{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 41 more): Same pattern found in 41 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 41 more): Same pattern found in 41 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC033", "name": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without fil", "shortDescription": {"text": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting ever"}, "fullDescription": {"text": "Sanitize keys BEFORE merge:\n  function sanitize(obj) {\n    delete obj.__proto__;\n    delete obj.constructor;\n    delete obj.prototype;\n    return obj;\n  }\nOr use Object.create(null) for the target. Or use Map() for user-key-indexed data. Upgrade lodash >= 4.17.21 for partial mitigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "prototype_pollution", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/422"}, "properties": {"repository": "ktorio/ktor", "repoUrl": "https://github.com/ktorio/ktor.git", "branch": "main"}, "results": [{"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 22699, "scanner": "repobility-threat-engine", "fingerprint": "061f3188c28b2aca0b98e98140e00e009de75afee522655b6e721deb990a6f39", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "Logger.trace(\"OAuth2 request access token failed\", cause)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|20|logger.trace oauth2 request access token failed cause"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ktor-server/ktor-server-plugins/ktor-server-auth/common/src/io/ktor/server/auth/OAuthProcedure.kt"}, "region": {"startLine": 205}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 41 more): Same pattern found in 41 additional files. Review if needed."}, "properties": {"repobilityId": 22698, "scanner": "repobility-threat-engine", "fingerprint": "d7607273fe5f14fcf46e7f8983176d1b193e6925004b1a1c1ea7f0f836f04911", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 41 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 41 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d7607273fe5f14fcf46e7f8983176d1b193e6925004b1a1c1ea7f0f836f04911"}}}, {"ruleId": "SEC033", "level": "error", "message": {"text": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting every object in the process. CWE-1321. Real-world: CVE-2019-10744 (lodash), CVE-2021-23337 (lodash.set), CVE-2023-26136 (tough-cookie)."}, "properties": {"repobilityId": 22700, "scanner": "repobility-threat-engine", "fingerprint": "faa6348add3523f5c61bca4a194d61e7c4b922f2a0a00b14eb6e1938f23f0180", "category": "prototype_pollution", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "[input.size] =", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC033", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|faa6348add3523f5c61bca4a194d61e7c4b922f2a0a00b14eb6e1938f23f0180"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ktor-utils/web/src/io/ktor/util/Crypto.web.kt"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 22697, "scanner": "repobility-threat-engine", "fingerprint": "2342ec2fb111ce68a6c924e4b67747ac119085673166ffd9fd5f8d3b451c0b63", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(d", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2342ec2fb111ce68a6c924e4b67747ac119085673166ffd9fd5f8d3b451c0b63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ktor-http/common/src/io/ktor/http/Url.kt"}, "region": {"startLine": 286}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 22696, "scanner": "repobility-threat-engine", "fingerprint": "fc453ebb77e83a8f8d05d7a487c879e0692a2c462f37de7250b4e8b0a32d42c0", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fc453ebb77e83a8f8d05d7a487c879e0692a2c462f37de7250b4e8b0a32d42c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ktor-http/common/src/io/ktor/http/URLUtils.kt"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 22695, "scanner": "repobility-threat-engine", "fingerprint": "fc6f62d04276ab1f1d682f08c8c064a5ef893f8df635acf895f49f93dcabf132", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fc6f62d04276ab1f1d682f08c8c064a5ef893f8df635acf895f49f93dcabf132"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ktor-http/jvm/src/io/ktor/http/URLUtilsJvm.kt"}, "region": {"startLine": 73}}}]}]}]}