engine", "fingerprint": "44ac23b8db672d6128b8beb4d0f131c5230b16aec445cef31887fbdcb3719791", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 18 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "organize_tests", "breakdown": {"if": 6, "for": 2, "else": 1, "nested_bonus": 9}, "complexity": 18, "correlation_key": "fp|44ac23b8db672d6128b8beb4d0f131c5230b16aec445cef31887fbdcb3719791"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/acero/hash_join_graphs.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 131682, "scanner": "repobility-threat-engine", "fingerprint": "673f0a72100a58feeba1d8fa1c8147e20d0bea6ff2121b2bf2993afa1e952aad", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "(exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|94|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/compute/function_benchmark.cc"}, "region": {"startLine": 94}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 131681, "scanner": "repobility-threat-engine", "fingerprint": "83fb882e0e2292ac4f1c4a20b1acd95f11dc8cad16aefae077e8bfc20cf60af7", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|65|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/acero/partition_util.h"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 131680, "scanner": "repobility-threat-engine", "fingerprint": "22d37914a0466498b456972099c01dd2f9ee0d5a0bc6f606f31c401945907d0c", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. 
token|37|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dev_pr/helpers.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132057, "scanner": "repobility-docker", "fingerprint": "a59363d44a8dc9f0fac8d5ec11c500fc706e44ec422e7392e82dd8308937e94d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "minimal-ubuntu-venv", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a59363d44a8dc9f0fac8d5ec11c500fc706e44ec422e7392e82dd8308937e94d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/examples/minimal_build/compose.yaml"}, "region": {"startLine": 46}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132056, "scanner": "repobility-docker", "fingerprint": "2804e29b49e5c0b6ab8d46127e80e16dce066956b98851cfc93e2f596947e5a6", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "minimal-ubuntu-venv", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2804e29b49e5c0b6ab8d46127e80e16dce066956b98851cfc93e2f596947e5a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/examples/minimal_build/compose.yaml"}, "region": {"startLine": 46}}}]}, 
{"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132055, "scanner": "repobility-docker", "fingerprint": "cec056e7b607691af4491f63f2d9fd584d3f5c7378e5bcd503775d5f2268c9fe", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "minimal-ubuntu-conda", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cec056e7b607691af4491f63f2d9fd584d3f5c7378e5bcd503775d5f2268c9fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/examples/minimal_build/compose.yaml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132054, "scanner": "repobility-docker", "fingerprint": "378daa74ba4bc3beb4a34a01af2be79e03240304c7a0b862f6c32250edfb2ab5", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "minimal-ubuntu-conda", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|378daa74ba4bc3beb4a34a01af2be79e03240304c7a0b862f6c32250edfb2ab5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/examples/minimal_build/compose.yaml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132053, 
"scanner": "repobility-docker", "fingerprint": "384f6d12b9981ea0be2c978a9575e61eb4e9e038e0927e34e837bacad4bd319c", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "minimal-fedora-venv", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|384f6d12b9981ea0be2c978a9575e61eb4e9e038e0927e34e837bacad4bd319c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/examples/minimal_build/compose.yaml"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132052, "scanner": "repobility-docker", "fingerprint": "1693411b83e6e0ccfc4b1db5645bbebed8df3700c3477c996275a84f77c000d8", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "minimal-fedora-venv", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1693411b83e6e0ccfc4b1db5645bbebed8df3700c3477c996275a84f77c000d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/examples/minimal_build/compose.yaml"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132051, "scanner": "repobility-docker", "fingerprint": "10e6967b2ac05d49610906b74fac5cdd5bb15d2aa8740458b5a25b3de20d38f5", "category": "docker", "severity": "low", 
"confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "minimal-fedora-conda", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|10e6967b2ac05d49610906b74fac5cdd5bb15d2aa8740458b5a25b3de20d38f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/examples/minimal_build/compose.yaml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132050, "scanner": "repobility-docker", "fingerprint": "8184bcfdf25908a90fbaee73164d4c174c8892d124898296f51833927f2eceea", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "minimal-fedora-conda", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8184bcfdf25908a90fbaee73164d4c174c8892d124898296f51833927f2eceea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/examples/minimal_build/compose.yaml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132049, "scanner": "repobility-docker", "fingerprint": "2ff53fb510e760f8a8e15b2fd146fb44b0aa5adb02937fae8bea2cdc5eebc016", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges 
setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "tutorial", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2ff53fb510e760f8a8e15b2fd146fb44b0aa5adb02937fae8bea2cdc5eebc016"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/examples/tutorial_examples/compose.yaml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132048, "scanner": "repobility-docker", "fingerprint": "384e6d2c7d17a3ffc5cb1e78de8da4c90e1f3bf3bcf8600b2318e3679482a911", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "tutorial", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|384e6d2c7d17a3ffc5cb1e78de8da4c90e1f3bf3bcf8600b2318e3679482a911"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/examples/tutorial_examples/compose.yaml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132047, "scanner": "repobility-docker", "fingerprint": "c9c063f75c6874aa8ccb98671cc2e9d0f9078d43318ac6c1e3014d43ba891382", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "static-system-dependency", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c9c063f75c6874aa8ccb98671cc2e9d0f9078d43318ac6c1e3014d43ba891382"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/examples/minimal_build/compose.yaml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132046, "scanner": "repobility-docker", "fingerprint": "9a280913f24cde75cb304e9e07925a31e826bcbe0d3ec5b4da273e9d5474f2ae", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "static-system-dependency", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9a280913f24cde75cb304e9e07925a31e826bcbe0d3ec5b4da273e9d5474f2ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/examples/minimal_build/compose.yaml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132045, "scanner": "repobility-docker", "fingerprint": "5f31ef4e73319055fe9dc9fceac9636cf774895f8f48b4e4acb50421c3c94ebf", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "static", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|5f31ef4e73319055fe9dc9fceac9636cf774895f8f48b4e4acb50421c3c94ebf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/examples/minimal_build/compose.yaml"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132044, "scanner": "repobility-docker", "fingerprint": "8b1880187f74102b34e9accc962b5714ea5c4aae4a5d17e338aacfd1e335ca28", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "static", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8b1880187f74102b34e9accc962b5714ea5c4aae4a5d17e338aacfd1e335ca28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/examples/minimal_build/compose.yaml"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132043, "scanner": "repobility-docker", "fingerprint": "8bcdb284629c35c0ffc2c2205b592d8a849e610c088c1c64ab4b7e728ff6cf63", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "minimal", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8bcdb284629c35c0ffc2c2205b592d8a849e610c088c1c64ab4b7e728ff6cf63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/examples/minimal_build/compose.yaml"}, "region": 
{"startLine": 20}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132042, "scanner": "repobility-docker", "fingerprint": "f86956d54eb30d71ea948f5cf1165540d5d8d48a1e462068dd59c085c692038d", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "minimal", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f86956d54eb30d71ea948f5cf1165540d5d8d48a1e462068dd59c085c692038d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/examples/minimal_build/compose.yaml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132041, "scanner": "repobility-docker", "fingerprint": "8d1c4603eddb1e68c4dda4ad3fc898b415d0cee9152bdd9c8ecfcbda5de4ec48", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ubuntu-verify-rc", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8d1c4603eddb1e68c4dda4ad3fc898b415d0cee9152bdd9c8ecfcbda5de4ec48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 2036}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132040, "scanner": "repobility-docker", 
"fingerprint": "0e3bfe05e908d1bbade72f68710bb9154d11f0740d2710d41a13255710952f7f", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ubuntu-verify-rc", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0e3bfe05e908d1bbade72f68710bb9154d11f0740d2710d41a13255710952f7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 2036}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132038, "scanner": "repobility-docker", "fingerprint": "b8b5802b795945cd93076cb0de7d8bb5dbe0c38f6b1e764031cf5a546f5daa08", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "almalinux-verify-rc", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b8b5802b795945cd93076cb0de7d8bb5dbe0c38f6b1e764031cf5a546f5daa08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 2007}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132037, "scanner": "repobility-docker", "fingerprint": "b174d2fd3d7e425bec82dae143dff2bc760e91573b9fd5802222bbc4c377fcc5", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, 
"reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "almalinux-verify-rc", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b174d2fd3d7e425bec82dae143dff2bc760e91573b9fd5802222bbc4c377fcc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 2007}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132034, "scanner": "repobility-docker", "fingerprint": "ea55ee0818eafe425ac638c2b0c0f0885ba0bb46cd311cd32a2a26b160bbfb36", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "conda-python-spark", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ea55ee0818eafe425ac638c2b0c0f0885ba0bb46cd311cd32a2a26b160bbfb36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1956}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132033, "scanner": "repobility-docker", "fingerprint": "5b9b00fbe49ce2694d10978b4b945e327f3948399b507c17c389031aff03bd68", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "conda-python-spark", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5b9b00fbe49ce2694d10978b4b945e327f3948399b507c17c389031aff03bd68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1956}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132031, "scanner": "repobility-docker", "fingerprint": "cd86b43280a3191a42412ac87231987553bff6e113806a6c60575c77a99bf970", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "conda-python-hdfs", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cd86b43280a3191a42412ac87231987553bff6e113806a6c60575c77a99bf970"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1915}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132030, "scanner": "repobility-docker", "fingerprint": "ea5351b3e64ea93b4f4de0d11763618875ab0e0438230420d53cade7dcb04a0f", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "conda-python-hdfs", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ea5351b3e64ea93b4f4de0d11763618875ab0e0438230420d53cade7dcb04a0f"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1915}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132028, "scanner": "repobility-docker", "fingerprint": "3e395a3e78a925f28a39489673e143e3a7cbcca8f20b8c8f10ac16659921e75e", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "impala", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3e395a3e78a925f28a39489673e143e3a7cbcca8f20b8c8f10ac16659921e75e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1891}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132026, "scanner": "repobility-docker", "fingerprint": "5ddf6ca7f3c214561486ba55511f2fb46408b812a30b1721e39836055fb5d2e0", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "impala", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5ddf6ca7f3c214561486ba55511f2fb46408b812a30b1721e39836055fb5d2e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1891}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132019, "scanner": 
"repobility-docker", "fingerprint": "fecf1429c4f2ac2dbefb335976b87a0e25c600f6dc25b72dafeb2dfdbc43614e", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "debian-docs", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fecf1429c4f2ac2dbefb335976b87a0e25c600f6dc25b72dafeb2dfdbc43614e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1839}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132018, "scanner": "repobility-docker", "fingerprint": "3aa8e1bb4ee4046fac9c1b691e38431c45bee25c39e4e6bf5c3e105ad4e6d3ae", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "debian-docs", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3aa8e1bb4ee4046fac9c1b691e38431c45bee25c39e4e6bf5c3e105ad4e6d3ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1839}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132015, "scanner": "repobility-docker", "fingerprint": "46aac6eb7d37c73e09305f852e2d1a2e8245de76c5ed2ec05e442baa27ceccc3", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": 
false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "conda-integration", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|46aac6eb7d37c73e09305f852e2d1a2e8245de76c5ed2ec05e442baa27ceccc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1804}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132014, "scanner": "repobility-docker", "fingerprint": "c127f6af1fefa4b7a81a040439d2b1fbd257d71b994712929cae97860dd34649", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "conda-integration", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c127f6af1fefa4b7a81a040439d2b1fbd257d71b994712929cae97860dd34649"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1804}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132012, "scanner": "repobility-docker", "fingerprint": "982a2cece51f6ac48ddda0e2dfa53c8a3a18d9c14cb7dbce21ee0cebd598730f", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "fedora-r-clang", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|982a2cece51f6ac48ddda0e2dfa53c8a3a18d9c14cb7dbce21ee0cebd598730f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1771}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132011, "scanner": "repobility-docker", "fingerprint": "29244a0a9e60d8835f5282c1a0fd72266d55ab72891e8646c86698dca9a684d8", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "fedora-r-clang", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|29244a0a9e60d8835f5282c1a0fd72266d55ab72891e8646c86698dca9a684d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1771}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132009, "scanner": "repobility-docker", "fingerprint": "656bb289e8f051ad2529c35dc9b876371f0b20a60f7d48420ff79eaa1a67c003", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "alpine-linux-r", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|656bb289e8f051ad2529c35dc9b876371f0b20a60f7d48420ff79eaa1a67c003"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1740}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132008, "scanner": "repobility-docker", "fingerprint": "4ce94ea1044de80001d9b5f4e7e39526f025311c06f8a292ac260f6f87d5a479", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "alpine-linux-r", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4ce94ea1044de80001d9b5f4e7e39526f025311c06f8a292ac260f6f87d5a479"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1740}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132006, "scanner": "repobility-docker", "fingerprint": "c2745530517b522095a4e51b70ccfe7e924067e4b68e9b108b912ee8e40fb89c", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "r-revdepcheck", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c2745530517b522095a4e51b70ccfe7e924067e4b68e9b108b912ee8e40fb89c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1716}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 
132005, "scanner": "repobility-docker", "fingerprint": "e1b3f910a59b2deba65a466ec2b1fb4afcdfcf02bcf66e760b49ea9f697431c8", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "r-revdepcheck", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e1b3f910a59b2deba65a466ec2b1fb4afcdfcf02bcf66e760b49ea9f697431c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1716}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132003, "scanner": "repobility-docker", "fingerprint": "2c1858ae16affec0a3434aa5eaad57f7a658a94b5641a6571cbc13e9895d1861", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ubuntu-r-valgrind", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2c1858ae16affec0a3434aa5eaad57f7a658a94b5641a6571cbc13e9895d1861"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1687}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 132002, "scanner": "repobility-docker", "fingerprint": "ea05208b259160e77b7ea552a80c5a605e8b193419e35f8f855af4e221b83fd9", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": 
"needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ubuntu-r-valgrind", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ea05208b259160e77b7ea552a80c5a605e8b193419e35f8f855af4e221b83fd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1687}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 132000, "scanner": "repobility-docker", "fingerprint": "c9bd066968ade2014e4174525a61835aeb57934e2b286160d058f475b95b7ec9", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "r-san", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c9bd066968ade2014e4174525a61835aeb57934e2b286160d058f475b95b7ec9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1658}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131999, "scanner": "repobility-docker", "fingerprint": "24ea0b1562d9aba4292e29a95e9e88c6c1ebde62d978813ff15758b83c797555", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "r-san", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|24ea0b1562d9aba4292e29a95e9e88c6c1ebde62d978813ff15758b83c797555"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1658}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131997, "scanner": "repobility-docker", "fingerprint": "e271a9eeb1a71055bcbadd96eff5b3e88f62c978ea48f41242407b44da413a33", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "r", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e271a9eeb1a71055bcbadd96eff5b3e88f62c978ea48f41242407b44da413a33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1625}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131996, "scanner": "repobility-docker", "fingerprint": "f5bee3848e0864377ac5f972cbec8532a6d285091ea988c7f748ecbd8bc62135", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "r", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f5bee3848e0864377ac5f972cbec8532a6d285091ea988c7f748ecbd8bc62135"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"compose.yaml"}, "region": {"startLine": 1625}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131994, "scanner": "repobility-docker", "fingerprint": "dc42c64244005c67e63539bf272d9eae706dac87e5abdaac3121c171dd745715", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ubuntu-r", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|dc42c64244005c67e63539bf272d9eae706dac87e5abdaac3121c171dd745715"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1577}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131993, "scanner": "repobility-docker", "fingerprint": "25b692cec9f7e7b8588768fbdab51a3c5c3716e15cc615e2fc2c02a7af6e418b", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ubuntu-r", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|25b692cec9f7e7b8588768fbdab51a3c5c3716e15cc615e2fc2c02a7af6e418b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1577}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131991, "scanner": "repobility-docker", 
"fingerprint": "f5e48f0474a3ed593141cbe19761821fdc1c4514ff20c96a4df1e4dc2a5821a6", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "conda-python-cpython-debug", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f5e48f0474a3ed593141cbe19761821fdc1c4514ff20c96a4df1e4dc2a5821a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1551}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131990, "scanner": "repobility-docker", "fingerprint": "b3a4aaa14c352f197caba489f131fab05cd7cf83ea24d03d3a3980b9da54cb26", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "conda-python-cpython-debug", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b3a4aaa14c352f197caba489f131fab05cd7cf83ea24d03d3a3980b9da54cb26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1551}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131988, "scanner": "repobility-docker", "fingerprint": "c54603add61b76e07224d9c5354c5d05b16b4761b0962dd26b7f903dcf7a1eb3", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", 
"isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "conda-python-dask", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c54603add61b76e07224d9c5354c5d05b16b4761b0962dd26b7f903dcf7a1eb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1520}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131987, "scanner": "repobility-docker", "fingerprint": "ceb205d4e2968a546bf39bc767b6495a0df98e55f410ef6d18daced2122789dd", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "conda-python-dask", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ceb205d4e2968a546bf39bc767b6495a0df98e55f410ef6d18daced2122789dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1520}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131983, "scanner": "repobility-docker", "fingerprint": "68b5b629d33806388cbce5b6b8953f575fe10f9a2689ac59280d87fa201c8e58", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "conda-python-no-numpy", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|68b5b629d33806388cbce5b6b8953f575fe10f9a2689ac59280d87fa201c8e58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1461}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131982, "scanner": "repobility-docker", "fingerprint": "d0aa5cfc3a8cba85ea329239fe700ca2bcec3b9a4b47adeb64e4dee54c804e37", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "conda-python-no-numpy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d0aa5cfc3a8cba85ea329239fe700ca2bcec3b9a4b47adeb64e4dee54c804e37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1461}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131980, "scanner": "repobility-docker", "fingerprint": "4adb6ae3826da61e135417f069206bcc313d60a5f53dbd381163866fd93e6d22", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "conda-python-pandas", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4adb6ae3826da61e135417f069206bcc313d60a5f53dbd381163866fd93e6d22"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1427}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131979, "scanner": "repobility-docker", "fingerprint": "c9bcbf9a6fc11350a335c6b8e567fb2a81a8888337813fcea02ddee764337676", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "conda-python-pandas", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c9bcbf9a6fc11350a335c6b8e567fb2a81a8888337813fcea02ddee764337676"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1427}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131977, "scanner": "repobility-docker", "fingerprint": "e464b0d22dcfd3896e65f2081287a08c7300c19d4696e92841ce6ed8783061ec", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "python-free-threaded-wheel-windows-test", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e464b0d22dcfd3896e65f2081287a08c7300c19d4696e92841ce6ed8783061ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1414}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, 
"properties": {"repobilityId": 131976, "scanner": "repobility-docker", "fingerprint": "0a4b2de31ac8b269cf1fe53776787a7af9b4dc53d8b3bde4c42843cd99328140", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "python-free-threaded-wheel-windows-test", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0a4b2de31ac8b269cf1fe53776787a7af9b4dc53d8b3bde4c42843cd99328140"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1414}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131974, "scanner": "repobility-docker", "fingerprint": "639bb000e67e3d5164246e2b08ff35692518fec934f87f3148c868b5c4e747f9", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "python-wheel-windows-test", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|639bb000e67e3d5164246e2b08ff35692518fec934f87f3148c868b5c4e747f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1403}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131973, "scanner": "repobility-docker", "fingerprint": "31018edd6b8daa48e6b123391c1695407cd47793fc8792014a137096b82f70be", "category": "docker", "severity": 
"low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "python-wheel-windows-test", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|31018edd6b8daa48e6b123391c1695407cd47793fc8792014a137096b82f70be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1403}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131971, "scanner": "repobility-docker", "fingerprint": "cbb901d6f40a20780c96ed0e3c96b7e16ad924599c90e1aeff46c8f34604cf64", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "python-wheel-windows-test-base", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cbb901d6f40a20780c96ed0e3c96b7e16ad924599c90e1aeff46c8f34604cf64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1396}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131970, "scanner": "repobility-docker", "fingerprint": "e329dfe6c45e2569dee346b93266da33e17685b9ebd5a216085b8d47a672a1be", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", 
"evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "python-wheel-windows-test-base", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e329dfe6c45e2569dee346b93266da33e17685b9ebd5a216085b8d47a672a1be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1396}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131968, "scanner": "repobility-docker", "fingerprint": "41b227fc1e359e25a026b5b073a7550f58964ef296eea3e293b366ab38d4736f", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "python-free-threaded-wheel-windows-vs2022", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|41b227fc1e359e25a026b5b073a7550f58964ef296eea3e293b366ab38d4736f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1379}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131967, "scanner": "repobility-docker", "fingerprint": "65afb49807709c64e4dcc54f5c85c419b23c20908439c994c55da0db78f7f233", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "python-free-threaded-wheel-windows-vs2022", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|65afb49807709c64e4dcc54f5c85c419b23c20908439c994c55da0db78f7f233"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1379}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131965, "scanner": "repobility-docker", "fingerprint": "7b032339d335c1daa123dfe306a76908a60c7a2f68c6582837afc3bd5950a06f", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "python-wheel-windows-vs2022", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7b032339d335c1daa123dfe306a76908a60c7a2f68c6582837afc3bd5950a06f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1363}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131964, "scanner": "repobility-docker", "fingerprint": "521b003616e03f046d691c118bcfcfba6f86fd4464b79b29e5050cad4ea5f303", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "python-wheel-windows-vs2022", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|521b003616e03f046d691c118bcfcfba6f86fd4464b79b29e5050cad4ea5f303"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1363}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131962, "scanner": "repobility-docker", "fingerprint": "f72b600b5e4c146a8453d7660220e3ebcf27e3d639eccce85c4fe0bd5ebc60b4", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "python-wheel-windows-vs2022-base", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f72b600b5e4c146a8453d7660220e3ebcf27e3d639eccce85c4fe0bd5ebc60b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1346}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131961, "scanner": "repobility-docker", "fingerprint": "3b628ffe74e044f5c9a30f123ac2b6e8eeab8ee528d8802b11ccf1f9073439d8", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "python-wheel-windows-vs2022-base", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3b628ffe74e044f5c9a30f123ac2b6e8eeab8ee528d8802b11ccf1f9073439d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1346}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks 
no-new-privileges hardening"}, "properties": {"repobilityId": 131959, "scanner": "repobility-docker", "fingerprint": "001676bb86fb1f88bdc87f99c3635304281c14a2eec29eea7f3e0551935a9fb7", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "python-free-threaded-wheel-manylinux-test-unittests", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|001676bb86fb1f88bdc87f99c3635304281c14a2eec29eea7f3e0551935a9fb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1326}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131958, "scanner": "repobility-docker", "fingerprint": "52aa3cbdafbc8ecaff852f9340cf476a2bf7544b3dc810b057b2542ae7dbbb9c", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "python-free-threaded-wheel-manylinux-test-unittests", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|52aa3cbdafbc8ecaff852f9340cf476a2bf7544b3dc810b057b2542ae7dbbb9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1326}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131956, "scanner": "repobility-docker", "fingerprint": 
"cdc2438f3f448c7cbea9fc95062006d446266e7ad2ef40cd24dffa90622be3d3", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "python-wheel-manylinux-test-unittests", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cdc2438f3f448c7cbea9fc95062006d446266e7ad2ef40cd24dffa90622be3d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1303}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131955, "scanner": "repobility-docker", "fingerprint": "08cd35b11e8d04ef57372751faacb6bd451361b3f6b645e4354112d3c78b9bc9", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "python-wheel-manylinux-test-unittests", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|08cd35b11e8d04ef57372751faacb6bd451361b3f6b645e4354112d3c78b9bc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1303}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131953, "scanner": "repobility-docker", "fingerprint": "9e4d5abb393b9caf3a4e4b2cad94996a954129b64911d3850576528b1a6cac2f", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", 
"isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "python-free-threaded-wheel-manylinux-test-imports", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9e4d5abb393b9caf3a4e4b2cad94996a954129b64911d3850576528b1a6cac2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1283}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131952, "scanner": "repobility-docker", "fingerprint": "fc27a973ccbd99a6f52989a3fd05b3297fa83942892696481105243b8d2d145e", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "python-free-threaded-wheel-manylinux-test-imports", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fc27a973ccbd99a6f52989a3fd05b3297fa83942892696481105243b8d2d145e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1283}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131949, "scanner": "repobility-docker", "fingerprint": "2042bfe99ff13499376c462fddb6a4e9f10dde92fceeab23959ea4c8f1589884", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": 
"repobility-docker", "service": "python-free-threaded-wheel-musllinux-test-unittests", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2042bfe99ff13499376c462fddb6a4e9f10dde92fceeab23959ea4c8f1589884"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1247}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131948, "scanner": "repobility-docker", "fingerprint": "15954b328a89752a88f8d319f0dca4b018ce32d571be45cadbc94408fae4de92", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "python-free-threaded-wheel-musllinux-test-unittests", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|15954b328a89752a88f8d319f0dca4b018ce32d571be45cadbc94408fae4de92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1247}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131946, "scanner": "repobility-docker", "fingerprint": "6e82e2beb031dddd83aa4bca72ee0c14bce1c7f60a10167da5b97119f8b994c4", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "python-wheel-musllinux-test-unittests", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6e82e2beb031dddd83aa4bca72ee0c14bce1c7f60a10167da5b97119f8b994c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1225}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131945, "scanner": "repobility-docker", "fingerprint": "47f0fce8f98529dd23127f4b802fd4ea9c72edb8e60e7e6064ee9104b59061b6", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "python-wheel-musllinux-test-unittests", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|47f0fce8f98529dd23127f4b802fd4ea9c72edb8e60e7e6064ee9104b59061b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1225}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131943, "scanner": "repobility-docker", "fingerprint": "dce398aee9afff7a0f70359ee9ed373a42091e292f7a85f5ec5135555112949f", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "python-free-threaded-wheel-musllinux-test-imports", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|dce398aee9afff7a0f70359ee9ed373a42091e292f7a85f5ec5135555112949f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1203}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131942, "scanner": "repobility-docker", "fingerprint": "cf748ae2e0b83daedce0da1a8410e50cc5c5f3ca553e8bd64174e1626fc4e84c", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "python-free-threaded-wheel-musllinux-test-imports", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cf748ae2e0b83daedce0da1a8410e50cc5c5f3ca553e8bd64174e1626fc4e84c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1203}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131939, "scanner": "repobility-docker", "fingerprint": "ebebc4d0a53ce58d759e6aa5684ce664103290cfaedd506785629ddc74510820", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "python-wheel-musllinux-1-2", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ebebc4d0a53ce58d759e6aa5684ce664103290cfaedd506785629ddc74510820"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 
1162}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131938, "scanner": "repobility-docker", "fingerprint": "80b415f168c8643b800a41e343131ffab49a0a49af79223515154f2d31d41e9b", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "python-wheel-musllinux-1-2", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|80b415f168c8643b800a41e343131ffab49a0a49af79223515154f2d31d41e9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1162}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131936, "scanner": "repobility-docker", "fingerprint": "c1047c4d937df6ae715ce724c57865f93aee8f96e3931724bf2ecbf00539aefa", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "python-wheel-manylinux-2-28", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c1047c4d937df6ae715ce724c57865f93aee8f96e3931724bf2ecbf00539aefa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1137}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131935, "scanner": "repobility-docker", 
"fingerprint": "6e69b5850a5a2b1d7b3067f867c8d1a91ce7ec0464912893b43b2f61266cbdd9", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "python-wheel-manylinux-2-28", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6e69b5850a5a2b1d7b3067f867c8d1a91ce7ec0464912893b43b2f61266cbdd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1137}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131933, "scanner": "repobility-docker", "fingerprint": "7a88e8a79db542c2f38d185a2331bade4c6d62525532800cfe2c3ed864888dc0", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ubuntu-python-sdist-test", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7a88e8a79db542c2f38d185a2331bade4c6d62525532800cfe2c3ed864888dc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1103}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131932, "scanner": "repobility-docker", "fingerprint": "f6bf88451a9ebf416069a3bc14acc14d4b9a67ce5ce8cc82d38491ed9330094d", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", 
"isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ubuntu-python-sdist-test", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f6bf88451a9ebf416069a3bc14acc14d4b9a67ce5ce8cc82d38491ed9330094d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1103}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131930, "scanner": "repobility-docker", "fingerprint": "8f81c0950761411b769eb20c14c7ba6a5cf45b049345182ccee0e7e011dd79de", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "python-sdist", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8f81c0950761411b769eb20c14c7ba6a5cf45b049345182ccee0e7e011dd79de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1085}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131929, "scanner": "repobility-docker", "fingerprint": "06fde459a3f59000068d4603ac921716879000f7400eefabb331042d22434621", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "python-sdist", 
"references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|06fde459a3f59000068d4603ac921716879000f7400eefabb331042d22434621"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1085}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131927, "scanner": "repobility-docker", "fingerprint": "ead388c0352a73f093b4936b45e96ab20052c0d58fddced66206f079ffd6887d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "fedora-python", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ead388c0352a73f093b4936b45e96ab20052c0d58fddced66206f079ffd6887d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1061}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131926, "scanner": "repobility-docker", "fingerprint": "ab5a3690fa18fb2c3d13d89b7aa520edc763675a1e166d763d916229abfaa538", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "fedora-python", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ab5a3690fa18fb2c3d13d89b7aa520edc763675a1e166d763d916229abfaa538"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1061}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131924, "scanner": "repobility-docker", "fingerprint": "b220605112ec526001794044c57586ee869474ebf32e7bc28215f7487736ebbd", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ubuntu-python", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b220605112ec526001794044c57586ee869474ebf32e7bc28215f7487736ebbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1039}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131923, "scanner": "repobility-docker", "fingerprint": "a053b0c22d6e2d973b274d2d2cd602f75a8c944e02dfdb58d9dbbaab06445bc6", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ubuntu-python", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a053b0c22d6e2d973b274d2d2cd602f75a8c944e02dfdb58d9dbbaab06445bc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1039}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 
131921, "scanner": "repobility-docker", "fingerprint": "484c852b0e7b9af2a19e6c47b15282f4769621275d1b07200b53b217f6817fa5", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "debian-python", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|484c852b0e7b9af2a19e6c47b15282f4769621275d1b07200b53b217f6817fa5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1017}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131920, "scanner": "repobility-docker", "fingerprint": "ae33da3af943e2c294083a534c5a0883a048ff417e940073f595a1f69e5c6c41", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "debian-python", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ae33da3af943e2c294083a534c5a0883a048ff417e940073f595a1f69e5c6c41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1017}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131918, "scanner": "repobility-docker", "fingerprint": "a1ca407fe9749086f3e9a30bf12de08e536e026e63afc3b030dddfcf454ceef7", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": 
"needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ubuntu-cuda-python", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a1ca407fe9749086f3e9a30bf12de08e536e026e63afc3b030dddfcf454ceef7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 965}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131917, "scanner": "repobility-docker", "fingerprint": "f6e22c5fec00d839a172e36096e7f82b007730f5ac4d2194e9f3670f3341321e", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ubuntu-cuda-python", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f6e22c5fec00d839a172e36096e7f82b007730f5ac4d2194e9f3670f3341321e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 965}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131915, "scanner": "repobility-docker", "fingerprint": "2325461cae0078aaadef2ac3df8f4429462460126a7142d6b15627bb1fff7422", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "conda-python-emscripten", 
"references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2325461cae0078aaadef2ac3df8f4429462460126a7142d6b15627bb1fff7422"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 933}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131914, "scanner": "repobility-docker", "fingerprint": "bdd59f1055f985cfb12c221b0335a6af527a02c009dedab3336d9d6b03d7714c", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "conda-python-emscripten", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|bdd59f1055f985cfb12c221b0335a6af527a02c009dedab3336d9d6b03d7714c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 933}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131912, "scanner": "repobility-docker", "fingerprint": "1c66025e63f91e572f9490f8b05c19463409332a378be98f9d507b90d9752113", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "conda-python", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1c66025e63f91e572f9490f8b05c19463409332a378be98f9d507b90d9752113"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 903}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131911, "scanner": "repobility-docker", "fingerprint": "9fd5104481a69b05760a0833fe6a8a1988855190b22c4965be3730ff0cb6ce82", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "conda-python", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9fd5104481a69b05760a0833fe6a8a1988855190b22c4965be3730ff0cb6ce82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 903}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131909, "scanner": "repobility-docker", "fingerprint": "74066db85ae09757963c81ed279f61b828ef2d023db97ea012c90bd0c61135df", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ubuntu-ruby", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|74066db85ae09757963c81ed279f61b828ef2d023db97ea012c90bd0c61135df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 877}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": 
{"repobilityId": 131908, "scanner": "repobility-docker", "fingerprint": "1372d59432a98ce1bed4370990c194d254f1137e4d5f7ece2a282f4930c0d316", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ubuntu-ruby", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1372d59432a98ce1bed4370990c194d254f1137e4d5f7ece2a282f4930c0d316"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 877}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131906, "scanner": "repobility-docker", "fingerprint": "9aa758fb9befec0c75bf3f497a737e23ca9c479799440a56ed1f1d2c61000e98", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "debian-ruby", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9aa758fb9befec0c75bf3f497a737e23ca9c479799440a56ed1f1d2c61000e98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 847}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131905, "scanner": "repobility-docker", "fingerprint": "a7439edc0f0c5403a126f4964ca1724b2a49bd78fc68c769f831c0a7318ea7e4", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": 
"needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "debian-ruby", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a7439edc0f0c5403a126f4964ca1724b2a49bd78fc68c769f831c0a7318ea7e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 847}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131903, "scanner": "repobility-docker", "fingerprint": "33c07480f23261e72015cd90d6cc7502f852fbe18bcf2b5e3bbe8fa7dcc41c82", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ubuntu-c-glib", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|33c07480f23261e72015cd90d6cc7502f852fbe18bcf2b5e3bbe8fa7dcc41c82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 818}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131902, "scanner": "repobility-docker", "fingerprint": "67f6eb4dde2fd2e506a2853f9cef123160ee675dd6ea6724eb749a41e64786b2", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ubuntu-c-glib", 
"references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|67f6eb4dde2fd2e506a2853f9cef123160ee675dd6ea6724eb749a41e64786b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 818}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131900, "scanner": "repobility-docker", "fingerprint": "3315bd7982da566074401888ba2173a94346c710f571f014a209bce8b2d55624", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "debian-c-glib", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3315bd7982da566074401888ba2173a94346c710f571f014a209bce8b2d55624"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 790}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131899, "scanner": "repobility-docker", "fingerprint": "8c81380b4660291f2740fd77ec555495f8cc6c88a4aa028bebea19b0b5f8df11", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "debian-c-glib", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8c81380b4660291f2740fd77ec555495f8cc6c88a4aa028bebea19b0b5f8df11"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 790}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131897, "scanner": "repobility-docker", "fingerprint": "57888fbf4787f73d17fdca0ba1005e343cb389a1433d0e4ff329fcc2695fcebf", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "cpp-jni", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|57888fbf4787f73d17fdca0ba1005e343cb389a1433d0e4ff329fcc2695fcebf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 757}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131896, "scanner": "repobility-docker", "fingerprint": "511c4a09bb075712a21596faaf0f596b110b9cb7256bbe93fc4ab217ffdae587", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "cpp-jni", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|511c4a09bb075712a21596faaf0f596b110b9cb7256bbe93fc4ab217ffdae587"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 757}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131894, "scanner": 
"repobility-docker", "fingerprint": "a23f158b52065b4c7e019a001cd00e31373b1dab4bdd599d1c7af4b867ba5d56", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "fedora-cpp", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a23f158b52065b4c7e019a001cd00e31373b1dab4bdd599d1c7af4b867ba5d56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 730}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131893, "scanner": "repobility-docker", "fingerprint": "b9959d4f5c36ce1a9623b14f0fa1c1211ab1ec42ca41c8afe6b212e0ddca7161", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "fedora-cpp", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b9959d4f5c36ce1a9623b14f0fa1c1211ab1ec42ca41c8afe6b212e0ddca7161"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 730}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131891, "scanner": "repobility-docker", "fingerprint": "1a9dac24d8d15f168900f0654267bcd757d17ae52a9a19a36ea87ba60df9e262", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, 
"reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ubuntu-cpp-emscripten", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1a9dac24d8d15f168900f0654267bcd757d17ae52a9a19a36ea87ba60df9e262"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 704}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131890, "scanner": "repobility-docker", "fingerprint": "4752d32daab62b64562327f702aa7cbb6fe0412d3c8e157d860f261482c2171c", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ubuntu-cpp-emscripten", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4752d32daab62b64562327f702aa7cbb6fe0412d3c8e157d860f261482c2171c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 704}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131888, "scanner": "repobility-docker", "fingerprint": "fac0d15af0f98f5f07d9d694c5f979756f92dab09844c96cf11f411a3eb935eb", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ubuntu-cpp-thread-sanitizer", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fac0d15af0f98f5f07d9d694c5f979756f92dab09844c96cf11f411a3eb935eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 670}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131887, "scanner": "repobility-docker", "fingerprint": "ee5b1128d53866c8ec631b4d83b668ff27cf5c86b16d3fd4357ada0c23bf142f", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ubuntu-cpp-thread-sanitizer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ee5b1128d53866c8ec631b4d83b668ff27cf5c86b16d3fd4357ada0c23bf142f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 670}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131885, "scanner": "repobility-docker", "fingerprint": "4262e1cfc26e22152cda23700c89fb595530e3f3267bae13fb180e128181a2df", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ubuntu-cpp-sanitizer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4262e1cfc26e22152cda23700c89fb595530e3f3267bae13fb180e128181a2df"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 621}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131884, "scanner": "repobility-docker", "fingerprint": "d14a6e63a250ec72c1ce49f312ba48fdab41f71f8079f74e9670f84b1fa61b3f", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ubuntu-cpp-sanitizer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d14a6e63a250ec72c1ce49f312ba48fdab41f71f8079f74e9670f84b1fa61b3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 621}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131881, "scanner": "repobility-docker", "fingerprint": "095def9887b74efcc7355afbd7ba7be0dbf34bf21c555be61752926ad25dce56", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ubuntu-cuda-cpp", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|095def9887b74efcc7355afbd7ba7be0dbf34bf21c555be61752926ad25dce56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 567}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, 
"properties": {"repobilityId": 131880, "scanner": "repobility-docker", "fingerprint": "e63ddb1d18dda9982a580ff7812e7e0f8eac0ad71bea25011c259fd340bf5b66", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ubuntu-cuda-cpp", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e63ddb1d18dda9982a580ff7812e7e0f8eac0ad71bea25011c259fd340bf5b66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 567}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131878, "scanner": "repobility-docker", "fingerprint": "b9b4526a7c7b3f66eb82b7aa05cb48f21ec730cfbc5445b8b53f7a6cb2970c30", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ubuntu-cpp-minimal", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b9b4526a7c7b3f66eb82b7aa05cb48f21ec730cfbc5445b8b53f7a6cb2970c30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 524}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131877, "scanner": "repobility-docker", "fingerprint": "4273f4c8d337073f373f0c7339f03bf78881f658d71c2ae4f5df08204546c104", "category": "docker", "severity": "low", "confidence": 0.56, 
"triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ubuntu-cpp-minimal", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4273f4c8d337073f373f0c7339f03bf78881f658d71c2ae4f5df08204546c104"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 524}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131875, "scanner": "repobility-docker", "fingerprint": "96484452ca25cdd8a98531e1ff7fb8aed9663a192caf2b7da41bc3f226714a62", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ubuntu-cpp-odbc", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|96484452ca25cdd8a98531e1ff7fb8aed9663a192caf2b7da41bc3f226714a62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 497}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131874, "scanner": "repobility-docker", "fingerprint": "da9cf13ef27f46a4af0e042169060d8551be504d9138a8760046a47ae6bdf959", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": 
"repobility-docker", "service": "ubuntu-cpp-odbc", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|da9cf13ef27f46a4af0e042169060d8551be504d9138a8760046a47ae6bdf959"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 497}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131871, "scanner": "repobility-docker", "fingerprint": "7069488ef8233fc856774ec6f5986fc14faae9f0f94dac1ae34bb67ca161a5c0", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ubuntu-cpp-bundled-offline", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7069488ef8233fc856774ec6f5986fc14faae9f0f94dac1ae34bb67ca161a5c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 473}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131870, "scanner": "repobility-docker", "fingerprint": "8a4d7d5682e2a08536a1ebcce05b3bab39c54e5a6fd1eea687a4c539314f5d3d", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ubuntu-cpp-bundled-offline", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|8a4d7d5682e2a08536a1ebcce05b3bab39c54e5a6fd1eea687a4c539314f5d3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 473}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131868, "scanner": "repobility-docker", "fingerprint": "7eab4059135213fbd6390bd5ba87217977cb49d8dbb70b5572206c14f7032bb2", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ubuntu-cpp-bundled", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7eab4059135213fbd6390bd5ba87217977cb49d8dbb70b5572206c14f7032bb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 451}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131867, "scanner": "repobility-docker", "fingerprint": "0931ffbc78a7b72b0ce3cd8bbad1908f22a368d0feee0a55a326b4a753e223fa", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ubuntu-cpp-bundled", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0931ffbc78a7b72b0ce3cd8bbad1908f22a368d0feee0a55a326b4a753e223fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 451}}}]}, {"ruleId": "DKC010", "level": 
"note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131865, "scanner": "repobility-docker", "fingerprint": "dc7518be7fbc2816e6542f48896f78cf8972bb959a667ab2292fe9b11b306eeb", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ubuntu-cpp-static", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|dc7518be7fbc2816e6542f48896f78cf8972bb959a667ab2292fe9b11b306eeb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 409}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131864, "scanner": "repobility-docker", "fingerprint": "7f90bb33e226d4eae402b69d2fcf7b0bbef84444c81198b0aff6ec65d60559d2", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ubuntu-cpp-static", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7f90bb33e226d4eae402b69d2fcf7b0bbef84444c81198b0aff6ec65d60559d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 409}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131861, "scanner": "repobility-docker", "fingerprint": 
"3b029244df8eb46138e8e248fa388cc2ac7e1a6b70667bf0326b0e691076dd5a", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ubuntu-cpp", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3b029244df8eb46138e8e248fa388cc2ac7e1a6b70667bf0326b0e691076dd5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131860, "scanner": "repobility-docker", "fingerprint": "93dcd08b58673f60ffa7b015e44047477e9427bf69db374e52266d86f2e997c8", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ubuntu-cpp", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|93dcd08b58673f60ffa7b015e44047477e9427bf69db374e52266d86f2e997c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131857, "scanner": "repobility-docker", "fingerprint": "dc9c35e7f5478fdeb6b13ebcfbbda250d5b318f45e78ab91488961b715882034", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no 
security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "debian-cpp", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|dc9c35e7f5478fdeb6b13ebcfbbda250d5b318f45e78ab91488961b715882034"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 341}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131856, "scanner": "repobility-docker", "fingerprint": "18237e0747fe2fa64d9e65c9c64b9c4ff596e98fd4c4fb69ffe91981a7190eea", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "debian-cpp", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|18237e0747fe2fa64d9e65c9c64b9c4ff596e98fd4c4fb69ffe91981a7190eea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 341}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131854, "scanner": "repobility-docker", "fingerprint": "ffb1755120ca5f1b2e669f914cfc479ea6f875bec3d7b49f199a6d24fb2b4b5b", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "conda-cpp-valgrind", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ffb1755120ca5f1b2e669f914cfc479ea6f875bec3d7b49f199a6d24fb2b4b5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 304}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131853, "scanner": "repobility-docker", "fingerprint": "109c7aa0ea1cf7d5a400bda6beff07b58e848279fc4fc9b37ca4a7bb5ea09a8a", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "conda-cpp-valgrind", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|109c7aa0ea1cf7d5a400bda6beff07b58e848279fc4fc9b37ca4a7bb5ea09a8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 304}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131851, "scanner": "repobility-docker", "fingerprint": "f3265c0c2533e0ac69f07e868376bdf1f8f92ed74d9648f7c8b678d2f524679d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "conda-cpp", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f3265c0c2533e0ac69f07e868376bdf1f8f92ed74d9648f7c8b678d2f524679d"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 267}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131850, "scanner": "repobility-docker", "fingerprint": "aca77e69b6ac169dfc35d106322af0fc950bfeb316b94904face4098978ef7c8", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "conda-cpp", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|aca77e69b6ac169dfc35d106322af0fc950bfeb316b94904face4098978ef7c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 267}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131848, "scanner": "repobility-docker", "fingerprint": "cb158bdd1dd49a565f02d055e85f01c5b3a443e0cdb319ba83fef2996e2fa81d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "conda", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cb158bdd1dd49a565f02d055e85f01c5b3a443e0cdb319ba83fef2996e2fa81d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 248}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131847, "scanner": 
"repobility-docker", "fingerprint": "0071187af8cac0961a63ed47f4aba5eb2d61d319fccde406e271f91b7cb295ec", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "conda", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0071187af8cac0961a63ed47f4aba5eb2d61d319fccde406e271f91b7cb295ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 248}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 131845, "scanner": "repobility-docker", "fingerprint": "0c7d59089277c8c718ee38e91cdf37149dae5e920a9d2a9f8d3d326c285dc268", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "alpine-linux-cpp", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0c7d59089277c8c718ee38e91cdf37149dae5e920a9d2a9f8d3d326c285dc268"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 218}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 131844, "scanner": "repobility-docker", "fingerprint": "b69cd9b9c08bfd5227a30b96316a360312bccac32a06b04c32c41e4940a46f9c", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, 
"reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "alpine-linux-cpp", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b69cd9b9c08bfd5227a30b96316a360312bccac32a06b04c32c41e4940a46f9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 218}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 131834, "scanner": "repobility-docker", "fingerprint": "5bf6a3ea2057bdf11b647bbfc9a03d8877d22f13575ec1355783c28310115708", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5bf6a3ea2057bdf11b647bbfc9a03d8877d22f13575ec1355783c28310115708"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-apt-source/apt/ubuntu-resolute/Dockerfile"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 131832, "scanner": "repobility-docker", "fingerprint": "750304c4b293b3b8253cb010aef5eb4cdbdd7aab1d951c1889d6eb0104e1160f", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|750304c4b293b3b8253cb010aef5eb4cdbdd7aab1d951c1889d6eb0104e1160f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-apt-source/apt/ubuntu-noble/Dockerfile"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 131830, "scanner": "repobility-docker", "fingerprint": "dcc2f02084aa83572d064ac7bfa050e92f24f4a7f604dc6639f8c57f06b91315", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|dcc2f02084aa83572d064ac7bfa050e92f24f4a7f604dc6639f8c57f06b91315"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-apt-source/apt/ubuntu-jammy/Dockerfile"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 131828, "scanner": "repobility-docker", "fingerprint": "b580f69502f3332ce92303121cc25e6c560c514f4614ea94d340b60c1b0da3d1", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|b580f69502f3332ce92303121cc25e6c560c514f4614ea94d340b60c1b0da3d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-trixie/Dockerfile"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 131827, "scanner": "repobility-docker", "fingerprint": "b2a521d2be676976032fe3bba9d5ac115e5b2818f2e4ca16f92ad925f5d99f12", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|b2a521d2be676976032fe3bba9d5ac115e5b2818f2e4ca16f92ad925f5d99f12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-trixie/Dockerfile"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 131825, "scanner": "repobility-docker", "fingerprint": "0ee3153856d4ae4857a5f156312a1498099975dd39dd12e513536468997a2746", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0ee3153856d4ae4857a5f156312a1498099975dd39dd12e513536468997a2746"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-forky/Dockerfile"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 131824, "scanner": "repobility-docker", "fingerprint": "7dbf246edaac03ef4a0912ee8f48008ec949e1ac3d035a304e9723d595adca6d", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|7dbf246edaac03ef4a0912ee8f48008ec949e1ac3d035a304e9723d595adca6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-forky/Dockerfile"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 131822, "scanner": "repobility-docker", "fingerprint": "8461b3a6da68c7e3a05e7688883ca3fdca341c6dc5cb2a750ee1640fdcaaf737", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8461b3a6da68c7e3a05e7688883ca3fdca341c6dc5cb2a750ee1640fdcaaf737"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-bookworm/Dockerfile"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": 
"Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 131821, "scanner": "repobility-docker", "fingerprint": "c0b399ca9630ac5b33951f0596078f989a332e44f46f52928ec1b4ed970dc1c1", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c0b399ca9630ac5b33951f0596078f989a332e44f46f52928ec1b4ed970dc1c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-bookworm/Dockerfile"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 131809, "scanner": "repobility-docker", "fingerprint": "aa38909b6e4b97e5ed0994e89aceb37a59e0ee44d51ae8d1ab9664d7c0a76400", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|aa38909b6e4b97e5ed0994e89aceb37a59e0ee44d51ae8d1ab9664d7c0a76400"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/apt/ubuntu-resolute/Dockerfile"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 131806, "scanner": "repobility-docker", "fingerprint": 
"5f12d64616143104b0913606ad86ac0a9ace885aa45149654fa9ff26b38f3bf0", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5f12d64616143104b0913606ad86ac0a9ace885aa45149654fa9ff26b38f3bf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/apt/ubuntu-noble/Dockerfile"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 131803, "scanner": "repobility-docker", "fingerprint": "5e1662eec40338c6a98b9d3e062de41b1843dd0cbcd4e4c1f3adc0dfcfba4300", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5e1662eec40338c6a98b9d3e062de41b1843dd0cbcd4e4c1f3adc0dfcfba4300"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/apt/ubuntu-jammy/Dockerfile"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 131800, "scanner": "repobility-docker", "fingerprint": "ad48a59a728ed3ac47f859e6428ddc3fd5d553995f9436188ff671d3e07cd085", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", 
"isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ad48a59a728ed3ac47f859e6428ddc3fd5d553995f9436188ff671d3e07cd085"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/apt/debian-trixie/Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 131799, "scanner": "repobility-docker", "fingerprint": "c712f79fb024a14ed384415e1d342fead7b257f95d0c1342ad88a1fa995a8fd9", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c712f79fb024a14ed384415e1d342fead7b257f95d0c1342ad88a1fa995a8fd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/apt/debian-trixie/Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 131796, "scanner": "repobility-docker", "fingerprint": "2e30e03d365649ec7011de9d696fd6e0c3d500407484180b893d7901de87e7cf", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2e30e03d365649ec7011de9d696fd6e0c3d500407484180b893d7901de87e7cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/apt/debian-forky/Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 131795, "scanner": "repobility-docker", "fingerprint": "618f87a136d77d052960fec217d95f243350066074a5823e8dd0af77dcf44a01", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|618f87a136d77d052960fec217d95f243350066074a5823e8dd0af77dcf44a01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/apt/debian-forky/Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 131792, "scanner": "repobility-docker", "fingerprint": "46c921b51fc32da6d08eec3afbb953976f30d03b984801c9c04e6b3d204c2848", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|46c921b51fc32da6d08eec3afbb953976f30d03b984801c9c04e6b3d204c2848"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/apt/debian-bookworm/Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 131791, "scanner": "repobility-docker", "fingerprint": "f2a94ca35f2aef8896f3b51ba2b3f030f93b7acff1a5bf0f057775b6de7ddaab", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|f2a94ca35f2aef8896f3b51ba2b3f030f93b7acff1a5bf0f057775b6de7ddaab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/apt/debian-bookworm/Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 131789, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 131787, "scanner": "repobility-docker", "fingerprint": "9422e0476a345f7650b327cbaf727f219d412a24b4b644f3e5d0356ec5d85df7", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9422e0476a345f7650b327cbaf727f219d412a24b4b644f3e5d0356ec5d85df7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/release/binary/Dockerfile"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 131786, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8381154ee73d457abcef168df185129977b940b505b70e4d178691cb0ca25be4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cpp/src/arrow/filesystem/azurefs.h", "duplicate_line": 104, "correlation_key": "fp|8381154ee73d457abcef168df185129977b940b505b70e4d178691cb0ca25be4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/filesystem/s3fs.h"}, "region": {"startLine": 120}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 
131785, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2f5a7de04de81d8b3d6a01046a8aa8f98f7c23cfc487bc38db781b12d5d228cf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cpp/src/arrow/filesystem/hdfs.h", "duplicate_line": 25, "correlation_key": "fp|2f5a7de04de81d8b3d6a01046a8aa8f98f7c23cfc487bc38db781b12d5d228cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/filesystem/mockfs.h"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 131784, "scanner": "repobility-ai-code-hygiene", "fingerprint": "da11ac493e08cd2c65cf39c7738d9b3a0e3ec3bc460996000e72282d94050955", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cpp/src/arrow/filesystem/hdfs.h", "duplicate_line": 34, "correlation_key": "fp|da11ac493e08cd2c65cf39c7738d9b3a0e3ec3bc460996000e72282d94050955"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/filesystem/localfs.h"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 131783, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ec0279dac329ae3fd3898afce72068915ddeed1b16946f2b95f84abb54b6d2f7", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cpp/src/arrow/filesystem/azurefs.h", "duplicate_line": 104, "correlation_key": "fp|ec0279dac329ae3fd3898afce72068915ddeed1b16946f2b95f84abb54b6d2f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/filesystem/gcsfs.h"}, "region": {"startLine": 61}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 131782, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9fb28e635f13d8591566ded373c16b9eb3179472e25a4a7fdd5e6430645720e9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cpp/src/arrow/filesystem/azurefs.h", "duplicate_line": 101, "correlation_key": "fp|9fb28e635f13d8591566ded373c16b9eb3179472e25a4a7fdd5e6430645720e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/filesystem/filesystem.h"}, "region": {"startLine": 162}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 131781, "scanner": "repobility-ai-code-hygiene", "fingerprint": "95bde741b7480305166335895a2b8574b590eb191193f5abc146b27874d30ea5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code 
window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cpp/src/arrow/dataset/file_ipc.h", "duplicate_line": 8, "correlation_key": "fp|95bde741b7480305166335895a2b8574b590eb191193f5abc146b27874d30ea5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/dataset/file_orc.h"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 131780, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1a46a2bc4840e8e690fff1e2ace92594fb2f39eea4a5c1d7e28870a40e3cda21", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "c_glib/arrow-dataset-glib/dataset-factory.cpp", "duplicate_line": 292, "correlation_key": "fp|1a46a2bc4840e8e690fff1e2ace92594fb2f39eea4a5c1d7e28870a40e3cda21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "c_glib/arrow-dataset-glib/dataset.cpp"}, "region": {"startLine": 209}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `print_unpack_bit_func` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: elif=1, else=1, for=3, if=1, nested_bonus=3."}, "properties": {"repobilityId": 131718, "scanner": "repobility-threat-engine", "fingerprint": "570f5380962b78b1673d04cc9e90bff4956894774b41fc71a7bcc17083d1a4bd", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "print_unpack_bit_func", "breakdown": {"if": 1, "for": 3, "elif": 1, "else": 1, "nested_bonus": 3}, "complexity": 9, "correlation_key": "fp|570f5380962b78b1673d04cc9e90bff4956894774b41fc71a7bcc17083d1a4bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/util/bpacking_simd_codegen.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 131691, "scanner": "repobility-threat-engine", "fingerprint": "7bbec9b540b49fa7edea60a6ce4e6c214b63664a76418122daaf6d95b055bb3b", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"The (optional) second parameter to \" + function_name +\n                               \" function ne", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7bbec9b540b49fa7edea60a6ce4e6c214b63664a76418122daaf6d95b055bb3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/gandiva/interval_holder.h"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 131690, "scanner": "repobility-threat-engine", "fingerprint": "52820f1d913109f7bda51eada07bf6a8adeaae77d93c4fd1b2c45991288e71d4", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Failed to authenticate with token: \" + token_ +\n                                        \" Message:", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|52820f1d913109f7bda51eada07bf6a8adeaae77d93c4fd1b2c45991288e71d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/flight/sql/odbc/odbc_impl/flight_sql_auth_method.cc"}, "region": {"startLine": 130}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 131689, "scanner": "repobility-threat-engine", "fingerprint": "c645ff573a2d51e445affe5c50990b41a5b4343910d4717111bac70ce97fb8bb", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\":x: GitHub issue #\" + issueID + \" could not be retrieved.\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c645ff573a2d51e445affe5c50990b41a5b4343910d4717111bac70ce97fb8bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dev_pr/issue_check.js"}, "region": {"startLine": 61}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `ubuntu-verify-rc` image is selected through a build variable"}, "properties": {"repobilityId": 132039, "scanner": "repobility-docker", "fingerprint": "ad4631479c4429b0abe36823068a0d8d6380f56c99c6fa5fd548049c8806b1c3", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-ubuntu-${UBUNTU}-verify-rc", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|ad4631479c4429b0abe36823068a0d8d6380f56c99c6fa5fd548049c8806b1c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 2036}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": 
"Compose service `almalinux-verify-rc` image is selected through a build variable"}, "properties": {"repobilityId": 132036, "scanner": "repobility-docker", "fingerprint": "6e01ef19f2678a0f68efa9f6d56d20e62f5dbb0a5f38724ddf1230849abde8f2", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-almalinux-${ALMALINUX}-verify-rc", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|6e01ef19f2678a0f68efa9f6d56d20e62f5dbb0a5f38724ddf1230849abde8f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 2007}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `conda-verify-rc` image is selected through a build variable"}, "properties": {"repobilityId": 132035, "scanner": "repobility-docker", "fingerprint": "11328becfe8eb81edac18265cb1dda84198660dd144c7353c1ffdc60edf76825", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ubuntu:${UBUNTU}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|11328becfe8eb81edac18265cb1dda84198660dd144c7353c1ffdc60edf76825"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1987}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service 
`conda-python-spark` image is selected through a build variable"}, "properties": {"repobilityId": 132032, "scanner": "repobility-docker", "fingerprint": "cb59208c87ea5c27145ce38fcd17a2fcf9ea5edbf7834b3b2bfbd2191f7a2a9c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-conda-python-${PYTHON}-spark-${SPARK}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|cb59208c87ea5c27145ce38fcd17a2fcf9ea5edbf7834b3b2bfbd2191f7a2a9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1956}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `conda-python-hdfs` image is selected through a build variable"}, "properties": {"repobilityId": 132029, "scanner": "repobility-docker", "fingerprint": "a39af2dd8c9c68dd5bbf04a3a624d26a8c639ffb39fbd7f66f0606c975d8a1c8", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-conda-python-${PYTHON}-hdfs-${HDFS}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|a39af2dd8c9c68dd5bbf04a3a624d26a8c639ffb39fbd7f66f0606c975d8a1c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1915}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose 
service `debian-docs` image is selected through a build variable"}, "properties": {"repobilityId": 132016, "scanner": "repobility-docker", "fingerprint": "1c8f902442892a9dbced7a81f72ac04c71078813ad1c4dae5395bd699e4dce75", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-debian-${DEBIAN}-docs", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|1c8f902442892a9dbced7a81f72ac04c71078813ad1c4dae5395bd699e4dce75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1839}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `conda-integration` image is selected through a build variable"}, "properties": {"repobilityId": 132013, "scanner": "repobility-docker", "fingerprint": "4d4ea0a9e904fd44a658b9cc6c122475d2d4966db96ab51a27cd6a3eb62c7741", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-conda-integration", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|4d4ea0a9e904fd44a658b9cc6c122475d2d4966db96ab51a27cd6a3eb62c7741"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1804}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `fedora-r-clang` image is 
selected through a build variable"}, "properties": {"repobilityId": 132010, "scanner": "repobility-docker", "fingerprint": "47d3f148413cfffb48153dd2175aa99e1c0379d5aa05c9909e3cf45005a804fb", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-fedora-${FEDORA}-r-clang", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|47d3f148413cfffb48153dd2175aa99e1c0379d5aa05c9909e3cf45005a804fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1771}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `alpine-linux-r` image is selected through a build variable"}, "properties": {"repobilityId": 132007, "scanner": "repobility-docker", "fingerprint": "f667490ebac433c6bc1d0fd004208df262c8691589a3c6c640996fc5ae941c7a", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-alpine-linux-${ALPINE_LINUX}-r", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|f667490ebac433c6bc1d0fd004208df262c8691589a3c6c640996fc5ae941c7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1740}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `r-revdepcheck` image is selected through a 
build variable"}, "properties": {"repobilityId": 132004, "scanner": "repobility-docker", "fingerprint": "b0f303683d5df317348ad6e691ecbf43fa8d0dac6570c9121544ceb49880d2a3", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:r-rstudio-r-base-4.2-focal-revdepcheck", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|b0f303683d5df317348ad6e691ecbf43fa8d0dac6570c9121544ceb49880d2a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1716}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `ubuntu-r-valgrind` image is selected through a build variable"}, "properties": {"repobilityId": 132001, "scanner": "repobility-docker", "fingerprint": "f39e37510621aa1dd41da70370a678cc9327ca4e260c345163f91969cce9aa9c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:amd64-ubuntu-r-valgrind", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|f39e37510621aa1dd41da70370a678cc9327ca4e260c345163f91969cce9aa9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1687}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `r-san` image is selected through a build variable"}, "properties": 
{"repobilityId": 131998, "scanner": "repobility-docker", "fingerprint": "af411f2327f094dc6bedb8f3616c182fa1c46fbfbf140731915b106b8a8aeece", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:r-${R_ORG}-${R_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|af411f2327f094dc6bedb8f3616c182fa1c46fbfbf140731915b106b8a8aeece"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1658}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `r` image is selected through a build variable"}, "properties": {"repobilityId": 131995, "scanner": "repobility-docker", "fingerprint": "a2482e48fdaab8ebea7ed9a9a3998326a840ed8d199552e33970193618316040", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:r-${R_ORG}-${R_IMAGE}-${R_TAG}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|a2482e48fdaab8ebea7ed9a9a3998326a840ed8d199552e33970193618316040"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1625}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `ubuntu-r` image is selected through a build variable"}, "properties": {"repobilityId": 131992, "scanner": "repobility-docker", 
"fingerprint": "322f5c661b838dded525df371b4bfa53d7633fbe6ce024e8d5c7a81dfc35671a", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-ubuntu-${UBUNTU}-r-${R}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|322f5c661b838dded525df371b4bfa53d7633fbe6ce024e8d5c7a81dfc35671a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1577}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `conda-python-cpython-debug` image is selected through a build variable"}, "properties": {"repobilityId": 131989, "scanner": "repobility-docker", "fingerprint": "568d1644f073eaeae6e0fbd764050efa87ddb627e35a105ba338a2edcc817dec", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-conda-python-${PYTHON}-cpython-debug", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|568d1644f073eaeae6e0fbd764050efa87ddb627e35a105ba338a2edcc817dec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1551}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `conda-python-dask` image is selected through a build variable"}, "properties": {"repobilityId": 131986, "scanner": "repobility-docker", 
"fingerprint": "ca03a1e773b1d482585e3c90653cbd6b1c89981926dba25a1a0891013a50f8d3", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-conda-python-${PYTHON}-dask-${DASK}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|ca03a1e773b1d482585e3c90653cbd6b1c89981926dba25a1a0891013a50f8d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1520}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `conda-python-docs` image is selected through a build variable"}, "properties": {"repobilityId": 131984, "scanner": "repobility-docker", "fingerprint": "7b541c3c7e33cc6ba98c3efca273ce48e8391a160525ccd6c2accae6d1f35dc4", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-conda-python-${PYTHON}-pandas-${PANDAS}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|7b541c3c7e33cc6ba98c3efca273ce48e8391a160525ccd6c2accae6d1f35dc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1492}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `conda-python-no-numpy` image is selected through a build variable"}, "properties": {"repobilityId": 131981, "scanner": 
"repobility-docker", "fingerprint": "e67189b5c1bb072987888f1423f94da699b1f80ffb0fdb107faed6ebe07b0610", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-conda-python-${PYTHON}-no-numpy", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|e67189b5c1bb072987888f1423f94da699b1f80ffb0fdb107faed6ebe07b0610"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1461}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `conda-python-pandas` image is selected through a build variable"}, "properties": {"repobilityId": 131978, "scanner": "repobility-docker", "fingerprint": "2364fd172853775fb4761a0a3f1dd2d07b6cd2e7e85634946a422c848909a860", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-conda-python-${PYTHON}-pandas-${PANDAS}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|2364fd172853775fb4761a0a3f1dd2d07b6cd2e7e85634946a422c848909a860"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1427}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `python-free-threaded-wheel-windows-test` image is selected through a build variable"}, "properties": 
{"repobilityId": 131975, "scanner": "repobility-docker", "fingerprint": "0193940398afc7f5089414447e3d1ef45ad11f6cbcb97f01d820d700fda190ed", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:python-${PYTHON}-free-threaded-wheel-windows-test-vs2022-${PYTHON_WHEEL_WINDOWS_TEST_IMAGE_REVISION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|0193940398afc7f5089414447e3d1ef45ad11f6cbcb97f01d820d700fda190ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1414}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `python-wheel-windows-test` image is selected through a build variable"}, "properties": {"repobilityId": 131972, "scanner": "repobility-docker", "fingerprint": "f9c54f648b43e5fb867a617e002514ede4c2b6730f71e9be3c7831b04efec052", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:python-${PYTHON}-wheel-windows-test-vs2022-${PYTHON_WHEEL_WINDOWS_TEST_IMAGE_REVISION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|f9c54f648b43e5fb867a617e002514ede4c2b6730f71e9be3c7831b04efec052"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1403}}}]}, {"ruleId": "DKR002", "level": "none", 
"message": {"text": "Compose service `python-wheel-windows-test-base` image is selected through a build variable"}, "properties": {"repobilityId": 131969, "scanner": "repobility-docker", "fingerprint": "4b5339057ce9ecf45f15854cc9bcc5f1f830e1990ee66c53d5708b7f1cae2a9f", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:python-wheel-windows-test-vs2022-base-${PYTHON_WHEEL_WINDOWS_TEST_IMAGE_REVISION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|4b5339057ce9ecf45f15854cc9bcc5f1f830e1990ee66c53d5708b7f1cae2a9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1396}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `python-free-threaded-wheel-windows-vs2022` image is selected through a build variable"}, "properties": {"repobilityId": 131966, "scanner": "repobility-docker", "fingerprint": "63506882084ab997c3e325208944d45f7c3ac7a3f5ced485f6724202c54e65b8", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:python-${PYTHON}-free-threaded-wheel-windows-vs2022-vcpkg-${VCPKG}-${PYTHON_WHEEL_WINDOWS_IMAGE_REVISION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|63506882084ab997c3e325208944d45f7c3ac7a3f5ced485f6724202c54e65b8"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1379}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `python-wheel-windows-vs2022` image is selected through a build variable"}, "properties": {"repobilityId": 131963, "scanner": "repobility-docker", "fingerprint": "f8aae3be50eeefb113bb58623a4b195198e0eaf2d5a2e6c33b096d9eb6ab85ed", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:python-${PYTHON}-wheel-windows-vs2022-vcpkg-${VCPKG}-${PYTHON_WHEEL_WINDOWS_IMAGE_REVISION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|f8aae3be50eeefb113bb58623a4b195198e0eaf2d5a2e6c33b096d9eb6ab85ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1363}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `python-wheel-windows-vs2022-base` image is selected through a build variable"}, "properties": {"repobilityId": 131960, "scanner": "repobility-docker", "fingerprint": "409b24dd05d4602687381c700db8c33f8a6ff4adb0b2757b2699907a80bc9a70", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:python-wheel-windows-vs2022-base-vcpkg-${VCPKG}-${PYTHON_WHEEL_WINDOWS_IMAGE_REVISION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://docs.docker.com/scout/policy/"], "correlation_key": "fp|409b24dd05d4602687381c700db8c33f8a6ff4adb0b2757b2699907a80bc9a70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1346}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `python-free-threaded-wheel-manylinux-test-unittests` image is selected through a build variable"}, "properties": {"repobilityId": 131957, "scanner": "repobility-docker", "fingerprint": "3f54a87cc1c73168a7c5c815b69ad5f19585982eadab17ca09fe92734d9e4eaf", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-python-${PYTHON_IMAGE_TAG}-free-threaded-wheel-manylinux-test-unittests", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|3f54a87cc1c73168a7c5c815b69ad5f19585982eadab17ca09fe92734d9e4eaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1326}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `python-wheel-manylinux-test-unittests` image is selected through a build variable"}, "properties": {"repobilityId": 131954, "scanner": "repobility-docker", "fingerprint": "14d931e72c9ebda6d4e90bcd3ccd184550e08797ee0b42f1ec25d169f4b2f683", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-python-${PYTHON}-wheel-manylinux-test", "rule_id": "DKR002", "scanner": 
"repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|14d931e72c9ebda6d4e90bcd3ccd184550e08797ee0b42f1ec25d169f4b2f683"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1303}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `python-free-threaded-wheel-manylinux-test-imports` image is selected through a build variable"}, "properties": {"repobilityId": 131951, "scanner": "repobility-docker", "fingerprint": "a18c9956eae2d437833b740091489b2b14ebc803e4d4c83e95f09739047b6aa9", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-python-${PYTHON_IMAGE_TAG}-free-threaded-wheel-manylinux-test-imports", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|a18c9956eae2d437833b740091489b2b14ebc803e4d4c83e95f09739047b6aa9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1283}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `python-wheel-manylinux-test-imports` image is selected through a build variable"}, "properties": {"repobilityId": 131950, "scanner": "repobility-docker", "fingerprint": "a505cfb2babaf111394a310a559ee855fddb0707445162ba3e4ae75974b6e10c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": 
"${ARCH}/python:${PYTHON_IMAGE_TAG}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|a505cfb2babaf111394a310a559ee855fddb0707445162ba3e4ae75974b6e10c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1269}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `python-free-threaded-wheel-musllinux-test-unittests` image is selected through a build variable"}, "properties": {"repobilityId": 131947, "scanner": "repobility-docker", "fingerprint": "d60a6baff83ad3633886f7f358b8aa890d49e5f2e37a19fc2f267e1e9db46618", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-python-${PYTHON_IMAGE_TAG}-free-threaded-wheel-musllinux-test-unittests", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|d60a6baff83ad3633886f7f358b8aa890d49e5f2e37a19fc2f267e1e9db46618"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1247}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `python-wheel-musllinux-test-unittests` image is selected through a build variable"}, "properties": {"repobilityId": 131944, "scanner": "repobility-docker", "fingerprint": "c4250ab998d3f94e611b3213326a804db154fa6d75d13b950bef7d6d21f0bc22", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a 
variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-python-${PYTHON}-wheel-musllinux-test", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|c4250ab998d3f94e611b3213326a804db154fa6d75d13b950bef7d6d21f0bc22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1225}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `python-free-threaded-wheel-musllinux-test-imports` image is selected through a build variable"}, "properties": {"repobilityId": 131941, "scanner": "repobility-docker", "fingerprint": "ef8e28209e17bb56d33564e22cfd8b10fbcaf3985b771e94e19b7ee265549d58", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-python-${PYTHON_IMAGE_TAG}-free-threaded-wheel-musllinux-test-imports", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|ef8e28209e17bb56d33564e22cfd8b10fbcaf3985b771e94e19b7ee265549d58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1203}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `python-wheel-musllinux-test-imports` image is selected through a build variable"}, "properties": {"repobilityId": 131940, "scanner": "repobility-docker", "fingerprint": "daeb6b283018f973ae27c8b9b54f1710ce2872f3d3994a3d82e0deb6520e95d3", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": 
"false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "python:${PYTHON_IMAGE_TAG}-alpine${ALPINE_LINUX}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|daeb6b283018f973ae27c8b9b54f1710ce2872f3d3994a3d82e0deb6520e95d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1185}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `python-wheel-musllinux-1-2` image is selected through a build variable"}, "properties": {"repobilityId": 131937, "scanner": "repobility-docker", "fingerprint": "c683819f47672af0c7be1dc547425bb98253da6ce8868a4a14d572fbcbf1e32f", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-python-${PYTHON}-wheel-musllinux-1-2-vcpkg-${VCPKG}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|c683819f47672af0c7be1dc547425bb98253da6ce8868a4a14d572fbcbf1e32f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1162}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `python-wheel-manylinux-2-28` image is selected through a build variable"}, "properties": {"repobilityId": 131934, "scanner": "repobility-docker", "fingerprint": "bdf149a8fa2130e816560d5d501f25a9a49582e99889aec2bc31a9b1b38f50cb", "category": "docker", "severity": "info", 
"confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-python-${PYTHON}-wheel-manylinux-2-28-vcpkg-${VCPKG}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|bdf149a8fa2130e816560d5d501f25a9a49582e99889aec2bc31a9b1b38f50cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1137}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `ubuntu-python-sdist-test` image is selected through a build variable"}, "properties": {"repobilityId": 131931, "scanner": "repobility-docker", "fingerprint": "10971f3e5fe5af9634635e1b8f06989230cab5f108b0d77e21c0d7482268b6fa", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-ubuntu-${UBUNTU}-python-3", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|10971f3e5fe5af9634635e1b8f06989230cab5f108b0d77e21c0d7482268b6fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1103}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `python-sdist` image is selected through a build variable"}, "properties": {"repobilityId": 131928, "scanner": "repobility-docker", "fingerprint": "b14c5ca9b5d9849f5c73afbe16fc325a53757f5f7eb74ae0c6ff22a651419ec2", "category": "docker", 
"severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:python-sdist", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|b14c5ca9b5d9849f5c73afbe16fc325a53757f5f7eb74ae0c6ff22a651419ec2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1085}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `fedora-python` image is selected through a build variable"}, "properties": {"repobilityId": 131925, "scanner": "repobility-docker", "fingerprint": "4131710e317819cfd1ffdae93eb6df478479b1ae4d22d822b3abacfd41134c36", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-fedora-${FEDORA}-python-3", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|4131710e317819cfd1ffdae93eb6df478479b1ae4d22d822b3abacfd41134c36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1061}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `ubuntu-python` image is selected through a build variable"}, "properties": {"repobilityId": 131922, "scanner": "repobility-docker", "fingerprint": "34627bb803709a535c834b9ef2465c0cfa2fcb7fa0ef27e6d0d370ea9b8e2044", "category": "docker", "severity": "info", "confidence": 0.48, 
"triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-ubuntu-${UBUNTU}-python-3", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|34627bb803709a535c834b9ef2465c0cfa2fcb7fa0ef27e6d0d370ea9b8e2044"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1039}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `debian-python` image is selected through a build variable"}, "properties": {"repobilityId": 131919, "scanner": "repobility-docker", "fingerprint": "e5c2dcccfe66bb020f6b3d72a0b5e8769c2567109a3de02c7980b6373ab16a8a", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-debian-${DEBIAN}-python-3", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|e5c2dcccfe66bb020f6b3d72a0b5e8769c2567109a3de02c7980b6373ab16a8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1017}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `ubuntu-cuda-python` image is selected through a build variable"}, "properties": {"repobilityId": 131916, "scanner": "repobility-docker", "fingerprint": "25eb44098b84e42a8f4a5996d4357bba573748b7b9c5e7184e3fcc0dc706d490", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": 
"false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-ubuntu-${UBUNTU}-cuda-${CUDA}-python-3", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|25eb44098b84e42a8f4a5996d4357bba573748b7b9c5e7184e3fcc0dc706d490"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 965}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `conda-python-emscripten` image is selected through a build variable"}, "properties": {"repobilityId": 131913, "scanner": "repobility-docker", "fingerprint": "708826f8e0a1b77596a1f33ad91e13c544f1234f52dc2643ed8b28bb39d4e8b9", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-conda-python-emscripten", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|708826f8e0a1b77596a1f33ad91e13c544f1234f52dc2643ed8b28bb39d4e8b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 933}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `conda-python` image is selected through a build variable"}, "properties": {"repobilityId": 131910, "scanner": "repobility-docker", "fingerprint": "a97ce445091588504c81c93c9865161a4d465b785ff4fd4e5555658ad7ff0b01", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": 
"false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-conda-python-${PYTHON}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|a97ce445091588504c81c93c9865161a4d465b785ff4fd4e5555658ad7ff0b01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 903}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `ubuntu-ruby` image is selected through a build variable"}, "properties": {"repobilityId": 131907, "scanner": "repobility-docker", "fingerprint": "9f8bd33782a9bdfe1ed54e4c59d2fc0a73c173a8425c04f4f9c51006bcda5975", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-ubuntu-${UBUNTU}-ruby", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|9f8bd33782a9bdfe1ed54e4c59d2fc0a73c173a8425c04f4f9c51006bcda5975"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 877}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `debian-ruby` image is selected through a build variable"}, "properties": {"repobilityId": 131904, "scanner": "repobility-docker", "fingerprint": "ec7980399f17efbf60a72eff1f8b37c5818cfa61f9564870225ecda3aab33e14", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": 
"likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-debian-${DEBIAN}-ruby", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|ec7980399f17efbf60a72eff1f8b37c5818cfa61f9564870225ecda3aab33e14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 847}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `ubuntu-c-glib` image is selected through a build variable"}, "properties": {"repobilityId": 131901, "scanner": "repobility-docker", "fingerprint": "b8e04b33ad65c1cb4e20235e58dcced02938f1678af4c514c434cbaccccb645f", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-ubuntu-${UBUNTU}-c-glib", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|b8e04b33ad65c1cb4e20235e58dcced02938f1678af4c514c434cbaccccb645f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 818}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `debian-c-glib` image is selected through a build variable"}, "properties": {"repobilityId": 131898, "scanner": "repobility-docker", "fingerprint": "932477aeb77dde88a955d282f34f952b2c5d19ec9a171eaf92b055d72bad6a90", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, 
"reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-debian-${DEBIAN}-c-glib", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|932477aeb77dde88a955d282f34f952b2c5d19ec9a171eaf92b055d72bad6a90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 790}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `cpp-jni` image is selected through a build variable"}, "properties": {"repobilityId": 131895, "scanner": "repobility-docker", "fingerprint": "1544e9ed8dd06f268c9c65c81de9931d16e17194e6d7728d2922b9dc6782fbcf", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-cpp-jni-${VCPKG}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|1544e9ed8dd06f268c9c65c81de9931d16e17194e6d7728d2922b9dc6782fbcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 757}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `fedora-cpp` image is selected through a build variable"}, "properties": {"repobilityId": 131892, "scanner": "repobility-docker", "fingerprint": "5f32af07d8db28f8c57affa82e57dafe6f4b69c6f68dc1c9df0305a45cb80137", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; 
manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-fedora-${FEDORA}-cpp", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|5f32af07d8db28f8c57affa82e57dafe6f4b69c6f68dc1c9df0305a45cb80137"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 730}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `ubuntu-cpp-emscripten` image is selected through a build variable"}, "properties": {"repobilityId": 131889, "scanner": "repobility-docker", "fingerprint": "0b61aa5cf84d9c438f181281e49ddd464f28e22ef6e2ad402855601ca2ff86f1", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-ubuntu-${UBUNTU}-cpp", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|0b61aa5cf84d9c438f181281e49ddd464f28e22ef6e2ad402855601ca2ff86f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 704}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `ubuntu-cpp-thread-sanitizer` image is selected through a build variable"}, "properties": {"repobilityId": 131886, "scanner": "repobility-docker", "fingerprint": "0a8f6ef6dd8615394fad1cba4e281a467d87b79b0ad2a2223b5930164ce1875e", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review 
is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-ubuntu-${UBUNTU}-cpp", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|0a8f6ef6dd8615394fad1cba4e281a467d87b79b0ad2a2223b5930164ce1875e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 670}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `ubuntu-cpp-sanitizer` image is selected through a build variable"}, "properties": {"repobilityId": 131882, "scanner": "repobility-docker", "fingerprint": "78145ed6980aa8e20e94e73e0841ecd3095aabece9982818f7918d5e10aedc53", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-ubuntu-${UBUNTU}-cpp", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|78145ed6980aa8e20e94e73e0841ecd3095aabece9982818f7918d5e10aedc53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 621}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `ubuntu-cuda-cpp` image is selected through a build variable"}, "properties": {"repobilityId": 131879, "scanner": "repobility-docker", "fingerprint": "b23ace13df0e935039685ed1e2e853e583fea64c3f7a40ccc2db4fe93a5bece3", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false 
positives.", "evidence": {"image": "${REPO}:${ARCH}-ubuntu-${UBUNTU}-cuda-${CUDA}-cpp", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|b23ace13df0e935039685ed1e2e853e583fea64c3f7a40ccc2db4fe93a5bece3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 567}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `ubuntu-cpp-minimal` image is selected through a build variable"}, "properties": {"repobilityId": 131876, "scanner": "repobility-docker", "fingerprint": "61d4803fdb9c73dd3193711956f75891233d65ef706c01f5fd65861fe85d2c22", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-ubuntu-${UBUNTU}-cpp-minimal", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|61d4803fdb9c73dd3193711956f75891233d65ef706c01f5fd65861fe85d2c22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 524}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `ubuntu-cpp-odbc` image is selected through a build variable"}, "properties": {"repobilityId": 131872, "scanner": "repobility-docker", "fingerprint": "1764e4c919045f7a944ac239d2906f5df8674a3af038f2920da6e24fc2b3daa8", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false 
positives.", "evidence": {"image": "${REPO}:${ARCH}-ubuntu-${UBUNTU}-cpp", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|1764e4c919045f7a944ac239d2906f5df8674a3af038f2920da6e24fc2b3daa8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 497}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `ubuntu-cpp-bundled-offline` image is selected through a build variable"}, "properties": {"repobilityId": 131869, "scanner": "repobility-docker", "fingerprint": "626060f64ea5812191700151b34945e4bcf1ae4065e79a9185bff5a4099fbc2a", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-ubuntu-${UBUNTU}-cpp-minimal", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|626060f64ea5812191700151b34945e4bcf1ae4065e79a9185bff5a4099fbc2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 473}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `ubuntu-cpp-bundled` image is selected through a build variable"}, "properties": {"repobilityId": 131866, "scanner": "repobility-docker", "fingerprint": "eccd46fc3979a3eb3adee0c9f3a16eff690ffb9518c6e435881b0144a8615147", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false 
positives.", "evidence": {"image": "${REPO}:${ARCH}-ubuntu-${UBUNTU}-cpp-minimal", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|eccd46fc3979a3eb3adee0c9f3a16eff690ffb9518c6e435881b0144a8615147"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 451}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `ubuntu-cpp-static` image is selected through a build variable"}, "properties": {"repobilityId": 131862, "scanner": "repobility-docker", "fingerprint": "5e5779fb49b30966a10d0917184e787e81e10a415df81bb6306579ab7041519e", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-ubuntu-${UBUNTU}-cpp-static", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|5e5779fb49b30966a10d0917184e787e81e10a415df81bb6306579ab7041519e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 409}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `ubuntu-cpp` image is selected through a build variable"}, "properties": {"repobilityId": 131858, "scanner": "repobility-docker", "fingerprint": "73930a7e8114ec55214567a8adfd882e775136aecd4186fe64ab1017ecc719de", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", 
"evidence": {"image": "${REPO}:${ARCH}-ubuntu-${UBUNTU}-cpp", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|73930a7e8114ec55214567a8adfd882e775136aecd4186fe64ab1017ecc719de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `debian-cpp` image is selected through a build variable"}, "properties": {"repobilityId": 131855, "scanner": "repobility-docker", "fingerprint": "78cbc89551cf43f3785a6696422f5599dac952eef0db3177276ec6ce6cafa025", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-debian-${DEBIAN}-cpp", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|78cbc89551cf43f3785a6696422f5599dac952eef0db3177276ec6ce6cafa025"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 341}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `conda-cpp-valgrind` image is selected through a build variable"}, "properties": {"repobilityId": 131852, "scanner": "repobility-docker", "fingerprint": "54dc7ffea6f38e41aeb5fe921777153dad4bcf885f92cc5b6f4043615c1052fa", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": 
"${REPO}:${ARCH}-conda-cpp", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|54dc7ffea6f38e41aeb5fe921777153dad4bcf885f92cc5b6f4043615c1052fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 304}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `conda-cpp` image is selected through a build variable"}, "properties": {"repobilityId": 131849, "scanner": "repobility-docker", "fingerprint": "38615397e7f5957d1b9b037f3b15f8cfd0d53591a9e972e17af52b96efe14030", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-conda-cpp", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|38615397e7f5957d1b9b037f3b15f8cfd0d53591a9e972e17af52b96efe14030"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 267}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `conda` image is selected through a build variable"}, "properties": {"repobilityId": 131846, "scanner": "repobility-docker", "fingerprint": "66200890759a09b97e42b92c67a574d1e06e11fd65acc98cd6cf1f008486712d", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-conda", "rule_id": "DKR002", "scanner": 
"repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|66200890759a09b97e42b92c67a574d1e06e11fd65acc98cd6cf1f008486712d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 248}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `alpine-linux-cpp` image is selected through a build variable"}, "properties": {"repobilityId": 131843, "scanner": "repobility-docker", "fingerprint": "891086b4d62e08860c6caaa243ee09bf4d53a9a4a66df94c132f88ed089253c3", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REPO}:${ARCH}-alpine-linux-${ALPINE_LINUX}-cpp", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|891086b4d62e08860c6caaa243ee09bf4d53a9a4a66df94c132f88ed089253c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 218}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 131819, "scanner": "repobility-docker", "fingerprint": "ab317312cd1422e34d74acb13affac7af8c53bf8a50cce789623bb399b6c9050", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${FROM}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|ab317312cd1422e34d74acb13affac7af8c53bf8a50cce789623bb399b6c9050"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/yum/centos-9-stream/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 131817, "scanner": "repobility-docker", "fingerprint": "15146972ddad05c4281dab51b4fa22b7d200e31a6227b992984247c28968fbfc", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${FROM}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|15146972ddad05c4281dab51b4fa22b7d200e31a6227b992984247c28968fbfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/yum/amazon-linux-2023/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 131815, "scanner": "repobility-docker", "fingerprint": "935eb7937f143b11b64a64d8734522d3128e02fe6da2e1cf2b184e5ca9c50001", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${FROM}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|935eb7937f143b11b64a64d8734522d3128e02fe6da2e1cf2b184e5ca9c50001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/yum/almalinux-9/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 131813, "scanner": "repobility-docker", "fingerprint": "5a1c73e82556eb51718bd413c1a06c6b4e87530a22b3fdd46c4e221c0aede443", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${FROM}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|5a1c73e82556eb51718bd413c1a06c6b4e87530a22b3fdd46c4e221c0aede443"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/yum/almalinux-8/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 131811, "scanner": "repobility-docker", "fingerprint": "7d395fc93456b58bec40e2a05639a73ac2847ea00c51331b2b45b2c42c1e7c84", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${FROM}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|7d395fc93456b58bec40e2a05639a73ac2847ea00c51331b2b45b2c42c1e7c84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/yum/almalinux-10/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 131808, "scanner": "repobility-docker", "fingerprint": "4681e5bbe1fe791c3d394eea58cbb402379f1d839512cc442059d205aec38485", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${FROM}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|4681e5bbe1fe791c3d394eea58cbb402379f1d839512cc442059d205aec38485"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/apt/ubuntu-resolute/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 131805, "scanner": "repobility-docker", "fingerprint": "2160b4203c667054f7ea0d88ac681ea1fdfc16e5609eba58d1d78e8f4cae87e4", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${FROM}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|2160b4203c667054f7ea0d88ac681ea1fdfc16e5609eba58d1d78e8f4cae87e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/apt/ubuntu-noble/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 131802, "scanner": "repobility-docker", "fingerprint": "cdce0ef84eadf218d8b3747978b82a3bad28fc48e5f0dd1f7f7eb68d5e5fb846", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${FROM}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|cdce0ef84eadf218d8b3747978b82a3bad28fc48e5f0dd1f7f7eb68d5e5fb846"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/apt/ubuntu-jammy/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 131798, "scanner": "repobility-docker", "fingerprint": "f09ce8048109b1a1929146a68c58c4f42069bf1d7febeef9512fde7ea27e610d", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${FROM}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|f09ce8048109b1a1929146a68c58c4f42069bf1d7febeef9512fde7ea27e610d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/apt/debian-trixie/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 131794, "scanner": "repobility-docker", "fingerprint": "beb9fe5c08ef483f117f36147513579b1c615d36ae7d7856af071e5bb9e53c39", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${FROM}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|beb9fe5c08ef483f117f36147513579b1c615d36ae7d7856af071e5bb9e53c39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/apt/debian-forky/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 131790, "scanner": "repobility-docker", "fingerprint": "37574dc0b50737a210cd51e15e515c8a09e1527d8f8d35a90a17e73cdc5a85f1", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${FROM}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|37574dc0b50737a210cd51e15e515c8a09e1527d8f8d35a90a17e73cdc5a85f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow/apt/debian-bookworm/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED022", "level": "none", "message": {"text": "[MINED022] C Strcpy (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 131776, "scanner": "repobility-threat-engine", "fingerprint": "2bb54d96ab13a6373cda3c5978d52bb54cf401263ef239e84f53641b82a9d4c3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2bb54d96ab13a6373cda3c5978d52bb54cf401263ef239e84f53641b82a9d4c3", "aggregated_count": 8}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 131772, "scanner": "repobility-threat-engine", "fingerprint": "29579e2a4af6df15e54ac7b6768d3485c072e1347c93f2e5c5a972f11aa15fa2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|29579e2a4af6df15e54ac7b6768d3485c072e1347c93f2e5c5a972f11aa15fa2", "aggregated_count": 5}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 131771, "scanner": "repobility-threat-engine", "fingerprint": "96900ba2bd707a134439def0cb60b56b17a9d76eb1c26551ea465e1e62175132", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|96900ba2bd707a134439def0cb60b56b17a9d76eb1c26551ea465e1e62175132"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "r/R/dplyr-across.R"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 131770, "scanner": "repobility-threat-engine", "fingerprint": "dfda3428197b84903c574f7beab32f165017ebb58681b3d6f737c0a43c2e6f65", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dfda3428197b84903c574f7beab32f165017ebb58681b3d6f737c0a43c2e6f65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "r/R/dataset-scan.R"}, "region": {"startLine": 279}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 131769, "scanner": "repobility-threat-engine", "fingerprint": "d88c8cb0bf6c31ea881b8251d2f853e116b613d3108ec6a86542228baaee6a09", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d88c8cb0bf6c31ea881b8251d2f853e116b613d3108ec6a86542228baaee6a09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "r/R/arrow-object.R"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED046", "level": "none", "message": {"text": "[MINED046] Dart Print (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 131768, "scanner": "repobility-threat-engine", "fingerprint": "61c8139fe2cb34e30e1c3bd8a905b08f12f129c76a0686cd5dbd85e20b783563", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "dart-print", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["dart"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348008+00:00", "triaged_in_corpus": 10, "observations_count": 1515005, "ai_coder_pattern_id": 168}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|61c8139fe2cb34e30e1c3bd8a905b08f12f129c76a0686cd5dbd85e20b783563", "aggregated_count": 2}}}, {"ruleId": "MINED046", "level": "none", "message": {"text": "[MINED046] Dart Print: print() in Flutter goes to console. Use debugPrint / logger."}, "properties": {"repobilityId": 131767, "scanner": "repobility-threat-engine", "fingerprint": "10f157057dcd33b700221c3631e58803e9871e60c47b0fb855b8b9eb77938732", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "dart-print", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["dart"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348008+00:00", "triaged_in_corpus": 10, "observations_count": 1515005, "ai_coder_pattern_id": 168}, "scanner": "repobility-threat-engine", "correlation_key": "fp|10f157057dcd33b700221c3631e58803e9871e60c47b0fb855b8b9eb77938732"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "r/R/dplyr-glimpse.R"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED046", "level": "none", "message": {"text": "[MINED046] Dart Print: print() in Flutter goes to console. 
Use debugPrint / logger."}, "properties": {"repobilityId": 131766, "scanner": "repobility-threat-engine", "fingerprint": "abb11274113ad9f520c2689a0a06aa6d94851f52997efc7d82162522e6897a43", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "dart-print", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["dart"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348008+00:00", "triaged_in_corpus": 10, "observations_count": 1515005, "ai_coder_pattern_id": 168}, "scanner": "repobility-threat-engine", "correlation_key": "fp|abb11274113ad9f520c2689a0a06aa6d94851f52997efc7d82162522e6897a43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "r/R/dplyr-eval.R"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED046", "level": "none", "message": {"text": "[MINED046] Dart Print: print() in Flutter goes to console. 
Use debugPrint / logger."}, "properties": {"repobilityId": 131765, "scanner": "repobility-threat-engine", "fingerprint": "6bd28eab1939a19fa90bb4a91941a8a4e4a0a2c08eced5e1fa5146926efb2338", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "dart-print", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["dart"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348008+00:00", "triaged_in_corpus": 10, "observations_count": 1515005, "ai_coder_pattern_id": 168}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6bd28eab1939a19fa90bb4a91941a8a4e4a0a2c08eced5e1fa5146926efb2338"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "r/R/arrow-info.R"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 131751, "scanner": "repobility-threat-engine", "fingerprint": "490971beee5f562a857f969994b6f4d885c8146865ed5b73edaa762e459a2d09", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|490971beee5f562a857f969994b6f4d885c8146865ed5b73edaa762e459a2d09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/utils/source.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED072", 
"level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 131750, "scanner": "repobility-threat-engine", "fingerprint": "52a2f32f6d60c5c04ebc55016077c0764e08b6bb87e76ca6d0dc16efa1a90594", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|52a2f32f6d60c5c04ebc55016077c0764e08b6bb87e76ca6d0dc16efa1a90594"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/utils/lint.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 131749, "scanner": "repobility-threat-engine", "fingerprint": "25f822e731b3b11c0145fb057fe3b18b9cba119296b05c14d09e6a498f09ff95", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|25f822e731b3b11c0145fb057fe3b18b9cba119296b05c14d09e6a498f09ff95"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "dev/archery/archery/linking.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 131748, "scanner": "repobility-threat-engine", "fingerprint": "e9c338cd1ba34423e5a05dd46ff411c5cd9764f7d90b0c2000bbefe527935d69", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e9c338cd1ba34423e5a05dd46ff411c5cd9764f7d90b0c2000bbefe527935d69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/integration/util.py"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED001", "level": "none", "message": {"text": "[MINED001] Bare Except Pass (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 131746, "scanner": "repobility-threat-engine", "fingerprint": "7fa035b085c0bd9a31a5276c49da091420eed1825fee6f01486426827fccfced", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7fa035b085c0bd9a31a5276c49da091420eed1825fee6f01486426827fccfced", "aggregated_count": 5}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 131742, "scanner": "repobility-threat-engine", "fingerprint": "2c2ffd6d9f63f0d2d82567410dc041d9c9ac9785e9419e398835e2ac32d140c9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2c2ffd6d9f63f0d2d82567410dc041d9c9ac9785e9419e398835e2ac32d140c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/util.py"}, "region": {"startLine": 243}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 131741, "scanner": "repobility-threat-engine", "fingerprint": "27f7047d688aec2e156b9428c59374cc4882dd3cbe4d2e29f8b3f66bb3ae3854", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|27f7047d688aec2e156b9428c59374cc4882dd3cbe4d2e29f8b3f66bb3ae3854"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/examples/parquet_encryption/sample_vault_kms_client.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 131740, "scanner": "repobility-threat-engine", "fingerprint": "68867d4f442306b4b18535ce29f09ecb42366511d21955d809b8802a60010c07", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|68867d4f442306b4b18535ce29f09ecb42366511d21955d809b8802a60010c07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/ci/core.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED069", "level": "none", "message": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "properties": {"repobilityId": 131736, "scanner": "repobility-threat-engine", "fingerprint": "41f5e05ef93637a0b1e82273cc10f83e3e9db4606021082078dda9fc83cf7c3e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "debug-true-prod", "owasp": "A05:2021", "cwe_ids": ["CWE-489"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348063+00:00", "triaged_in_corpus": 12, "observations_count": 37393, "ai_coder_pattern_id": 17}, "scanner": "repobility-threat-engine", "correlation_key": "fp|41f5e05ef93637a0b1e82273cc10f83e3e9db4606021082078dda9fc83cf7c3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/tools/parquet/parquet_dump_footer.cc"}, "region": {"startLine": 120}}}]}, {"ruleId": 
"MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "properties": {"repobilityId": 131734, "scanner": "repobility-threat-engine", "fingerprint": "c9cae91cd733d435a9447dd8129f08031b61cb65a6612f50fe8694f62b973f93", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 22 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c9cae91cd733d435a9447dd8129f08031b61cb65a6612f50fe8694f62b973f93", "aggregated_count": 22}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 131733, "scanner": "repobility-threat-engine", "fingerprint": "0132b9217e5f20756c2bec7bc1a697ce26b4bcfd06f63cb628e14a19955081d0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|0132b9217e5f20756c2bec7bc1a697ce26b4bcfd06f63cb628e14a19955081d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/benchmark/jmh.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 131732, "scanner": "repobility-threat-engine", "fingerprint": "0375b015ee5ab76a98551619030d37558136ce496339b6ebc7d0e11c9be0138b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0375b015ee5ab76a98551619030d37558136ce496339b6ebc7d0e11c9be0138b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/tools/binary_symbol_explore.py"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 131731, "scanner": "repobility-threat-engine", "fingerprint": "1a5b5cdadf0c3481c7d033ec74e2125519ef55f15286742b9c7ed8b78275ea35", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], 
"precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1a5b5cdadf0c3481c7d033ec74e2125519ef55f15286742b9c7ed8b78275ea35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/util/bpacking_scalar_codegen.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 131729, "scanner": "repobility-threat-engine", "fingerprint": "7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670"}}}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 131725, "scanner": "repobility-threat-engine", "fingerprint": "2c8d5e6d667d5a81b82bf1323d5efb79f183afe9c44d68195ff87d1e68f0be31", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value looks like a development placeholder, not a live credential", "evidence": {"match": "PASSWORD = \"<redacted>\"", "reason": "Value looks like a development placeholder, not a live credential", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|6|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/flight/sql/odbc/odbc_impl/flight_sql_connection.h"}, "region": {"startLine": 64}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "properties": {"repobilityId": 131719, "scanner": "repobility-threat-engine", "fingerprint": "660240acab6413a56e42e6433a0668db843fb8293390ee3b12cfbd5da595c736", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 29 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "organize_tests", "breakdown": {"if": 6, "for": 2, "else": 1, "nested_bonus": 9}, "aggregated": true, "complexity": 18, "correlation_key": "fp|660240acab6413a56e42e6433a0668db843fb8293390ee3b12cfbd5da595c736", "aggregated_count": 29}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete (and 44 more): Same pattern found in 44 additional files. Review if needed."}, "properties": {"repobilityId": 131715, "scanner": "repobility-threat-engine", "fingerprint": "f494fcd6f6945bb6ab6a68f502511f4f782878cbe79f3b9bd80755bb253a2670", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 44 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f494fcd6f6945bb6ab6a68f502511f4f782878cbe79f3b9bd80755bb253a2670", "aggregated_count": 44}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 131714, "scanner": "repobility-threat-engine", "fingerprint": "265eed12646b96c3dfec4182de29d20f2f269301e0f92961b5ec6afe4033c6a0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": 
"cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|265eed12646b96c3dfec4182de29d20f2f269301e0f92961b5ec6afe4033c6a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/array/builder_binary.cc"}, "region": {"startLine": 207}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 131713, "scanner": "repobility-threat-engine", "fingerprint": "50f2daa99e8ecd5ddf8fdcecfa8b7a977569ad03702fb341da89565e1f3c528d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|50f2daa99e8ecd5ddf8fdcecfa8b7a977569ad03702fb341da89565e1f3c528d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/acero/order_by_impl.cc"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 131712, "scanner": "repobility-threat-engine", "fingerprint": "aea41be8d2036371f14a1e03bb5403f1002af43c09c065075bfc45d316aeaeaf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aea41be8d2036371f14a1e03bb5403f1002af43c09c065075bfc45d316aeaeaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/examples/arrow/flight_grpc_example.cc"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 131708, "scanner": "repobility-threat-engine", "fingerprint": "f366b396433f6a33564dda14f9ede1c44638de07ac793e0eb61c69e2e9e2e1ff", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f366b396433f6a33564dda14f9ede1c44638de07ac793e0eb61c69e2e9e2e1ff", "aggregated_count": 7}}}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 131707, "scanner": "repobility-threat-engine", "fingerprint": "46902331b954a35656a07b0c965fabb7f5408aaadd710ec9a5ccf735fa842b73", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|46902331b954a35656a07b0c965fabb7f5408aaadd710ec9a5ccf735fa842b73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/scripts/install_numba.sh"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 131706, "scanner": "repobility-threat-engine", "fingerprint": "810a25e7c4dc71dd307ee0d3550ea0e0c083b6635b224c672a36ce40abd6c61b", "category": "quality", "severity": "info", "confidence": 1.0, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|810a25e7c4dc71dd307ee0d3550ea0e0c083b6635b224c672a36ce40abd6c61b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/scripts/install_dask.sh"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 131705, "scanner": "repobility-threat-engine", "fingerprint": "bbd227f8a8b05c4c7d46517596740d0687bc5a71f5f6212e16dd38f0a2788ec0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bbd227f8a8b05c4c7d46517596740d0687bc5a71f5f6212e16dd38f0a2788ec0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/scripts/install_azurite.sh"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC013", "level": "none", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path (and 7 more): Same pattern found in 7 additional files. 
Review if needed."}, "properties": {"repobilityId": 131704, "scanner": "repobility-threat-engine", "fingerprint": "c6603497160e8db37ad692c1e87c0eb095e1fac269568c4ea1f768f242785397", "category": "path_traversal", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c6603497160e8db37ad692c1e87c0eb095e1fac269568c4ea1f768f242785397"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 169 more): Same pattern found in 169 additional files. Review if needed."}, "properties": {"repobilityId": 131700, "scanner": "repobility-threat-engine", "fingerprint": "9ab6eb42892fffacce9fdbaa0ad7bb6e95944b31cb0d74ff28acb94e82887b9b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 169 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9ab6eb42892fffacce9fdbaa0ad7bb6e95944b31cb0d74ff28acb94e82887b9b", "aggregated_count": 169}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 131699, "scanner": "repobility-threat-engine", "fingerprint": "7a4e5fdb16878c57aeb3ce83b7025e7612c204dee369b9388f3d609a132c656a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7a4e5fdb16878c57aeb3ce83b7025e7612c204dee369b9388f3d609a132c656a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "c_glib/example/lua/write-file.lua"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 131698, "scanner": "repobility-threat-engine", "fingerprint": "fe7bca7535a7373394f00181fb1d3515d29e9c50820b7f566a31a5bac1ce3b1a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fe7bca7535a7373394f00181fb1d3515d29e9c50820b7f566a31a5bac1ce3b1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "c_glib/example/lua/read-stream.lua"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 131697, "scanner": "repobility-threat-engine", "fingerprint": "af496a348757be2448781736f28bef60108fef8da3718adfe6e1f0961c9e7b9d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|af496a348757be2448781736f28bef60108fef8da3718adfe6e1f0961c9e7b9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "c_glib/example/lua/read-file.lua"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 131696, "scanner": "repobility-threat-engine", "fingerprint": "821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756"}}}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 131692, "scanner": "repobility-threat-engine", "fingerprint": "802362717bb8b9596309b60635fbb04d345013c3d2defa44f95ace1b246cb77c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|802362717bb8b9596309b60635fbb04d345013c3d2defa44f95ace1b246cb77c"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 131688, "scanner": "repobility-threat-engine", "fingerprint": "296e60307149eb08153b55e20aa4b536c98a045246ec52c30c3340debb5abb19", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|296e60307149eb08153b55e20aa4b536c98a045246ec52c30c3340debb5abb19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dev_pr/helpers.js"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 131687, "scanner": "repobility-threat-engine", "fingerprint": "606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 131683, "scanner": "repobility-threat-engine", "fingerprint": "c80ff157c0dd4f06d29a253eef2e040bc846fc539581945c90fe13c6ec14dd22", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c80ff157c0dd4f06d29a253eef2e040bc846fc539581945c90fe13c6ec14dd22"}}}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `conda-python-no-numpy` unpinned: `container/services image: conda-python-no-numpy` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 132263, "scanner": "repobility-supply-chain", "fingerprint": "eae04b464d11b032c0673acb3502ded000a0029e66d62f5ee2bd216a5fb12251", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eae04b464d11b032c0673acb3502ded000a0029e66d62f5ee2bd216a5fb12251"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/python.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ubuntu-cpp-sanitizer` unpinned: `container/services image: ubuntu-cpp-sanitizer` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 132262, "scanner": "repobility-supply-chain", "fingerprint": "deb986f9b92b6d01ad92bbc769a76ad0416d89f6860a052636c2be03041612e1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|deb986f9b92b6d01ad92bbc769a76ad0416d89f6860a052636c2be03041612e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp.yml"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132242, "scanner": "repobility-supply-chain", "fingerprint": "27de4e847b11621c790c30fa1fb659bb6332fba7f3b58b30e559b2abc374f276", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|27de4e847b11621c790c30fa1fb659bb6332fba7f3b58b30e559b2abc374f276"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp_extra.yml"}, "region": {"startLine": 291}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132241, "scanner": "repobility-supply-chain", "fingerprint": "282a7bd52861a11b0509c851285016a7d3e15d7f459ada8e70fe507a991300df", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|282a7bd52861a11b0509c851285016a7d3e15d7f459ada8e70fe507a991300df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp_extra.yml"}, "region": {"startLine": 245}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132240, "scanner": "repobility-supply-chain", "fingerprint": "2715fec6fcaea784481131df4b879c0ce995787ba546d41fe58039be18ff53c6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2715fec6fcaea784481131df4b879c0ce995787ba546d41fe58039be18ff53c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp_extra.yml"}, "region": {"startLine": 231}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132239, "scanner": "repobility-supply-chain", "fingerprint": "4d3ebcba4ccc75f6078fe1c485d93087400ee8a101fa72445f2b4fa67e08199c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4d3ebcba4ccc75f6078fe1c485d93087400ee8a101fa72445f2b4fa67e08199c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp_extra.yml"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132238, "scanner": "repobility-supply-chain", "fingerprint": "6686affc441a8bc92f5c1e6ae00772487e790214ce3d9e3caf8d39fecbdd8bb1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6686affc441a8bc92f5c1e6ae00772487e790214ce3d9e3caf8d39fecbdd8bb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp_extra.yml"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `ruby/setup-ruby` pinned to mutable ref `@v1`: `uses: ruby/setup-ruby@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132237, "scanner": "repobility-supply-chain", "fingerprint": "1b7e9d9537dc45e357b665b1201aef36c5d34144405dc229c40fea0a57197074", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1b7e9d9537dc45e357b665b1201aef36c5d34144405dc229c40fea0a57197074"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dev.yml"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132236, "scanner": "repobility-supply-chain", "fingerprint": "a081b23092e74a1afae213608eb5ae8e4f6da57b00e448c0f2f97a2c86c20179", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a081b23092e74a1afae213608eb5ae8e4f6da57b00e448c0f2f97a2c86c20179"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dev.yml"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132235, "scanner": "repobility-supply-chain", "fingerprint": "564d4785acb037f474cfa7afe2707b7e6bd6e8f928569bf27522d7142a9ddff1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|564d4785acb037f474cfa7afe2707b7e6bd6e8f928569bf27522d7142a9ddff1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dev.yml"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132234, "scanner": "repobility-supply-chain", "fingerprint": "52d7e8ecffc53bb01887db312625306fc66e211ff9b9f0c41e1f0c34107f473d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|52d7e8ecffc53bb01887db312625306fc66e211ff9b9f0c41e1f0c34107f473d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dev.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132233, "scanner": "repobility-supply-chain", "fingerprint": "56595343c953d9bb7a5d77928e57293197a7ebc0325a5379d2948f4a552e3f3f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|56595343c953d9bb7a5d77928e57293197a7ebc0325a5379d2948f4a552e3f3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dev.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132232, "scanner": "repobility-supply-chain", "fingerprint": "e656c938fbe730287736cbb7e6e05b82f761ce75d2d2919a2147c96c6379046e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e656c938fbe730287736cbb7e6e05b82f761ce75d2d2919a2147c96c6379046e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr_review_trigger.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132231, "scanner": "repobility-supply-chain", "fingerprint": "5479be68ac2c3d5ee3bbdcd8dc111521a6052e954a8ec5f5eb3f72660e2d31a2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5479be68ac2c3d5ee3bbdcd8dc111521a6052e954a8ec5f5eb3f72660e2d31a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify_rc.yml"}, "region": {"startLine": 266}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132230, "scanner": "repobility-supply-chain", "fingerprint": "b0211bd4d336a996a6c6fe919319a791d2976539ad3a8608b7510357a40aa028", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b0211bd4d336a996a6c6fe919319a791d2976539ad3a8608b7510357a40aa028"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify_rc.yml"}, "region": {"startLine": 231}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132229, "scanner": "repobility-supply-chain", "fingerprint": "1f652a16928f7ee0189da66a6dab7ae264f4c0f306c41a1faf146fba6dcfd41a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1f652a16928f7ee0189da66a6dab7ae264f4c0f306c41a1faf146fba6dcfd41a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify_rc.yml"}, "region": {"startLine": 211}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132228, "scanner": "repobility-supply-chain", "fingerprint": "82f7c248124dbb3c622cc1fcda2841b3347666be9ebe61184783876bc8118ea6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|82f7c248124dbb3c622cc1fcda2841b3347666be9ebe61184783876bc8118ea6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify_rc.yml"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132227, "scanner": "repobility-supply-chain", "fingerprint": "377211668d59115c4968ca4a6d49ff7f5b79d6b029006956e2fd351a40f3ddd6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|377211668d59115c4968ca4a6d49ff7f5b79d6b029006956e2fd351a40f3ddd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify_rc.yml"}, "region": {"startLine": 163}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132226, "scanner": "repobility-supply-chain", "fingerprint": "4634c2a2cefbc778e56d7893be7b559c027dd45a30a5ebdcad524fd0744b94fb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4634c2a2cefbc778e56d7893be7b559c027dd45a30a5ebdcad524fd0744b94fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify_rc.yml"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132225, "scanner": "repobility-supply-chain", "fingerprint": "4841d17ba10f1f8ae2910131e04775759d15bd8542afb0cfe79ec822c2020893", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4841d17ba10f1f8ae2910131e04775759d15bd8542afb0cfe79ec822c2020893"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify_rc.yml"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132224, "scanner": "repobility-supply-chain", "fingerprint": "203a05fcb1ee06d02f747b83686368196050a99bf341236cc303292220cd6113", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|203a05fcb1ee06d02f747b83686368196050a99bf341236cc303292220cd6113"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr_bot.yml"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132223, "scanner": "repobility-supply-chain", "fingerprint": "1e32affee52d77af02cb7eb96dce0c0535b3d0ba8096cc486f8bb336472094ce", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e32affee52d77af02cb7eb96dce0c0535b3d0ba8096cc486f8bb336472094ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr_bot.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132222, "scanner": "repobility-supply-chain", "fingerprint": "272843d6beb2cff02891337a605cb15e6f575fca72940511c2808799c49756b2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|272843d6beb2cff02891337a605cb15e6f575fca72940511c2808799c49756b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr_bot.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132215, "scanner": "repobility-supply-chain", "fingerprint": "f55ac67d432a50629df4c9ce58406338e613251c962ebd62933f8fb469eea8b9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f55ac67d432a50629df4c9ce58406338e613251c962ebd62933f8fb469eea8b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/r_extra.yml"}, "region": {"startLine": 205}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132214, "scanner": "repobility-supply-chain", "fingerprint": "bf040c23ee729a497758e3574824e108f0ab841d0b0397a8c940ffd921019b04", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf040c23ee729a497758e3574824e108f0ab841d0b0397a8c940ffd921019b04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/r_extra.yml"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132213, "scanner": "repobility-supply-chain", "fingerprint": "8cfa66d289819c9af2344d0853a980b21d146734689828f84f6a021aeda40273", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8cfa66d289819c9af2344d0853a980b21d146734689828f84f6a021aeda40273"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/r_extra.yml"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 132212, "scanner": "repobility-supply-chain", "fingerprint": "739e1fa97a6d73381dee6edfe103580b174e662b1aa0b15ffd519dba403caa76", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|739e1fa97a6d73381dee6edfe103580b174e662b1aa0b15ffd519dba403caa76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/r_extra.yml"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/windows/servercore:ltsc2022` not pinned by digest: `FROM mcr.microsoft.com/windows/servercore:ltsc2022` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132211, "scanner": "repobility-supply-chain", "fingerprint": "9f98fdb3b3e8c432ee2b82140cb3c00d1562602ea54d7d26baccc10770cc0e83", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9f98fdb3b3e8c432ee2b82140cb3c00d1562602ea54d7d26baccc10770cc0e83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/docker/python-wheel-windows-vs2022-base.dockerfile"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `amd64/ubuntu:24.04` not pinned by digest: `FROM amd64/ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132210, "scanner": "repobility-supply-chain", "fingerprint": "b474f834581f7badb82cc3a842498579c33c5062740f969215f5de8bf570de47", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b474f834581f7badb82cc3a842498579c33c5062740f969215f5de8bf570de47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/docker/python-sdist.dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/windows/servercore:ltsc2022` not pinned by digest: `FROM mcr.microsoft.com/windows/servercore:ltsc2022` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132209, "scanner": "repobility-supply-chain", "fingerprint": "35521539a37d577405dd753ff07cc6160cc0e8a217d620e1c54be144c83ac42f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|35521539a37d577405dd753ff07cc6160cc0e8a217d620e1c54be144c83ac42f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/docker/python-wheel-windows-test-vs2022-base.dockerfile"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132208, "scanner": "repobility-supply-chain", "fingerprint": "8a3c78496ade9ff0dc358218b6018b0991804ada42253b49944a2665ec15c6e1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8a3c78496ade9ff0dc358218b6018b0991804ada42253b49944a2665ec15c6e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/examples/tutorial_examples/tutorial.dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132207, "scanner": "repobility-supply-chain", "fingerprint": "f6c616002c4d75b787046d607a96cfecb03487e39aac8119e7ca67fcb45adbc0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f6c616002c4d75b787046d607a96cfecb03487e39aac8119e7ca67fcb45adbc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/examples/minimal_build/system_dependency.dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132206, "scanner": "repobility-supply-chain", "fingerprint": "6c192c18028989397d51188a9d8aea21ef51ede424e42b15d07cd888ac8adcfa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6c192c18028989397d51188a9d8aea21ef51ede424e42b15d07cd888ac8adcfa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/examples/minimal_build/minimal.dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132205, "scanner": "repobility-supply-chain", "fingerprint": "e14e30eeeca9ca3bd8f18945757844564742d00ada0c6848982192c70351b0fe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e14e30eeeca9ca3bd8f18945757844564742d00ada0c6848982192c70351b0fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/examples/minimal_build/Dockerfile.ubuntu"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `fedora:42` not pinned by digest: `FROM fedora:42` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132204, "scanner": "repobility-supply-chain", "fingerprint": "cff19d61fae9a1a20c5afef8aa341cedd1929ed632b19e82995a60033d74457f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cff19d61fae9a1a20c5afef8aa341cedd1929ed632b19e82995a60033d74457f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/examples/minimal_build/Dockerfile.fedora"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:bookworm` not pinned by digest: `FROM debian:bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132203, "scanner": "repobility-supply-chain", "fingerprint": "9026211c13f2b6b47c754b79575c46fbf537668c8d16ba2a7afa2db600636af8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9026211c13f2b6b47c754b79575c46fbf537668c8d16ba2a7afa2db600636af8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/release/binary/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:trixie` not pinned by digest: `FROM debian:trixie` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132202, "scanner": "repobility-supply-chain", "fingerprint": "1ff6fbae0990612236fed84cb2066c6b564bba70c566d250dbd931230d0ad283", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ff6fbae0990612236fed84cb2066c6b564bba70c566d250dbd931230d0ad283"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-trixie/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:noble` not pinned by digest: `FROM ubuntu:noble` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132201, "scanner": "repobility-supply-chain", "fingerprint": "65da1714f8eebbf3d9e856e61090873c5d79004f9ef24ca48f7e459ffa6a5ebd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|65da1714f8eebbf3d9e856e61090873c5d79004f9ef24ca48f7e459ffa6a5ebd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-apt-source/apt/ubuntu-noble/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:jammy` not pinned by digest: `FROM ubuntu:jammy` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132200, "scanner": "repobility-supply-chain", "fingerprint": "0a53fd5cc14a683433f620aa6129d319f481fae35422b4dbaec9ee2c6500c5a0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a53fd5cc14a683433f620aa6129d319f481fae35422b4dbaec9ee2c6500c5a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-apt-source/apt/ubuntu-jammy/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:resolute` not pinned by digest: `FROM ubuntu:resolute` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132199, "scanner": "repobility-supply-chain", "fingerprint": "bb664798df392864db75296f966a7eb1b4c2435bd13ef83706b35d1b12b95280", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bb664798df392864db75296f966a7eb1b4c2435bd13ef83706b35d1b12b95280"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-apt-source/apt/ubuntu-resolute/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:bookworm` not pinned by digest: `FROM debian:bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132198, "scanner": "repobility-supply-chain", "fingerprint": "cc7c2fa94b08f7e460a3d28413d76b2d8879a3bfdc6defad1784ddd852e42992", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cc7c2fa94b08f7e460a3d28413d76b2d8879a3bfdc6defad1784ddd852e42992"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-bookworm/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:forky` not pinned by digest: `FROM debian:forky` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132197, "scanner": "repobility-supply-chain", "fingerprint": "a90a60ca1dec125b7fb1892a1179bdf1ff295f6a2ac98b0b0409d11df2e0072b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a90a60ca1dec125b7fb1892a1179bdf1ff295f6a2ac98b0b0409d11df2e0072b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-apt-source/apt/debian-forky/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `almalinux:8` not pinned by digest: `FROM almalinux:8` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132196, "scanner": "repobility-supply-chain", "fingerprint": "257ea997d4a82572b324dea9004f960c847ffc1a9befbab985277d530c492e7c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|257ea997d4a82572b324dea9004f960c847ffc1a9befbab985277d530c492e7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-release/yum/almalinux-8/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `almalinux:9` not pinned by digest: `FROM almalinux:9` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132195, "scanner": "repobility-supply-chain", "fingerprint": "181e227fd7768d60d9ada8228031e59e2c2d6ea613179ef8a03760b9d2871c02", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|181e227fd7768d60d9ada8228031e59e2c2d6ea613179ef8a03760b9d2871c02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-release/yum/almalinux-9/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `amazonlinux:2023` not pinned by digest: `FROM amazonlinux:2023` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132194, "scanner": "repobility-supply-chain", "fingerprint": "3dbe56ea1500bb42543f140c66a9fae785e459a8a6fbb736a6c75d6c6c971d9d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3dbe56ea1500bb42543f140c66a9fae785e459a8a6fbb736a6c75d6c6c971d9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-release/yum/amazon-linux-2023/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `quay.io/centos/centos:stream9` not pinned by digest: `FROM quay.io/centos/centos:stream9` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132193, "scanner": "repobility-supply-chain", "fingerprint": "792391d0e12d3b1abf4baa2e09c62aab279b5326176da435f6395a504ab6b915", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|792391d0e12d3b1abf4baa2e09c62aab279b5326176da435f6395a504ab6b915"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-release/yum/centos-9-stream/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `almalinux:10` not pinned by digest: `FROM almalinux:10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 132192, "scanner": "repobility-supply-chain", "fingerprint": "59bdf1f735adedf870aec13a8d875e017e5e079b6574b721acf283fc5ba07b99", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|59bdf1f735adedf870aec13a8d875e017e5e079b6574b721acf283fc5ba07b99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/tasks/linux-packages/apache-arrow-release/yum/almalinux-10/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/trim21/pre-commit-mirror-meson` pinned to mutable rev `v1.9.0`: `.pre-commit-config.yaml` references `https://github.com/trim21/pre-commit-mirror-meson` at `rev: v1.9.0`. 
If `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine. Pin `rev` to a full commit SHA instead; `pre-commit autoupdate --freeze` writes one."}, "properties": {"repobilityId": 132166, "scanner": "repobility-supply-chain", "fingerprint": "4afd184b50530db1a456029bcf9f8ebb76597ac94b8158c058075ea2a682d2bc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4afd184b50530db1a456029bcf9f8ebb76597ac94b8158c058075ea2a682d2bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 388}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/koalaman/shellcheck-precommit` pinned to mutable rev `v0.10.0`: `.pre-commit-config.yaml` references `https://github.com/koalaman/shellcheck-precommit` at `rev: v0.10.0`. 
If `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine. Pin `rev` to a full commit SHA instead; `pre-commit autoupdate --freeze` writes one."}, "properties": {"repobilityId": 132165, "scanner": "repobility-supply-chain", "fingerprint": "80cb94e8c4c71dde612e03e01343c065048ffa5822cea014db827359600e1a3a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|80cb94e8c4c71dde612e03e01343c065048ffa5822cea014db827359600e1a3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 286}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/sphinx-contrib/sphinx-lint` pinned to mutable rev `v0.9.1`: `.pre-commit-config.yaml` references `https://github.com/sphinx-contrib/sphinx-lint` at `rev: v0.9.1`. 
If `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine. Pin `rev` to a full commit SHA instead; `pre-commit autoupdate --freeze` writes one."}, "properties": {"repobilityId": 132164, "scanner": "repobility-supply-chain", "fingerprint": "50fe04aa269f3778ac7996b7faf4b5b8e4c8b67cc3a412a34d45de07e9f27482", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|50fe04aa269f3778ac7996b7faf4b5b8e4c8b67cc3a412a34d45de07e9f27482"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 273}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/cheshirekow/cmake-format-precommit` pinned to mutable rev `v0.6.13`: `.pre-commit-config.yaml` references `https://github.com/cheshirekow/cmake-format-precommit` at `rev: v0.6.13`. 
If `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine. Pin `rev` to a full commit SHA instead; `pre-commit autoupdate --freeze` writes one."}, "properties": {"repobilityId": 132163, "scanner": "repobility-supply-chain", "fingerprint": "ad960acb2b9ed1cbb6673e717e683cb1f0e8d1a22e94563a8ea44cfe4c5dd71b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad960acb2b9ed1cbb6673e717e683cb1f0e8d1a22e94563a8ea44cfe4c5dd71b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 253}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/rubocop/rubocop` pinned to mutable rev `v1.71.0`: `.pre-commit-config.yaml` references `https://github.com/rubocop/rubocop` at `rev: v1.71.0`. 
If `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine. Pin `rev` to a full commit SHA instead; `pre-commit autoupdate --freeze` writes one."}, "properties": {"repobilityId": 132162, "scanner": "repobility-supply-chain", "fingerprint": "ad46e99cc0d81416c2761689dcfd5b697aa4af91f4985e0eca8897eaeac49d97", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad46e99cc0d81416c2761689dcfd5b697aa4af91f4985e0eca8897eaeac49d97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 240}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/cpplint/cpplint` pinned to mutable rev `1.6.1`: `.pre-commit-config.yaml` references `https://github.com/cpplint/cpplint` at `rev: 1.6.1`. 
If `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine. Pin `rev` to a full commit SHA instead; `pre-commit autoupdate --freeze` writes one."}, "properties": {"repobilityId": 132161, "scanner": "repobility-supply-chain", "fingerprint": "8068a1f2863d671c045773ef8647f4d6cf9546fc40ed06f299a5e8bc3eeac0b6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8068a1f2863d671c045773ef8647f4d6cf9546fc40ed06f299a5e8bc3eeac0b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/pre-commit/mirrors-clang-format` pinned to mutable rev `v18.1.8`: `.pre-commit-config.yaml` references `https://github.com/pre-commit/mirrors-clang-format` at `rev: v18.1.8`. 
If `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine. Pin `rev` to a full commit SHA instead; `pre-commit autoupdate --freeze` writes one."}, "properties": {"repobilityId": 132160, "scanner": "repobility-supply-chain", "fingerprint": "3d55ddd8819613236cceb458ca9de5cf2d097371562e6dde92db4d87c0324a53", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3d55ddd8819613236cceb458ca9de5cf2d097371562e6dde92db4d87c0324a53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 212}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/posit-dev/air-pre-commit` pinned to mutable rev `0.8.2`: `.pre-commit-config.yaml` references `https://github.com/posit-dev/air-pre-commit` at `rev: 0.8.2`. 
If the configured `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 132159, "scanner": "repobility-supply-chain", "fingerprint": "c06d8f1caffc7609f754755ab90ad64c54bc2d589204dbe8f104d23b37faf8ac", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c06d8f1caffc7609f754755ab90ad64c54bc2d589204dbe8f104d23b37faf8ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/numpy/numpydoc` pinned to mutable rev `v1.8.0`: `.pre-commit-config.yaml` references `https://github.com/numpy/numpydoc` at `rev: v1.8.0`. 
If the configured `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 132158, "scanner": "repobility-supply-chain", "fingerprint": "05c1476c52c59d70257b58ad0c901e9fedcffd3ae5e7682f5c94b388f5fcd02e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|05c1476c52c59d70257b58ad0c901e9fedcffd3ae5e7682f5c94b388f5fcd02e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/pre-commit/mirrors-clang-format` pinned to mutable rev `v18.1.8`: `.pre-commit-config.yaml` references `https://github.com/pre-commit/mirrors-clang-format` at `rev: v18.1.8`. 
If the configured `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 132157, "scanner": "repobility-supply-chain", "fingerprint": "4fb3ea85ea612050cbdbb266c2c3d3f551013ab1b8bf5bb6f133f2e29f8468e7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4fb3ea85ea612050cbdbb266c2c3d3f551013ab1b8bf5bb6f133f2e29f8468e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/MarcoGorelli/cython-lint` pinned to mutable rev `v0.16.2`: `.pre-commit-config.yaml` references `https://github.com/MarcoGorelli/cython-lint` at `rev: v0.16.2`. 
If the configured `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 132156, "scanner": "repobility-supply-chain", "fingerprint": "af8a6883e163e71e5ef4d01952931a1d4eb7168b3f00463fc2f80c2340796330", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|af8a6883e163e71e5ef4d01952931a1d4eb7168b3f00463fc2f80c2340796330"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/pycqa/flake8` pinned to mutable rev `6.1.0`: `.pre-commit-config.yaml` references `https://github.com/pycqa/flake8` at `rev: 6.1.0`. 
If the configured `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 132155, "scanner": "repobility-supply-chain", "fingerprint": "28dd4f48f31ac748dfddfa0cbc3b78c46689aaabe2c0b99a184e0aa3a011cee7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|28dd4f48f31ac748dfddfa0cbc3b78c46689aaabe2c0b99a184e0aa3a011cee7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/hhatto/autopep8` pinned to mutable rev `v2.3.2`: `.pre-commit-config.yaml` references `https://github.com/hhatto/autopep8` at `rev: v2.3.2`. 
If the configured `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 132154, "scanner": "repobility-supply-chain", "fingerprint": "6a430df8605b3965d1b606fa6498c80b2e9f981865361d8403c595947d3cf75b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6a430df8605b3965d1b606fa6498c80b2e9f981865361d8403c595947d3cf75b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/pre-commit/mirrors-clang-format` pinned to mutable rev `v18.1.8`: `.pre-commit-config.yaml` references `https://github.com/pre-commit/mirrors-clang-format` at `rev: v18.1.8`. 
If the configured `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 132153, "scanner": "repobility-supply-chain", "fingerprint": "c7409a7719cf2f9bef89dcabea0fc56eda63d323c88127097d1177c7474304ea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c7409a7719cf2f9bef89dcabea0fc56eda63d323c88127097d1177c7474304ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/pre-commit/mirrors-clang-format` pinned to mutable rev `v18.1.8`: `.pre-commit-config.yaml` references `https://github.com/pre-commit/mirrors-clang-format` at `rev: v18.1.8`. 
If the configured `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 132152, "scanner": "repobility-supply-chain", "fingerprint": "4e2878ffe7f01742090f652fea16e8fd96dd721302630ef34a76ce38a7367e29", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e2878ffe7f01742090f652fea16e8fd96dd721302630ef34a76ce38a7367e29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/cpplint/cpplint` pinned to mutable rev `1.6.1`: `.pre-commit-config.yaml` references `https://github.com/cpplint/cpplint` at `rev: 1.6.1`. 
If the configured `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 132151, "scanner": "repobility-supply-chain", "fingerprint": "c4f1e01321fe590ae9f0f790ae773eefb32919f48fc8a3bdf37e534ac5bdd0c0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c4f1e01321fe590ae9f0f790ae773eefb32919f48fc8a3bdf37e534ac5bdd0c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/pre-commit/mirrors-clang-format` pinned to mutable rev `v18.1.8`: `.pre-commit-config.yaml` references `https://github.com/pre-commit/mirrors-clang-format` at `rev: v18.1.8`. 
If the configured `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 132150, "scanner": "repobility-supply-chain", "fingerprint": "e1dc64534c997df48579fc67765e1f8d33af4b1d664b2937d6bfbeab611e909f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e1dc64534c997df48579fc67765e1f8d33af4b1d664b2937d6bfbeab611e909f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/hadolint/hadolint` pinned to mutable rev `v2.12.0`: `.pre-commit-config.yaml` references `https://github.com/hadolint/hadolint` at `rev: v2.12.0`. 
If the configured `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 132149, "scanner": "repobility-supply-chain", "fingerprint": "0ef8f926a6834c6298355becb5e5316897b8fa85a4ddeed1ccdf51caf3d7f07d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0ef8f926a6834c6298355becb5e5316897b8fa85a4ddeed1ccdf51caf3d7f07d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_dataset_factory_inspect_bad_params: Test function `test_dataset_factory_inspect_bad_params` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132122, "scanner": "repobility-ast-engine", "fingerprint": "8a51b6ad0a3ecde15497285f5ad6d573b8137079f8c119c87d59bea6026758f9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8a51b6ad0a3ecde15497285f5ad6d573b8137079f8c119c87d59bea6026758f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/tests/test_dataset.py"}, "region": {"startLine": 541}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_filesystem_dataset_no_filesystem_interaction: Test function `test_filesystem_dataset_no_filesystem_interaction` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132121, "scanner": "repobility-ast-engine", "fingerprint": "823713e3d3bc5f895388139c86b8ed7a2d72a1c92b5c222851539cd3e01a5084", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|823713e3d3bc5f895388139c86b8ed7a2d72a1c92b5c222851539cd3e01a5084"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/tests/test_dataset.py"}, "region": {"startLine": 408}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_ARROW_8801: Test function `test_ARROW_8801` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132118, "scanner": "repobility-ast-engine", "fingerprint": "1ea91be0cc1ec2dbb9e0526d1cfc4381bca44316500cea93c94aa3b518dfe0fd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1ea91be0cc1ec2dbb9e0526d1cfc4381bca44316500cea93c94aa3b518dfe0fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/scripts/test_leak.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_leak3: Test function `test_leak3` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132117, "scanner": "repobility-ast-engine", "fingerprint": "69c6a7dc24b6c59bb61cc40a6b0ba491eb3108ebfa6c542c4574116f5560f36c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|69c6a7dc24b6c59bb61cc40a6b0ba491eb3108ebfa6c542c4574116f5560f36c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/scripts/test_leak.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_leak2: Test function `test_leak2` runs code but contains no assert / expect / should call \u2014 it passes regardless of 
behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132116, "scanner": "repobility-ast-engine", "fingerprint": "5e2ff2ab209a0bcd6ee9da09f24f483e9c42e10a1b2c9138eaab562ae79f4b70", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5e2ff2ab209a0bcd6ee9da09f24f483e9c42e10a1b2c9138eaab562ae79f4b70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/scripts/test_leak.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_leak1: Test function `test_leak1` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132115, "scanner": "repobility-ast-engine", "fingerprint": "4e50398cdb2e281a35b54d0dfa0ea3314314a6919b8595892aaa477bfd926048", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4e50398cdb2e281a35b54d0dfa0ea3314314a6919b8595892aaa477bfd926048"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/scripts/test_leak.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_latest_for_prefix: Test function `test_latest_for_prefix` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132113, "scanner": "repobility-ast-engine", "fingerprint": "e94796f970aa53355200dc5951eb322ee3b6a068f800ddb209bf960f159bd563", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e94796f970aa53355200dc5951eb322ee3b6a068f800ddb209bf960f159bd563"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/crossbow/tests/test_core.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_config: Test function `test_config` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132112, "scanner": "repobility-ast-engine", "fingerprint": "8c483f4acb571e6b1a522baf50d90c80befe912cc911d0467be2f43beef75435", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8c483f4acb571e6b1a522baf50d90c80befe912cc911d0467be2f43beef75435"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/crossbow/tests/test_core.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_image_with_gpu: Test function `test_image_with_gpu` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132111, "scanner": "repobility-ast-engine", "fingerprint": "2c950553f6a994302aec0f0b91038d21c09580751e9a94e75a63cd80509eaaa3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2c950553f6a994302aec0f0b91038d21c09580751e9a94e75a63cd80509eaaa3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/docker/tests/test_docker.py"}, "region": {"startLine": 546}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_compose_push_custom_server: Test function `test_compose_push_custom_server` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132110, "scanner": "repobility-ast-engine", "fingerprint": "79dcffb16b91be4ab86309930596938dd24942de561fa816fcfde5b6dd4f7942", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|79dcffb16b91be4ab86309930596938dd24942de561fa816fcfde5b6dd4f7942"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/docker/tests/test_docker.py"}, "region": {"startLine": 512}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_compose_push: Test function `test_compose_push` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132109, "scanner": "repobility-ast-engine", "fingerprint": "3787fe1e46383422942e47065ebbbfd632744321e17bbc196df1ba084dc9b953", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3787fe1e46383422942e47065ebbbfd632744321e17bbc196df1ba084dc9b953"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/docker/tests/test_docker.py"}, "region": {"startLine": 496}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_compose_run_with_resource_limits: Test function `test_compose_run_with_resource_limits` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132108, "scanner": "repobility-ast-engine", "fingerprint": "106d0e2a944651dfa2eee907726a8a9d30117d0b651b3f4564d7774f3bcfe149", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|106d0e2a944651dfa2eee907726a8a9d30117d0b651b3f4564d7774f3bcfe149"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/docker/tests/test_docker.py"}, "region": {"startLine": 482}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_compose_run: Test function `test_compose_run` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132107, "scanner": "repobility-ast-engine", "fingerprint": "4b10f6b935eb9335fb4c4ac37f3836da9d6990caa0eba91bbeb0b45daab66817", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4b10f6b935eb9335fb4c4ac37f3836da9d6990caa0eba91bbeb0b45daab66817"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/docker/tests/test_docker.py"}, "region": {"startLine": 426}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_compose_build_params: Test function `test_compose_build_params` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132106, "scanner": "repobility-ast-engine", "fingerprint": "d8767a8fd21b0f2a6b7d6ee4f5356ba9cecbe182ba1af07f60c30001da71f2d9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d8767a8fd21b0f2a6b7d6ee4f5356ba9cecbe182ba1af07f60c30001da71f2d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/docker/tests/test_docker.py"}, "region": {"startLine": 400}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_compose_buildkit_inline_cache: Test function `test_compose_buildkit_inline_cache` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132105, "scanner": "repobility-ast-engine", "fingerprint": "f0188dfe46cc5a7865e17be25888434121fab824c167016fe6b35281e9b370ae", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f0188dfe46cc5a7865e17be25888434121fab824c167016fe6b35281e9b370ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/docker/tests/test_docker.py"}, "region": {"startLine": 390}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_compose_build: Test function `test_compose_build` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132104, "scanner": "repobility-ast-engine", "fingerprint": "58bbe47cfff0934163e6577669f9a635ca27746f693f90b8ba5c10bf62afce85", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|58bbe47cfff0934163e6577669f9a635ca27746f693f90b8ba5c10bf62afce85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/docker/tests/test_docker.py"}, "region": {"startLine": 348}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_compose_pull_params: Test function `test_compose_pull_params` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132103, "scanner": "repobility-ast-engine", "fingerprint": "dde5a0fb6d96224f48bf36a905714f95e744891a732ea0cd8bed9f6d08f9861a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dde5a0fb6d96224f48bf36a905714f95e744891a732ea0cd8bed9f6d08f9861a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/docker/tests/test_docker.py"}, "region": {"startLine": 336}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_compose_pull: Test function `test_compose_pull` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132102, "scanner": "repobility-ast-engine", "fingerprint": "f7b87cd02216dc38e4b4033e1922cc6559203c5b49b6143bbc625ce5e4692098", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f7b87cd02216dc38e4b4033e1922cc6559203c5b49b6143bbc625ce5e4692098"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/docker/tests/test_docker.py"}, "region": {"startLine": 298}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_arrow_example_validation_passes: Test function `test_arrow_example_validation_passes` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132101, "scanner": "repobility-ast-engine", "fingerprint": "f0bafffc5c68ac9b86e2d4f36b1d10cad1e282645dd535e5807165450960ac7a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f0bafffc5c68ac9b86e2d4f36b1d10cad1e282645dd535e5807165450960ac7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/docker/tests/test_docker.py"}, "region": {"startLine": 264}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_config_validation: Test function `test_config_validation` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132100, "scanner": "repobility-ast-engine", "fingerprint": "b0dfe9e261f3d69c8121a7530c7aa7e000761e558062b4f2d01fc1c182ea2f95", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b0dfe9e261f3d69c8121a7530c7aa7e000761e558062b4f2d01fc1c182ea2f95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/docker/tests/test_docker.py"}, "region": {"startLine": 229}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_assert_subprocess_calls: Test function `test_assert_subprocess_calls` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132092, "scanner": "repobility-ast-engine", "fingerprint": "4c661e1237906381a85e705e453d9f3b3b247c615743407a44d58c9da70756dd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4c661e1237906381a85e705e453d9f3b3b247c615743407a44d58c9da70756dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/tests/test_testing.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_issue_comment_with_commands_bot_not_first: Test function `test_issue_comment_with_commands_bot_not_first` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132091, "scanner": "repobility-ast-engine", "fingerprint": "82803033c2dbd62b34673e87465ed2c4ec298c8b77e512d5458ad6256d264edf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|82803033c2dbd62b34673e87465ed2c4ec298c8b77e512d5458ad6256d264edf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/tests/test_bot.py"}, "region": {"startLine": 337}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_noop_events: Test function `test_noop_events` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132090, "scanner": "repobility-ast-engine", "fingerprint": "b8226a884196e48055ad100d3b98187bf54657873a1e054917a719a185669a5b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b8226a884196e48055ad100d3b98187bf54657873a1e054917a719a185669a5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/tests/test_bot.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_gh_already_resolved: Test function `test_gh_already_resolved` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132084, "scanner": "repobility-ast-engine", "fingerprint": "138767b481c18f4711b13713388af4f4ac11ac2d29aaa0cd1275782c732a4330", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|138767b481c18f4711b13713388af4f4ac11ac2d29aaa0cd1275782c732a4330"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/test_merge_arrow_pr.py"}, "region": {"startLine": 234}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_gh_invalid_issue: Test function `test_gh_invalid_issue` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 132083, "scanner": "repobility-ast-engine", "fingerprint": "5c600bc3440cf963094f82ba11fcfb1cdb2e326ee254dbc8b8150e8225a4cc58", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5c600bc3440cf963094f82ba11fcfb1cdb2e326ee254dbc8b8150e8225a4cc58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/test_merge_arrow_pr.py"}, "region": {"startLine": 157}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.val` used but never assigned in __init__: Method `to_string` of class `FixedSizeBinaryTypePrinter` reads `self.val`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132082, "scanner": "repobility-ast-engine", "fingerprint": "86b340aad8f928fc2065326761351d3fda7474c90eb872b4e1971db537103e2a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|86b340aad8f928fc2065326761351d3fda7474c90eb872b4e1971db537103e2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 1122}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_unit` used but never assigned in __init__: Method `to_string` of class `TimestampTypePrinter` reads `self._get_unit`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132081, "scanner": "repobility-ast-engine", "fingerprint": "a66dbdbd7823c789ca5bf516b46a1437bf5bd310ef9b36e47e2872caa87050a4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a66dbdbd7823c789ca5bf516b46a1437bf5bd310ef9b36e47e2872caa87050a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 1113}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._format_type` used but never assigned in __init__: Method `to_string` of class `TimestampTypePrinter` reads `self._format_type`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132080, "scanner": "repobility-ast-engine", "fingerprint": "800706015380cf7156549d875e13e32a5f4da72684fb587ee6bb2e495bac1c5a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|800706015380cf7156549d875e13e32a5f4da72684fb587ee6bb2e495bac1c5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 1113}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_unit` used but never assigned in __init__: Method `to_string` of class `TimestampTypePrinter` reads `self._get_unit`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132079, "scanner": "repobility-ast-engine", "fingerprint": "d0e27ff9bd906120199cc8ef9a41387efcbdbed3bbefae043e7042e44233cb67", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d0e27ff9bd906120199cc8ef9a41387efcbdbed3bbefae043e7042e44233cb67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 1111}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._format_type` used but never assigned in __init__: Method `to_string` of class `TimestampTypePrinter` reads `self._format_type`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132078, "scanner": "repobility-ast-engine", "fingerprint": "def1fb99a70365f11a446169c5043d5966fa7d41f81f3ef9fd2c3acaa6b2cbad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|def1fb99a70365f11a446169c5043d5966fa7d41f81f3ef9fd2c3acaa6b2cbad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 1111}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.val` used but never assigned in __init__: Method `to_string` of class `TimestampTypePrinter` reads `self.val`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132077, "scanner": "repobility-ast-engine", "fingerprint": "47aaf391c0f73c2fac353b8ce5050f86c0ca580ac751fb1cf04188cfe06f299e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|47aaf391c0f73c2fac353b8ce5050f86c0ca580ac751fb1cf04188cfe06f299e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 1109}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_unit` used but never assigned in __init__: Method `to_string` of class `TimeTypePrinter` reads `self._get_unit`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132076, "scanner": "repobility-ast-engine", "fingerprint": "eaf385abc1870a9bd251c01b37c7400cb3d1298f1e443c37cf0b65ff550fe884", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eaf385abc1870a9bd251c01b37c7400cb3d1298f1e443c37cf0b65ff550fe884"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 1100}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._format_type` used but never assigned in __init__: Method `to_string` of class `TimeTypePrinter` reads `self._format_type`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132075, "scanner": "repobility-ast-engine", "fingerprint": "891d14ab24405eae5f1b4cc3792cfa934803aad97d156e7e89973b354e91c649", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|891d14ab24405eae5f1b4cc3792cfa934803aad97d156e7e89973b354e91c649"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 1100}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.val` used but never assigned in __init__: Method `_get_unit` of class `TimeTypePrinter` reads `self.val`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132074, "scanner": "repobility-ast-engine", "fingerprint": "add82447dbb42048d2ff73c8c9b5fbbce9bdc49ee161e9e554136d70442efda1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|add82447dbb42048d2ff73c8c9b5fbbce9bdc49ee161e9e554136d70442efda1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 1097}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._format_type` used but never assigned in __init__: Method `to_string` of class `PrimitiveTypePrinter` reads `self._format_type`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132073, "scanner": "repobility-ast-engine", "fingerprint": "aceb182ff14e1d8809ce833b4dac79bc4788fe8977903a425c11ac97b771b74d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aceb182ff14e1d8809ce833b4dac79bc4788fe8977903a425c11ac97b771b74d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 1088}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.traits` used but never assigned in __init__: Method `__int__` of class `BaseDecimal` reads `self.traits`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132072, "scanner": "repobility-ast-engine", "fingerprint": "af068ee7e1f7c33c063ac283bc06109e96e220834e040f9039c8b132dc602862", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|af068ee7e1f7c33c063ac283bc06109e96e220834e040f9039c8b132dc602862"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 911}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.words` used but never assigned in __init__: Method `__int__` of class `BaseDecimal` reads `self.words`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132071, "scanner": "repobility-ast-engine", "fingerprint": "57d1ba0294cc499f587634bd346f04a9e845bb20ce3d76eae5a0702bc7836dbb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|57d1ba0294cc499f587634bd346f04a9e845bb20ce3d76eae5a0702bc7836dbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 910}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.traits` used but never assigned in __init__: Method `words` of class `BaseDecimal` reads `self.traits`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132070, "scanner": "repobility-ast-engine", "fingerprint": "7e93ff936e91142ff0a4c9dfabd38a54fd5a6b1378382fa0e100fea0ea344128", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7e93ff936e91142ff0a4c9dfabd38a54fd5a6b1378382fa0e100fea0ea344128"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 896}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.traits` used but never assigned in __init__: Method `words` of class `BaseDecimal` reads `self.traits`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132069, "scanner": "repobility-ast-engine", "fingerprint": "58653949d31de17925dccf1434617397493110907dd71e7268c25830d3a1eae8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|58653949d31de17925dccf1434617397493110907dd71e7268c25830d3a1eae8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 897}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.view` used but never assigned in __init__: Method `__getitem__` of class `NullBitmap` reads `self.view`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132068, "scanner": "repobility-ast-engine", "fingerprint": "eecf72f39075023e33bce38135135027cd54dd7db6f3dc4f234e06b6454e0acb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eecf72f39075023e33bce38135135027cd54dd7db6f3dc4f234e06b6454e0acb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 805}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._check_index` used but never assigned in __init__: Method `__getitem__` of class `NullBitmap` reads `self._check_index`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132067, "scanner": "repobility-ast-engine", "fingerprint": "ce322469ae1b733fd3dac1074d9cdb68be1e8a9af8eb14c378cbfb4765738b08", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ce322469ae1b733fd3dac1074d9cdb68be1e8a9af8eb14c378cbfb4765738b08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 804}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._check_index` used but never assigned in __init__: Method `__getitem__` of class `Bitmap` reads `self._check_index`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132066, "scanner": "repobility-ast-engine", "fingerprint": "a9374bd891417fb7b538842ffec7d4ebf9b87c986a2f8d19a8406379bee0b49c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a9374bd891417fb7b538842ffec7d4ebf9b87c986a2f8d19a8406379bee0b49c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 760}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._check_index` used but never assigned in __init__: Method `__getitem__` of class `TypedView` reads `self._check_index`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132065, "scanner": "repobility-ast-engine", "fingerprint": "aa7f7f6d3cc7ac261ca3e590471b3e5228f2829a65fba0dc41c7230704953960", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aa7f7f6d3cc7ac261ca3e590471b3e5228f2829a65fba0dc41c7230704953960"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 733}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.bytes_view` used but never assigned in __init__: Method `view` of class `TypedBuffer` reads `self.bytes_view`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132064, "scanner": "repobility-ast-engine", "fingerprint": "c6ae43c7a4431fffdc50171885a3dae455e6c40667efe2ba4d08bfbdb7cffc7e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c6ae43c7a4431fffdc50171885a3dae455e6c40667efe2ba4d08bfbdb7cffc7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 704}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.bytes_view` used but never assigned in __init__: Method `view` of class `TypedBuffer` reads `self.bytes_view`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132063, "scanner": "repobility-ast-engine", "fingerprint": "6217ed5c233b1390354f30c628ed59f74054c4224de5769585611b9230058806", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6217ed5c233b1390354f30c628ed59f74054c4224de5769585611b9230058806"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 702}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.is_boolean` used but never assigned in __init__: Method `view` of class `TypedBuffer` reads `self.is_boolean`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132062, "scanner": "repobility-ast-engine", "fingerprint": "1bd2695133c301fe04576f05f471a42d53baa9bd48640808702a7c98e8e306b1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1bd2695133c301fe04576f05f471a42d53baa9bd48640808702a7c98e8e306b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 697}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._check_index` used but never assigned in __init__: Method `eval_at` of class `StdVector` reads `self._check_index`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132061, "scanner": "repobility-ast-engine", "fingerprint": "0d1baf4715a5ff9ac9c9dd8895aef23ddf9e26d5eb6be1bfbcfe384a5bae6eb0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0d1baf4715a5ff9ac9c9dd8895aef23ddf9e26d5eb6be1bfbcfe384a5bae6eb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 537}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._check_index` used but never assigned in __init__: Method `__getitem__` of class `StdVector` reads `self._check_index`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132060, "scanner": "repobility-ast-engine", "fingerprint": "2247f284ebba489b6b5b0d12769056073ee5cab9f826df51096e474b47f42ea4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2247f284ebba489b6b5b0d12769056073ee5cab9f826df51096e474b47f42ea4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 527}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.bytes_literal` used but never assigned in __init__: Method `__format__` of class `StdString` reads `self.bytes_literal`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132059, "scanner": "repobility-ast-engine", "fingerprint": "e16685aeab5a3b9142b6aab03499e0e2f829604e34436f8fd6d75ffb4e5d83c7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e16685aeab5a3b9142b6aab03499e0e2f829604e34436f8fd6d75ffb4e5d83c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 496}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.bytes_literal` used but never assigned in __init__: Method `__format__` of class `CString` reads `self.bytes_literal`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 132058, "scanner": "repobility-ast-engine", "fingerprint": "6b21d564f00dc944f31a39a131f53887044541ba969fcb3d5a3f9191dc10b59c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6b21d564f00dc944f31a39a131f53887044541ba969fcb3d5a3f9191dc10b59c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/gdb_arrow.py"}, "region": {"startLine": 366}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 132023, "scanner": "repobility-docker", "fingerprint": "5c688133457ca91f88135f15cddc46c72640b231fc953a9a9e5080be094bd730", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|5c688133457ca91f88135f15cddc46c72640b231fc953a9a9e5080be094bd730", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1883}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 132022, "scanner": "repobility-docker", "fingerprint": "466d8ea8bb24cfe3787ede8a66c39eb6b829c6585a19ae15c7ec4b9b0f1abc9e", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": 
"open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5432:5432", "target": "5432", "host_ip": "", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|466d8ea8bb24cfe3787ede8a66c39eb6b829c6585a19ae15c7ec4b9b0f1abc9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1883}}}]}, {"ruleId": "DKC005", "level": "error", "message": {"text": "Compose service adds dangerous Linux capabilities"}, "properties": {"repobilityId": 132017, "scanner": "repobility-docker", "fingerprint": "fd90373f170951a836b894725eadf4650209b1e58d4b6daa0024c93ab989dccf", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "cap_add includes broad or sensitive Linux capabilities.", "evidence": {"rule_id": "DKC005", "scanner": "repobility-docker", "service": "debian-docs", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "capabilities": ["SYS_ADMIN"], "correlation_key": "fp|fd90373f170951a836b894725eadf4650209b1e58d4b6daa0024c93ab989dccf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1839}}}]}, {"ruleId": "DKC005", "level": "error", "message": {"text": "Compose service adds dangerous Linux capabilities"}, "properties": {"repobilityId": 131985, "scanner": "repobility-docker", "fingerprint": "9bce8790bee9ae0ab0c830ac449019409262573c6e191347b8c3f6f28c34e39b", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "cap_add includes broad or sensitive Linux capabilities.", "evidence": {"rule_id": "DKC005", "scanner": "repobility-docker", "service": "conda-python-docs", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "capabilities": ["SYS_ADMIN"], "correlation_key": "fp|9bce8790bee9ae0ab0c830ac449019409262573c6e191347b8c3f6f28c34e39b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1492}}}]}, {"ruleId": "DKC005", "level": "error", "message": {"text": "Compose service adds dangerous Linux capabilities"}, "properties": {"repobilityId": 131873, "scanner": "repobility-docker", "fingerprint": "007be581c41fab3bdeec81b6ddb6f7ae2753e6019af556656546d59668bd9e9e", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "cap_add includes broad or sensitive Linux capabilities.", "evidence": {"rule_id": "DKC005", "scanner": "repobility-docker", "service": "ubuntu-cpp-odbc", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "capabilities": ["SYS_ADMIN"], "correlation_key": "fp|007be581c41fab3bdeec81b6ddb6f7ae2753e6019af556656546d59668bd9e9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 497}}}]}, {"ruleId": "DKC005", "level": "error", "message": {"text": "Compose service adds dangerous Linux capabilities"}, "properties": {"repobilityId": 131863, "scanner": "repobility-docker", "fingerprint": "884316e5c169616c1631ae9a627531eb12ca28e6db177ea542ad4b9b75cf51b4", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "cap_add includes broad or sensitive Linux capabilities.", "evidence": {"rule_id": "DKC005", "scanner": "repobility-docker", "service": "ubuntu-cpp-static", 
"references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "capabilities": ["SYS_ADMIN"], "correlation_key": "fp|884316e5c169616c1631ae9a627531eb12ca28e6db177ea542ad4b9b75cf51b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 409}}}]}, {"ruleId": "DKC005", "level": "error", "message": {"text": "Compose service adds dangerous Linux capabilities"}, "properties": {"repobilityId": 131859, "scanner": "repobility-docker", "fingerprint": "f222dcfc8c0ce1c319cac3206589bb3f498ff3155bdaab5337a5f5bcc5178f39", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "cap_add includes broad or sensitive Linux capabilities.", "evidence": {"rule_id": "DKC005", "scanner": "repobility-docker", "service": "ubuntu-cpp", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "capabilities": ["SYS_ADMIN"], "correlation_key": "fp|f222dcfc8c0ce1c319cac3206589bb3f498ff3155bdaab5337a5f5bcc5178f39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED017", "level": "error", "message": {"text": "[MINED017] C System Call: system() invokes shell. 
command injection if any arg is dynamic."}, "properties": {"repobilityId": 131778, "scanner": "repobility-threat-engine", "fingerprint": "aeda19229a53167c1308fcb587167c89f77ec8b2ee7df6f5238ca74f35cfe7a7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347937+00:00", "triaged_in_corpus": 15, "observations_count": 77748, "ai_coder_pattern_id": 132}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aeda19229a53167c1308fcb587167c89f77ec8b2ee7df6f5238ca74f35cfe7a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "r/R/install-arrow.R"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlin's null safety."}, "properties": {"repobilityId": 131777, "scanner": "repobility-threat-engine", "fingerprint": "08e311be674184838e14645176ca2f3a25c42daf6bf31f43574e03b1f4caf2bf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|08e311be674184838e14645176ca2f3a25c42daf6bf31f43574e03b1f4caf2bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "r/R/dplyr-mutate.R"}, "region": {"startLine": 113}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 131764, "scanner": "repobility-threat-engine", "fingerprint": "f7496e01af6a02204d385f84b24684059262b2bc1c5be2bab4d417b4e632a827", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\", \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f7496e01af6a02204d385f84b24684059262b2bc1c5be2bab4d417b4e632a827"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/scripts/run_emscripten_tests.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC113", "level": "error", "message": {"text": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`."}, "properties": {"repobilityId": 131755, "scanner": "repobility-threat-engine", "fingerprint": "6db2366d28cb6d3de95406eccf646cbc4e7cfcf87fcbe5a567bf2855fa248f73", "category": "crypto", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "StrictHostKeyChecking=no", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC113", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|dev/release/utils-binary.sh|39|sec113"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/release/utils-binary.sh"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED010", "level": "error", "message": {"text": "[MINED010] Ruby System Call: system / backtick run shell. 
Command injection if any arg dynamic."}, "properties": {"repobilityId": 131754, "scanner": "repobility-threat-engine", "fingerprint": "8326c4ed2f4abbddfc286c5b6c892fb8b5c8bd888f9c0ba216c590e13de6aff3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347921+00:00", "triaged_in_corpus": 15, "observations_count": 189513, "ai_coder_pattern_id": 162}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8326c4ed2f4abbddfc286c5b6c892fb8b5c8bd888f9c0ba216c590e13de6aff3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "r/R/install-arrow.R"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED010", "level": "error", "message": {"text": "[MINED010] Ruby System Call: system / backtick run shell. 
Command injection if any arg dynamic."}, "properties": {"repobilityId": 131753, "scanner": "repobility-threat-engine", "fingerprint": "da24ddfa1a831c5a7762b17326ab6a43cf1e835b3fa0655cd4be3ad0d0fa2328", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347921+00:00", "triaged_in_corpus": 15, "observations_count": 189513, "ai_coder_pattern_id": 162}, "scanner": "repobility-threat-engine", "correlation_key": "fp|da24ddfa1a831c5a7762b17326ab6a43cf1e835b3fa0655cd4be3ad0d0fa2328"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/release/test-helper.rb"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. 
Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 131752, "scanner": "repobility-threat-engine", "fingerprint": "597a78b2e0a53b59039fe4c9e4a3f354d565b361a1c931b91313435607b16887", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"curl (\\d+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|151|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/release/download_rc_binaries.py"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 131745, "scanner": "repobility-threat-engine", "fingerprint": "40965b34508d24a0946d5e572d243da2f4c226504df82c6ac697b3c79aa3c1fb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|40965b34508d24a0946d5e572d243da2f4c226504df82c6ac697b3c79aa3c1fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/utils/lint.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": 
"[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 131744, "scanner": "repobility-threat-engine", "fingerprint": "3034dd0188b590bfa17992efb6619142a6fa7909f7f2fe296f57a3856c9bcec8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3034dd0188b590bfa17992efb6619142a6fa7909f7f2fe296f57a3856c9bcec8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/linking.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 131743, "scanner": "repobility-threat-engine", "fingerprint": "121c0e614b4bf77d70f983765bc0b5a01612e1b6109090191e9fb5361df55d3c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|121c0e614b4bf77d70f983765bc0b5a01612e1b6109090191e9fb5361df55d3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/compat.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 131739, "scanner": "repobility-threat-engine", "fingerprint": "b4590fa4b766657aae4fc5f526355c5d07476531a331b32b1d53e58d500995e0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b4590fa4b766657aae4fc5f526355c5d07476531a331b32b1d53e58d500995e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/util.py"}, "region": {"startLine": 243}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 131738, "scanner": "repobility-threat-engine", "fingerprint": "524262d0e2efa103b3b289ef63a28540a36ca87b718606d88f052d49d07e9b99", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|524262d0e2efa103b3b289ef63a28540a36ca87b718606d88f052d49d07e9b99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/examples/parquet_encryption/sample_vault_kms_client.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 131737, "scanner": "repobility-threat-engine", "fingerprint": "fdc173c6dc5e2007dae680a565395f740be5abab818814d2c34170610fbc2af2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fdc173c6dc5e2007dae680a565395f740be5abab818814d2c34170610fbc2af2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/ci/core.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 131728, "scanner": "repobility-threat-engine", "fingerprint": "2fed97124d2a5e6896229a3d6bc1ecd25963746f5fe7c7df82dbd47d75245931", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "kwargs.update(shell=True)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2fed97124d2a5e6896229a3d6bc1ecd25963746f5fe7c7df82dbd47d75245931"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/integration/tester.py"}, "region": {"startLine": 232}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 131727, "scanner": "repobility-threat-engine", "fingerprint": "3295d772ead5f9597997444587e3cae0b699833523f8791501129b3feb98cf74", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "raw_data.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3295d772ead5f9597997444587e3cae0b699833523f8791501129b3feb98cf74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/util/ubsan.h"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 131726, "scanner": "repobility-threat-engine", "fingerprint": "ef0c037aed037ec60cbe1a3c5ab615bd610f8d074b4b1e39f9340514a4dc316b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.Create();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ef0c037aed037ec60cbe1a3c5ab615bd610f8d074b4b1e39f9340514a4dc316b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/flight/sql/odbc/odbc_impl/win_system_dsn.cc"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED099", "level": "error", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. 
AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 131723, "scanner": "repobility-threat-engine", "fingerprint": "cf864c80cdc4c91ecc584329a67c551bf6f4ef7fa617f0503cf74d94ad32bd3b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cf864c80cdc4c91ecc584329a67c551bf6f4ef7fa617f0503cf74d94ad32bd3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/filesystem/s3_test_cert_internal.h"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 131711, "scanner": "repobility-threat-engine", "fingerprint": "3123bdd1c7d66b9609fc93c31216d03e8462456caeb444537e5651a46cb00b66", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3123bdd1c7d66b9609fc93c31216d03e8462456caeb444537e5651a46cb00b66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/release/02-source.sh"}, "region": {"startLine": 98}}}]}, {"ruleId": 
"MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 131710, "scanner": "repobility-threat-engine", "fingerprint": "7eab4a5c979a73af6226abca9eb6fabda700a39f194e55782c05772cc219e850", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7eab4a5c979a73af6226abca9eb6fabda700a39f194e55782c05772cc219e850"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/parquet/chunker_internal_codegen.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 131709, "scanner": "repobility-threat-engine", "fingerprint": "14658b288b278603e674f10b6cb2e3b88201d74c032f3b26081ee60f846b62fd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|14658b288b278603e674f10b6cb2e3b88201d74c032f3b26081ee60f846b62fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"cpp/build-support/fuzzing/pack_corpus.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 131703, "scanner": "repobility-threat-engine", "fingerprint": "0a3f7606952fb94bfda245bf8f46832cfa4042d52104721f6a9555647443e581", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "Open(std::move(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|52|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/dataset/file_orc.cc"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 131702, "scanner": "repobility-threat-engine", "fingerprint": "fe13c0fb1b7d96fdabfdfecd7f75f5604cff2fc78c708ab7058aa8699eb84993", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "Open(std::move(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|55|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/dataset/file_ipc.cc"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 131701, "scanner": "repobility-threat-engine", "fingerprint": "5c9602a98788a43a1aa5eb40539e04e252f1fbe4283150531098d340e9b3e5f6", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(args.input, \"r\", encoding=\"utf-8\") as input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|51|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "c_glib/tool/generate-version-header.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without 
allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 131695, "scanner": "repobility-threat-engine", "fingerprint": "4daf9bdff375df37d8170db91b4a2ac55d0167ec109e77733e1abfca3623d178", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4daf9bdff375df37d8170db91b4a2ac55d0167ec109e77733e1abfca3623d178"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/utils/cache.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 131694, "scanner": "repobility-threat-engine", "fingerprint": "d788bb49cdf26781bcc9232f0ec68947b6f7df269e0eee083702a001facb37d9", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(self.jobs_url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d788bb49cdf26781bcc9232f0ec68947b6f7df269e0eee083702a001facb37d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/ci/core.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 131693, "scanner": "repobility-threat-engine", "fingerprint": "4038b184513e10eeb37fe308dd539eaaf1f81e308e692b9c13d4ddf839c82b74", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(g", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4038b184513e10eeb37fe308dd539eaaf1f81e308e692b9c13d4ddf839c82b74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dev_pr/link.js"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 131686, "scanner": "repobility-threat-engine", "fingerprint": "07c7c6eab5f66b12c6e0539363747a8f40b514b32425485140da7b312f309b73", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(KernelContext", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|07c7c6eab5f66b12c6e0539363747a8f40b514b32425485140da7b312f309b73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/compute/kernels/scalar_cast_internal.h"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with 
user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 131685, "scanner": "repobility-threat-engine", "fingerprint": "b038de0e9883d11de09d20b490654aac428a4bb57b34c733052497a3c00eb652", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(const", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b038de0e9883d11de09d20b490654aac428a4bb57b34c733052497a3c00eb652"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/compute/kernels/scalar_cast_internal.cc"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 131684, "scanner": "repobility-threat-engine", "fingerprint": "f49033f22275c8a948c9740c9fbc3d60de3e3c48682c356dd79beb915b28bc4e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(title", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f49033f22275c8a948c9740c9fbc3d60de3e3c48682c356dd79beb915b28bc4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dev_pr/helpers.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USER` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCKERHUB_USER }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132261, "scanner": "repobility-supply-chain", "fingerprint": "298aff4523d28591c02f1ea39ac1bef13054f82b6d4993ea47f02bec825ada44", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|298aff4523d28591c02f1ea39ac1bef13054f82b6d4993ea47f02bec825ada44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/r.yml"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCKERHUB_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132260, "scanner": "repobility-supply-chain", "fingerprint": "7395e245275cfc03d2e3dff0a85cbe30ea7e803f5d97058f80b692f049875e6f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7395e245275cfc03d2e3dff0a85cbe30ea7e803f5d97058f80b692f049875e6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/r.yml"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USER` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCKERHUB_USER }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132259, "scanner": "repobility-supply-chain", "fingerprint": "6cd6cd85498854abdc5b2f19fa1b87afaa8e0eb0002fbf87a3fc9ceda8f30598", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6cd6cd85498854abdc5b2f19fa1b87afaa8e0eb0002fbf87a3fc9ceda8f30598"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/r.yml"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ARROW_ZULIP_WEBHOOK` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.ARROW_ZULIP_WEBHOOK }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132258, "scanner": "repobility-supply-chain", "fingerprint": "319354c7916d615ad1e48aae8df6ed07d02a5b7eaa596248bf6be3c5f9e78338", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|319354c7916d615ad1e48aae8df6ed07d02a5b7eaa596248bf6be3c5f9e78338"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp_extra.yml"}, "region": {"startLine": 848}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ARROW_SMTP_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.ARROW_SMTP_PASSWORD }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132257, "scanner": "repobility-supply-chain", "fingerprint": "b6e79c6bb02e459b278399edbddd879ac169277c158492f9dd996d4062a3b398", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b6e79c6bb02e459b278399edbddd879ac169277c158492f9dd996d4062a3b398"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp_extra.yml"}, "region": {"startLine": 847}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.NIGHTLIES_RSYNC_HOST_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.NIGHTLIES_RSYNC_HOST_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132256, "scanner": "repobility-supply-chain", "fingerprint": "482b5d0beda5d24cb8a355d2f13935bd2a6d02b97c6cdc9cbf491730014c2336", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|482b5d0beda5d24cb8a355d2f13935bd2a6d02b97c6cdc9cbf491730014c2336"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp_extra.yml"}, "region": {"startLine": 798}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.NIGHTLIES_RSYNC_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.NIGHTLIES_RSYNC_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132255, "scanner": "repobility-supply-chain", "fingerprint": "a38cd7aa2366269b89a098c0f09c0886b1c7e9bc188986edabc673d7f2e704c9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a38cd7aa2366269b89a098c0f09c0886b1c7e9bc188986edabc673d7f2e704c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp_extra.yml"}, "region": {"startLine": 797}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.NIGHTLIES_RSYNC_USER` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.NIGHTLIES_RSYNC_USER }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132254, "scanner": "repobility-supply-chain", "fingerprint": "88bdbb7788d32ce5a7e527b0cde4b2e4b13d6dac81cb67f975282e9e62c49271", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|88bdbb7788d32ce5a7e527b0cde4b2e4b13d6dac81cb67f975282e9e62c49271"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp_extra.yml"}, "region": {"startLine": 796}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.NIGHTLIES_RSYNC_PORT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.NIGHTLIES_RSYNC_PORT }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132253, "scanner": "repobility-supply-chain", "fingerprint": "4eb99cf7b357fa73c7f121f559a1a2f11fd1665a89eb9b4976886bc7e42b4c98", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4eb99cf7b357fa73c7f121f559a1a2f11fd1665a89eb9b4976886bc7e42b4c98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp_extra.yml"}, "region": {"startLine": 795}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.NIGHTLIES_RSYNC_HOST` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.NIGHTLIES_RSYNC_HOST }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132252, "scanner": "repobility-supply-chain", "fingerprint": "6c37b01c1532b5deede43373e604106bac9721f74e0ca3f4f05a25878ceecac5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6c37b01c1532b5deede43373e604106bac9721f74e0ca3f4f05a25878ceecac5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp_extra.yml"}, "region": {"startLine": 794}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.NIGHTLIES_RSYNC_PATH` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.NIGHTLIES_RSYNC_PATH }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132251, "scanner": "repobility-supply-chain", "fingerprint": "769942ef53afdb401fef223d977c476de59cff21a6fb61e3656c89a71be05054", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|769942ef53afdb401fef223d977c476de59cff21a6fb61e3656c89a71be05054"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp_extra.yml"}, "region": {"startLine": 793}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCKERHUB_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132250, "scanner": "repobility-supply-chain", "fingerprint": "7fc0683aa577e157dcc63cbecd7292dc4789419414c43cb69abeafa4e314e44d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7fc0683aa577e157dcc63cbecd7292dc4789419414c43cb69abeafa4e314e44d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp_extra.yml"}, "region": {"startLine": 433}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USER` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCKERHUB_USER }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132249, "scanner": "repobility-supply-chain", "fingerprint": "1e331fbde575992adc2f4422a718bcd5fa132d08e14dd8ead2aca67aec42c787", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e331fbde575992adc2f4422a718bcd5fa132d08e14dd8ead2aca67aec42c787"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp_extra.yml"}, "region": {"startLine": 432}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCKERHUB_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132248, "scanner": "repobility-supply-chain", "fingerprint": "17318fcbfc2f34599836800722e269ed27419a507a5aae52415cb48d60385d3f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|17318fcbfc2f34599836800722e269ed27419a507a5aae52415cb48d60385d3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp_extra.yml"}, "region": {"startLine": 411}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USER` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCKERHUB_USER }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132247, "scanner": "repobility-supply-chain", "fingerprint": "5dba6e85ce28e82356070f4c1f9b2112804639c6c43a2f9a6b220be05328f4da", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5dba6e85ce28e82356070f4c1f9b2112804639c6c43a2f9a6b220be05328f4da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp_extra.yml"}, "region": {"startLine": 410}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCKERHUB_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132246, "scanner": "repobility-supply-chain", "fingerprint": "24b0e0e83d19224bc67113402dabc45a90157955f704a9b1ead50b0ea31d1d0c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|24b0e0e83d19224bc67113402dabc45a90157955f704a9b1ead50b0ea31d1d0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp_extra.yml"}, "region": {"startLine": 187}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USER` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCKERHUB_USER }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132245, "scanner": "repobility-supply-chain", "fingerprint": "7aaf6ca2de9a3eaaf078cbf7e648d8b1fa4b64bad4000ae2440cfe81fb01e051", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7aaf6ca2de9a3eaaf078cbf7e648d8b1fa4b64bad4000ae2440cfe81fb01e051"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp_extra.yml"}, "region": {"startLine": 186}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCKERHUB_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132244, "scanner": "repobility-supply-chain", "fingerprint": "89d48afbe768cdd1bee747a395afd7baba952df076d1131a2d95e0dc68b13d73", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|89d48afbe768cdd1bee747a395afd7baba952df076d1131a2d95e0dc68b13d73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp_extra.yml"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USER` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCKERHUB_USER }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132243, "scanner": "repobility-supply-chain", "fingerprint": "a90b60e04d2c17f087b8d59f95f2f8d729456bff7911c8a03196d081189b7509", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a90b60e04d2c17f087b8d59f95f2f8d729456bff7911c8a03196d081189b7509"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cpp_extra.yml"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ARROW_ZULIP_WEBHOOK` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.ARROW_ZULIP_WEBHOOK }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132221, "scanner": "repobility-supply-chain", "fingerprint": "91d37cf536b01ee7ec7166e8d54e153c4c21cb875b69cd4120763214c7a6630b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|91d37cf536b01ee7ec7166e8d54e153c4c21cb875b69cd4120763214c7a6630b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/r_extra.yml"}, "region": {"startLine": 218}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ARROW_SMTP_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.ARROW_SMTP_PASSWORD }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132220, "scanner": "repobility-supply-chain", "fingerprint": "0f6009333be4cb263eaf3e812d064b0e757ce6b131cd19fe5ae0d07876568dd0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f6009333be4cb263eaf3e812d064b0e757ce6b131cd19fe5ae0d07876568dd0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/r_extra.yml"}, "region": {"startLine": 217}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCKERHUB_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132219, "scanner": "repobility-supply-chain", "fingerprint": "406c79878f463b5b5041e521fafe11cac7b4abf5a33b184b6e9eff9f1d21fed4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|406c79878f463b5b5041e521fafe11cac7b4abf5a33b184b6e9eff9f1d21fed4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/r_extra.yml"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USER` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCKERHUB_USER }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132218, "scanner": "repobility-supply-chain", "fingerprint": "6794acf095c9ebd4137f1937eeaefe18376ee505b0d59a42b8331405f585d479", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6794acf095c9ebd4137f1937eeaefe18376ee505b0d59a42b8331405f585d479"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/r_extra.yml"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCKERHUB_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132217, "scanner": "repobility-supply-chain", "fingerprint": "e3b0b013c4f6195fb81625e3518227dc2755d22afa4baa14683be0e5aa896412", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e3b0b013c4f6195fb81625e3518227dc2755d22afa4baa14683be0e5aa896412"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/r_extra.yml"}, "region": {"startLine": 174}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USER` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCKERHUB_USER }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 132216, "scanner": "repobility-supply-chain", "fingerprint": "ffda245ac6c4c72bfa766650f8ca9721226041e8d13ac212f71d6404b1330d25", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ffda245ac6c4c72bfa766650f8ca9721226041e8d13ac212f71d6404b1330d25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/r_extra.yml"}, "region": {"startLine": 173}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 132139, "scanner": "repobility-ast-engine", "fingerprint": "ac8584fc3a5d3b03e91c5d4a8b026418169161111dae471eda9eac533b9f9656", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ac8584fc3a5d3b03e91c5d4a8b026418169161111dae471eda9eac533b9f9656"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/tests/parquet/test_metadata.py"}, "region": {"startLine": 213}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `array` used but not imported: The file uses `array.something(...)` but never imports `array`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 132136, "scanner": "repobility-ast-engine", "fingerprint": "67e8bf3db627a0b444c3a1c1b0d30f525f11ce27bd44782ca5763c38ce345294", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|67e8bf3db627a0b444c3a1c1b0d30f525f11ce27bd44782ca5763c38ce345294"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/tests/test_convert_builtin.py"}, "region": {"startLine": 2086}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `struct` used but not imported: The file uses `struct.something(...)` but never imports 
`struct`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 132135, "scanner": "repobility-ast-engine", "fingerprint": "8ec6037e5bb6e6618fa52c44b5bcd9a4fc8d24d339b05e0f8331185a00217b8d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8ec6037e5bb6e6618fa52c44b5bcd9a4fc8d24d339b05e0f8331185a00217b8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/tests/test_pandas.py"}, "region": {"startLine": 4090}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `array` used but not imported: The file uses `array.something(...)` but never imports `array`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 132134, "scanner": "repobility-ast-engine", "fingerprint": "4cb385768c7427222162aecc453bd4f852d60662d495241166f18c6f0e21745d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4cb385768c7427222162aecc453bd4f852d60662d495241166f18c6f0e21745d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/tests/test_pandas.py"}, "region": {"startLine": 1057}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `array` used but not imported: The file uses `array.something(...)` but never imports `array`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 132133, "scanner": "repobility-ast-engine", "fingerprint": "b067279a3dcb28966a4d05d1c70e645ddab408c4c971e17e221031ce91c201db", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b067279a3dcb28966a4d05d1c70e645ddab408c4c971e17e221031ce91c201db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/tests/test_array.py"}, "region": {"startLine": 675}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `uuid` used but not imported: The file uses `uuid.something(...)` but never imports `uuid`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 132132, "scanner": "repobility-ast-engine", "fingerprint": "f1cec37d196df9c30acfc881f9b2cea1ab83385c9ba3e16796240dea4e5ec5b1", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f1cec37d196df9c30acfc881f9b2cea1ab83385c9ba3e16796240dea4e5ec5b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/tests/test_extension_type.py"}, "region": {"startLine": 308}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `array` used but not imported: The file uses `array.something(...)` but never imports `array`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 132131, "scanner": "repobility-ast-engine", "fingerprint": "eccb411423c0c2e34395c8bf2e458eee543896fe4d44affc826865faad0da749", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eccb411423c0c2e34395c8bf2e458eee543896fe4d44affc826865faad0da749"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/tests/test_extension_type.py"}, "region": {"startLine": 695}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `array` used but not imported: The file uses `array.something(...)` but never imports `array`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 132130, "scanner": "repobility-ast-engine", "fingerprint": "d3c4c6558c3562ecbde66566dde1321667627a68a5fb598830b2eb7879b2ff08", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d3c4c6558c3562ecbde66566dde1321667627a68a5fb598830b2eb7879b2ff08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/tests/test_strategies.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `array` used but not imported: The file uses `array.something(...)` but never imports `array`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 132129, "scanner": "repobility-ast-engine", "fingerprint": "4ee55e973cabf216c646fbf9a0d26f52d2e890817e8bd5521b89385bb73eec1e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4ee55e973cabf216c646fbf9a0d26f52d2e890817e8bd5521b89385bb73eec1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/tests/test_io.py"}, "region": {"startLine": 482}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `csv` used but not imported: The file uses `csv.something(...)` but never imports `csv`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 132127, "scanner": "repobility-ast-engine", "fingerprint": "6c8cf5ad693807c20717c0fd09cf6103af156c5bc7199e71dc0cc54a4e5d6e8d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6c8cf5ad693807c20717c0fd09cf6103af156c5bc7199e71dc0cc54a4e5d6e8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/tests/test_csv.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `array` used but not imported: The file uses `array.something(...)` but never imports `array`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 132126, "scanner": "repobility-ast-engine", "fingerprint": "f4ffcd439c91d22d7cfe4c47e5131f3d3fd452d0c22ef54ca9d90832f2e01e51", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f4ffcd439c91d22d7cfe4c47e5131f3d3fd452d0c22ef54ca9d90832f2e01e51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/tests/test_table.py"}, "region": {"startLine": 316}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `struct` used but not imported: The file uses `struct.something(...)` but never imports `struct`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 132125, "scanner": "repobility-ast-engine", "fingerprint": "45cf5659b55abde2dd974627bd66b61c880354f9a61d4c5cc736be6dcd3ea8af", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|45cf5659b55abde2dd974627bd66b61c880354f9a61d4c5cc736be6dcd3ea8af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/tests/test_compute.py"}, "region": {"startLine": 1257}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `array` used but not imported: The file uses `array.something(...)` but never imports `array`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 132124, "scanner": "repobility-ast-engine", "fingerprint": "b1b1b23a012fc28c4478b080c1817c06ae383e3525b1867086e6a77f8f6c1410", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b1b1b23a012fc28c4478b080c1817c06ae383e3525b1867086e6a77f8f6c1410"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/tests/test_compute.py"}, "region": {"startLine": 2086}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `array` used but not imported: The file uses `array.something(...)` but never imports `array`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 132120, "scanner": "repobility-ast-engine", "fingerprint": "c548273784370ea1a550dda20b453b8230d1b15f14cf2a5e3852875b40c831c1", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c548273784370ea1a550dda20b453b8230d1b15f14cf2a5e3852875b40c831c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pyarrow/interchange/column.py"}, "region": {"startLine": 480}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 132114, "scanner": "repobility-ast-engine", "fingerprint": "13543447b0ff01f49705cebf51ed81f23e1dba00d100e4274e18a4b7d61b2d98", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|13543447b0ff01f49705cebf51ed81f23e1dba00d100e4274e18a4b7d61b2d98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/crossbow/tests/test_core.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 132088, "scanner": "repobility-ast-engine", "fingerprint": "da8be62d87aab7c2a149be2721a8b33efb2804ce6347cb23dd5cff415d858622", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|da8be62d87aab7c2a149be2721a8b33efb2804ce6347cb23dd5cff415d858622"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/crossbow/core.py"}, "region": {"startLine": 1155}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 132087, "scanner": "repobility-ast-engine", "fingerprint": "c24eedd135449f09e92bddc1e0f40b5db3b721cd71c7b299413abac7c4042a82", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c24eedd135449f09e92bddc1e0f40b5db3b721cd71c7b299413abac7c4042a82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/crossbow/cli.py"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 132086, "scanner": "repobility-ast-engine", "fingerprint": "9dbb81e6c78606b6598bcf33db604bdd2cfe5cd72b1f07bc09dbe378bb096558", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9dbb81e6c78606b6598bcf33db604bdd2cfe5cd72b1f07bc09dbe378bb096558"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/archery/archery/bot.py"}, "region": {"startLine": 416}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 132027, "scanner": "repobility-docker", "fingerprint": 
"117442fe2b67601153b408aef3a1ef9ebfdf2465dec875861a6c708fa08b0a05", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "impala", "variable": "PGPASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|117442fe2b67601153b408aef3a1ef9ebfdf2465dec875861a6c708fa08b0a05", "compose_secrets_declared": true}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1891}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 132021, "scanner": "repobility-docker", "fingerprint": "e25363acf7c5aad968f7cb64d60ecf884eb929bbd7716bc7b07ffa0fd98c3737", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|e25363acf7c5aad968f7cb64d60ecf884eb929bbd7716bc7b07ffa0fd98c3737", "compose_secrets_declared": true}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yaml"}, "region": {"startLine": 1883}}}]}, {"ruleId": "SEC009", "level": "error", "message": {"text": "[SEC009] .env File Committed: .env file with secrets committed to 
repository."}, "properties": {"repobilityId": 131779, "scanner": "repobility-threat-engine", "fingerprint": "5d2991e6b2f00e4b61d743d1035228f1df1aa036f7a4897f3fc085baaab5fc55", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": ".env file exists in repository root", "evidence": {"reason": ".env file exists in repository root", "rule_id": "SEC009", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5d2991e6b2f00e4b61d743d1035228f1df1aa036f7a4897f3fc085baaab5fc55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".env"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat don't bounds-check; use strncpy or snprintf."}, "properties": {"repobilityId": 131775, "scanner": "repobility-threat-engine", "fingerprint": "aa9ecb7489ef4a09cfba51f2c846b4d62d85f539e74e63e657fe358a4efd9130", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa9ecb7489ef4a09cfba51f2c846b4d62d85f539e74e63e657fe358a4efd9130"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "r/R/dplyr-glimpse.R"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat don't bounds-check; use strncpy or snprintf."}, "properties": {"repobilityId": 131774, "scanner": "repobility-threat-engine", "fingerprint": 
"de95807eaa3719fb5dca785dbb34419f48b0f526c3e0d0934b83220fdf026522", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de95807eaa3719fb5dca785dbb34419f48b0f526c3e0d0934b83220fdf026522"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "r/R/dplyr-funcs-simple.R"}, "region": {"startLine": 233}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat don't bounds-check; use strncpy or snprintf."}, "properties": {"repobilityId": 131773, "scanner": "repobility-threat-engine", "fingerprint": "a38dfcea28ec2d2c4a3886ae2cfc5a738236ccf217b459e4da279f4495764541", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a38dfcea28ec2d2c4a3886ae2cfc5a738236ccf217b459e4da279f4495764541"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "r/R/arrow-tabular.R"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED025", "level": "error", "message": {"text": "[MINED025] Php Eval: eval() executes arbitrary PHP. 
Code injection."}, "properties": {"repobilityId": 131761, "scanner": "repobility-threat-engine", "fingerprint": "e9e3021f86ea857523b011e2db285bf90a778788e7986d9015f6aee4c5de7fe5", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-eval", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347956+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 164}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e9e3021f86ea857523b011e2db285bf90a778788e7986d9015f6aee4c5de7fe5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "r/R/dplyr-eval.R"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED025", "level": "error", "message": {"text": "[MINED025] Php Eval: eval() executes arbitrary PHP. 
Code injection."}, "properties": {"repobilityId": 131760, "scanner": "repobility-threat-engine", "fingerprint": "d32ad65a6ad2dcca962dcabb48d829875c1b9df5b6635bf89fa9310fcdb33236", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-eval", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347956+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 164}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d32ad65a6ad2dcca962dcabb48d829875c1b9df5b6635bf89fa9310fcdb33236"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "matlab/src/matlab/+arrow/+internal/+test/+tabular/createAllSupportedArrayTypes.m"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. 
Code injection risk."}, "properties": {"repobilityId": 131759, "scanner": "repobility-threat-engine", "fingerprint": "05555a395d621ba51b0218d7882ed504a5149343ee33e98b10aaf23569c10341", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|05555a395d621ba51b0218d7882ed504a5149343ee33e98b10aaf23569c10341"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "r/R/dplyr-eval.R"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. 
Code injection risk."}, "properties": {"repobilityId": 131758, "scanner": "repobility-threat-engine", "fingerprint": "83f380c3a4129fb9c4dab5e2420b42174d9ea7f2f2f2be2511a94eca75d5dc42", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|83f380c3a4129fb9c4dab5e2420b42174d9ea7f2f2f2be2511a94eca75d5dc42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "matlab/src/matlab/+arrow/+internal/+test/+tabular/createAllSupportedArrayTypes.m"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED015", "level": "error", "message": {"text": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. 
Code injection."}, "properties": {"repobilityId": 131757, "scanner": "repobility-threat-engine", "fingerprint": "95e2a130c3f80b10b4e60fe3e855e803193742008bab14ec5fd64a0b85fe5918", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-eval-call", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347933+00:00", "triaged_in_corpus": 20, "observations_count": 85733, "ai_coder_pattern_id": 161}, "scanner": "repobility-threat-engine", "correlation_key": "fp|95e2a130c3f80b10b4e60fe3e855e803193742008bab14ec5fd64a0b85fe5918"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "r/R/dplyr-eval.R"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED015", "level": "error", "message": {"text": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. 
Code injection."}, "properties": {"repobilityId": 131756, "scanner": "repobility-threat-engine", "fingerprint": "1b2f00375f9a9ef44a6fe5d221591c3d3ee8281613f1e64c3c06c9da39d394ad", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-eval-call", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347933+00:00", "triaged_in_corpus": 20, "observations_count": 85733, "ai_coder_pattern_id": 161}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1b2f00375f9a9ef44a6fe5d221591c3d3ee8281613f1e64c3c06c9da39d394ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "matlab/src/matlab/+arrow/+internal/+test/+tabular/createAllSupportedArrayTypes.m"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 131721, "scanner": "repobility-threat-engine", "fingerprint": "9f33198598fcc58e151829ad9fd648023aee51a66f332082c70caecdac1d1f2b", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9f33198598fcc58e151829ad9fd648023aee51a66f332082c70caecdac1d1f2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"cpp/src/arrow/io/compressed_benchmark.cc"}, "region": {"startLine": 186}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 131720, "scanner": "repobility-threat-engine", "fingerprint": "6a3e198c1f9631396e1f7d8cfd9c7d2dad9b9eab5b620e0d03a376b42417991e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a3e198c1f9631396e1f7d8cfd9c7d2dad9b9eab5b620e0d03a376b42417991e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/src/arrow/acero/pivot_longer_node.cc"}, "region": {"startLine": 212}}}]}, {"ruleId": "CORE_ENV_FILE", "level": "error", "message": {"text": ".env file committed to repository"}, "properties": {"repobilityId": 131679, "scanner": "repobility-core", "fingerprint": "23cf83b5b9ef2fbf14bfabb5febcb625a2b459499bad568b550a990d3c7e1f81", "category": "security", "severity": "critical", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_ENV_FILE", "scanner": "repobility-core", "correlation_key": "fp|23cf83b5b9ef2fbf14bfabb5febcb625a2b459499bad568b550a990d3c7e1f81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".env"}, "region": {"startLine": 1}}}]}]}]}