{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /ap"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/prompts/search/."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /rating/{rating_id}"}, "fullDescription": {"text": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: DELETE /rating/{rating_id}."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). 
Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC034", "name": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines o", "shortDescription": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (S"}, "fullDescription": {"text": "Strip control characters before logging:\n  safe = user_input.replace('\\n','').replace('\\r','').replace('\\x00','')\n  logger.info('User action: %s', safe)\nAlways use parameterized logging (`%s` + args), never f-strings or string concat \u2014 that's also what mitigates log4shell-style attacks. 
For structured logging, use a JSON formatter that escapes values."}, "properties": {"scanner": "repobility-threat-engine", "category": "log_injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n  1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is      functionally equivalent to `a+` for matching purposes.\n  2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in      replacement for `re` for most use cases.\n  3. Set a hard timeout: `signal.alarm(1)` before regex eval.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. 
Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC012", "name": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json", "shortDescription": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. 
Public production APIs should explicitly disable those defaults, protect them behind admin authentication, "}, "fullDescription": {"text": "FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.72, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "SEC014", "name": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing 
man-in-the-middle attacks.", "shortDescription": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "fullDescription": {"text": "Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 519 lines (recommend <300)", "shortDescription": {"text": "Average file size is 519 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "SEC124", "name": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacke", "shortDescription": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason."}, "fullDescription": {"text": "Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. 
Use `tempfile.NamedTemporaryFile()` (not `mktemp`). For locking, use `fcntl.flock`."}, "properties": {"scanner": "repobility-threat-engine", "category": "race_condition", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `query_history_by_kb` has cognitive complexity 8 (SonarSource scale). Cogn", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `query_history_by_kb` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recu"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 8."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.", "shortDescription": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 17 more): Same pattern found in 17 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 14 more): Same pattern found in 14 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED001] Bare Except Pass (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 10 more): Same pattern found in 10 additional files", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). 
For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.25, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: DELETE /rating/{rating_id}."}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /rating/{rating_id}."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "MINED034", "name": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.", "shortDescription": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC113", "name": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impe", "shortDescription": {"text": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. 
Common in `paramiko.AutoAddPolicy()`."}, "fullDescription": {"text": "Python: load `~/.ssh/known_hosts` and use `paramiko.RejectPolicy()`. Go: implement a `ssh.HostKeyCallback` that compares against a known fingerprint. Java JSch: load known_hosts via `jsch.setKnownHosts(...)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC082", "name": "[SEC082] Python: paramiko AutoAddPolicy or no host-key verification: AutoAddPolicy / WarningPolicy disables SSH host-key", "shortDescription": {"text": "[SEC082] Python: paramiko AutoAddPolicy or no host-key verification: AutoAddPolicy / WarningPolicy disables SSH host-key verification \u2014 vulnerable to MITM. Ported from bandit B507 / dlint DUO133 (Apache-2.0 / BSD-3)."}, "fullDescription": {"text": "Use `paramiko.RejectPolicy()` and pre-populate known_hosts via `client.load_system_host_keys()`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. 
Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/setup-python` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/setup-python` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/setup-python@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "FastAPI POST /{kb_name} has no auth", "shortDescription": {"text": "FastAPI POST /{kb_name} has no auth"}, "fullDescription": {"text": "Handler `create_kb_query_interface` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED110", "name": "Blocking call `time.sleep` inside async function `on_message_send_stream`", "shortDescription": {"text": "Blocking call `time.sleep` inside async function `on_message_send_stream`"}, "fullDescription": {"text": "`time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "Phantom test coverage: test_close", "shortDescription": {"text": "Phantom test coverage: test_close"}, "fullDescription": {"text": "Test function `test_close` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self._get_hits_total` used but never assigned in __init__", "shortDescription": {"text": "`self._get_hits_total` used but never assigned in __init__"}, "fullDescription": {"text": "Method `get_rating_stats` of class `EvaluationManager` reads `self._get_hits_total`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.", "shortDescription": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "fullDescription": {"text": "Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [id]). 
For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "MINED030", "name": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__.", "shortDescription": {"text": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC081", "name": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary co", "shortDescription": {"text": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3)."}, "fullDescription": {"text": "Use json, msgpack, or protobuf for untrusted data. If pickle is required, sign the payload with HMAC."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "Missing import: `queue` used but not imported", "shortDescription": {"text": "Missing import: `queue` used but not imported"}, "fullDescription": {"text": "The file uses `queue.something(...)` but never imports `queue`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/211"}, "properties": {"repository": "jd-opensource/OxyGent", "repoUrl": "https://github.com/jd-opensource/OxyGent", "branch": "main"}, "results": [{"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/prompts/search/."}, "properties": {"repobilityId": 48542, "scanner": "repobility-access-control", "fingerprint": "acaddbfa1378389c76b1135c47a8f464805d72afe64d3560effcafdec4a078cc", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/prompts/search/", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|654|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 654}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: DELETE /rating/{rating_id}."}, "properties": {"repobilityId": 48541, "scanner": "repobility-access-control", "fingerprint": "12c28a3f203fa78b8ab4d1991f8f2de29622e60b79b6662a25efbbb320ddc2c5", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/rating/{rating_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|1395|cwe-285", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 1395}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /rating/setup_indices."}, "properties": {"repobilityId": 48540, "scanner": "repobility-access-control", "fingerprint": "4c54d54c5cd066d1f6ba2b55d4ed5718a5e0d6bdbac774bfbc94ee22a8089a13", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/rating/setup_indices", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|1054|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 1054}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: DELETE /rating/clear_all."}, "properties": {"repobilityId": 48539, "scanner": "repobility-access-control", "fingerprint": "c6f4fc1c275d1253733e5e746b95c5a4aa2a6d9a57bdb2222e532a367d039d9e", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/rating/clear_all", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|1031|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 1031}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /debug/rating_stats/{trace_id}."}, "properties": {"repobilityId": 48538, "scanner": "repobility-access-control", "fingerprint": "e2c958d77c98c14aeaa546f53d40c83a651f97536bc0fec387844084ee546d46", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/debug/rating_stats/{trace_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|986|cwe-285", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 986}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /rating."}, "properties": {"repobilityId": 48537, "scanner": "repobility-access-control", "fingerprint": "9a0c10e3963ac370a8450a6ff95c4a9534724c50350ea343c38a0d2be894b43d", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/rating", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|842|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 842}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /api/prompts/{prompt_key}/history."}, "properties": {"repobilityId": 48536, "scanner": "repobility-access-control", "fingerprint": "9f2e3a4173f373df79c3ee5db32a873fb2ae4a3b7f012e0aaf203c0425cfbec8", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/prompts/{prompt_key}/history", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|681|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 681}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: DELETE /api/prompts/{prompt_key}."}, "properties": {"repobilityId": 48535, "scanner": "repobility-access-control", "fingerprint": "323457a315bd7fdd01de89aa9adfd521bad308b50ef11070bf461451d756b0c7", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/prompts/{prompt_key}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|630|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 630}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: PUT /api/prompts/{prompt_key}."}, "properties": {"repobilityId": 48534, "scanner": "repobility-access-control", "fingerprint": "6fa751338289948718d35bcf261735c0a71b249a0b317350aed213ff661334f3", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/prompts/{prompt_key}", "method": "PUT", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|541|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 541}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /api/prompts/."}, "properties": {"repobilityId": 48533, "scanner": "repobility-access-control", "fingerprint": "cb4d6e13459c8053090248ddfc2899d26445d4e8b1176a6b195e590ee9a046fe", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/prompts/", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|500|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 500}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /api/prompts/{prompt_key}."}, "properties": {"repobilityId": 48532, "scanner": "repobility-access-control", "fingerprint": "eedcf8de518bc7959ecaa99e92380c3d18dabbf1b5e3bf4abbd08ae35ad08735", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/prompts/{prompt_key}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|476|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 476}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 48521, "scanner": "repobility-threat-engine", "fingerprint": "99dc263318dedd956a43fcbb63b56775e430ebe8d39d89bcc7725beb84b461aa", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|26|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/preset_tools/python_tools.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 48515, "scanner": "repobility-threat-engine", "fingerprint": "d34fe8c0403b22693bb6f7e73f1559232d57412b09d378624a8b5c01095f6dc4", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pickle.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|oxygent/embedding_cache.py|128|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/embedding_cache.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. 
Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 48514, "scanner": "repobility-threat-engine", "fingerprint": "65c8aaac2a142efde7a9c751fc615b7eb81a6da856108ba111025ecede65cab1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:\n        with open(path, \"r\", encoding=\"utf-8\") as f:\n            raw = f.read()\n    except Exce", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|65c8aaac2a142efde7a9c751fc615b7eb81a6da856108ba111025ecede65cab1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/kubernetes_mcp_server/config_tools.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). 
CWE-117."}, "properties": {"repobilityId": 48507, "scanner": "repobility-threat-engine", "fingerprint": "1171d3e456264b1fabc64b0d3bd43844982ac3fc93a13ac7820ac9e8e605f98a", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.info(f\"Running shell command: {args", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1171d3e456264b1fabc64b0d3bd43844982ac3fc93a13ac7820ac9e8e605f98a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/preset_tools/shell_tools.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). 
CWE-117."}, "properties": {"repobilityId": 48506, "scanner": "repobility-threat-engine", "fingerprint": "69d8fd831a1397e85f637f56e52d994db883e4bca164f8e4fe8a54bd34a6a06e", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.info(f\"The current query is: {query", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|69d8fd831a1397e85f637f56e52d994db883e4bca164f8e4fe8a54bd34a6a06e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/backend/demo_logger_setup.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. 
Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 48505, "scanner": "repobility-threat-engine", "fingerprint": "41f7ffe948021c934ac242c9a03f421219069cd8046b7ec0870740ce332f4282", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "(.*)*", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|41f7ffe948021c934ac242c9a03f421219069cd8046b7ec0870740ce332f4282"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/router/routes.ts"}, "region": {"startLine": 95}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 48491, "scanner": "repobility-threat-engine", "fingerprint": "beef948cf607a17558f003e51e4e06ad57b877b9997b7993e9c80ecf83fc4d67", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except:\n                    pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|beef948cf607a17558f003e51e4e06ad57b877b9997b7993e9c80ecf83fc4d67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/core/storer/doc_manager/es_kb_base_manager.py"}, "region": {"startLine": 205}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible 
auth"}, "properties": {"repobilityId": 48452, "scanner": "repobility-agent-runtime", "fingerprint": "fcf8e56ca5f0b209789a5f002b579a2c6aea1d169a87da7d868f59ee9898619b", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|fcf8e56ca5f0b209789a5f002b579a2c6aea1d169a87da7d868f59ee9898619b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a/google_sdk_interop/demo_google_sdk_a2a_server.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 48451, "scanner": "repobility-agent-runtime", "fingerprint": "652e9da6b2f489b7c1b4ac258047056414b22c0a8bcaf6e3c2bae459852a6d6c", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|652e9da6b2f489b7c1b4ac258047056414b22c0a8bcaf6e3c2bae459852a6d6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a/agentscope_interop/demo_agentscope_a2a_server.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 48450, "scanner": "repobility-agent-runtime", "fingerprint": "947905ac0e8a0fe51639ffab36bb414f0ba0cac61c016985faab35ecda07766d", "category": 
"dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|947905ac0e8a0fe51639ffab36bb414f0ba0cac61c016985faab35ecda07766d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/docs_zh/introduction/tools/opensource-mcp-tools.md"}, "region": {"startLine": 21}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 48449, "scanner": "repobility-agent-runtime", "fingerprint": "d82f8432c3468e1baf883b9b59d92ac7c2d4e5d5f829ba70452d8bf4f641875d", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d82f8432c3468e1baf883b9b59d92ac7c2d4e5d5f829ba70452d8bf4f641875d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/docs_zh/introduction/getting-started/install.md"}, "region": {"startLine": 15}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 48448, "scanner": "repobility-agent-runtime", "fingerprint": "baf69cb4759e1f2d273b762f2714670b509ff9def714797e0a7892e9d5ef4e09", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature 
verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|baf69cb4759e1f2d273b762f2714670b509ff9def714797e0a7892e9d5ef4e09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/docs_en/introduction/tools/opensource-mcp-tools.md"}, "region": {"startLine": 21}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 48447, "scanner": "repobility-agent-runtime", "fingerprint": "2673500e10d60289d4b70fb2f2a621a7536fa49477a41a85ad6185703da7d6d3", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|2673500e10d60289d4b70fb2f2a621a7536fa49477a41a85ad6185703da7d6d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/docs_en/introduction/getting-started/install.md"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48384, "scanner": "repobility-ast-engine", "fingerprint": "43a4f32497fb388e175ebf5f54d176e3e7c8b6154c4156798b0cebab44871124", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|43a4f32497fb388e175ebf5f54d176e3e7c8b6154c4156798b0cebab44871124"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"function_hubs/train_ticket_tools.py"}, "region": {"startLine": 226}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48383, "scanner": "repobility-ast-engine", "fingerprint": "ee045ae2cef52e484523d7d82c44b50aaf3eed107f1bbdfc43c520d289fec368", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ee045ae2cef52e484523d7d82c44b50aaf3eed107f1bbdfc43c520d289fec368"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 651}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48382, "scanner": "repobility-ast-engine", "fingerprint": "f7894dbfcf494e8913f7957b560f7ca51d45d756ff2efb4202936fed5d01e6eb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f7894dbfcf494e8913f7957b560f7ca51d45d756ff2efb4202936fed5d01e6eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 631}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48381, "scanner": "repobility-ast-engine", "fingerprint": "b4f1d150ae754b3253b1fbefe8ef59c36ce58b84e8cc13b15b17da08d29038cf", "category": "quality", "severity": "medium", 
"confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b4f1d150ae754b3253b1fbefe8ef59c36ce58b84e8cc13b15b17da08d29038cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48380, "scanner": "repobility-ast-engine", "fingerprint": "b0bfcffa9d6c066fdd806179ad406b7ce3000e8f16b9113ca44e6ea467fe2cdf", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b0bfcffa9d6c066fdd806179ad406b7ce3000e8f16b9113ca44e6ea467fe2cdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 599}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48379, "scanner": "repobility-ast-engine", "fingerprint": "235233d0c5cf5ffc2d7608644786687c15e9e35555859387c7fa419cf151bdb2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|235233d0c5cf5ffc2d7608644786687c15e9e35555859387c7fa419cf151bdb2"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48378, "scanner": "repobility-ast-engine", "fingerprint": "5a29133c1f2403682d3bf80c2315f349454f70b7cd7c457bb9add6ce09826d73", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5a29133c1f2403682d3bf80c2315f349454f70b7cd7c457bb9add6ce09826d73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 878}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48377, "scanner": "repobility-ast-engine", "fingerprint": "6ccdfa8c2d46d18fccbda3190f7f80fc8198379e14fcdb44b5467c7d796e225e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6ccdfa8c2d46d18fccbda3190f7f80fc8198379e14fcdb44b5467c7d796e225e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 412}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48376, "scanner": "repobility-ast-engine", "fingerprint": "dc102c426b66576f892d3da2fcc6694d5dc5e743b9d027114874805aa58649f4", 
"category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dc102c426b66576f892d3da2fcc6694d5dc5e743b9d027114874805aa58649f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 338}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48375, "scanner": "repobility-ast-engine", "fingerprint": "b1eca4a7b0ccbf03d1b8caa4f6f5d0a594b9cac870bb2ad713590a871b2ad7a9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b1eca4a7b0ccbf03d1b8caa4f6f5d0a594b9cac870bb2ad713590a871b2ad7a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 280}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48374, "scanner": "repobility-ast-engine", "fingerprint": "2623f5560bb9e40a94db69fd7bd8ec57b2f76ec0cb8f371901240865514eae63", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|2623f5560bb9e40a94db69fd7bd8ec57b2f76ec0cb8f371901240865514eae63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 966}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48373, "scanner": "repobility-ast-engine", "fingerprint": "0b6df3a77d072d214dca05eccd5884a3702aab6c5514f74e84cc306243e847d8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0b6df3a77d072d214dca05eccd5884a3702aab6c5514f74e84cc306243e847d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 806}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48372, "scanner": "repobility-ast-engine", "fingerprint": "06f7fce64fe1cfdf64fa73e86de16fdf4266b20a65084432c58504f1e31b2f85", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|06f7fce64fe1cfdf64fa73e86de16fdf4266b20a65084432c58504f1e31b2f85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 525}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48371, "scanner": "repobility-ast-engine", 
"fingerprint": "db2acf58cd890ddeb645e68aef945dbd337ce0551599e919a23d754f2f654142", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|db2acf58cd890ddeb645e68aef945dbd337ce0551599e919a23d754f2f654142"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 299}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48370, "scanner": "repobility-ast-engine", "fingerprint": "b48e7aa972a05859ab585add8e34376376d08bce43aa3cd2a5ef89b630a42936", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b48e7aa972a05859ab585add8e34376376d08bce43aa3cd2a5ef89b630a42936"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 1117}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48369, "scanner": "repobility-ast-engine", "fingerprint": "1763bfcd95fe266e48fc3eaf487c458c9aa77f53c36964b070bba3d03164facd", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, 
"scanner": "repobility-ast-engine", "correlation_key": "fp|1763bfcd95fe266e48fc3eaf487c458c9aa77f53c36964b070bba3d03164facd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 1093}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48368, "scanner": "repobility-ast-engine", "fingerprint": "142fbb76e8bb852125c176b4b1ad853fe64c9821175f71213e87c919dd054bff", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|142fbb76e8bb852125c176b4b1ad853fe64c9821175f71213e87c919dd054bff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 1042}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48367, "scanner": "repobility-ast-engine", "fingerprint": "b903822d0296dcd47328e844b8138e8031d31b6744a76c711fc923562f9be077", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b903822d0296dcd47328e844b8138e8031d31b6744a76c711fc923562f9be077"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 957}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 
48366, "scanner": "repobility-ast-engine", "fingerprint": "9ae5767f6543bbab179578afe461b63bf5e12f04c2d6b34aa815196fa70ceb5f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9ae5767f6543bbab179578afe461b63bf5e12f04c2d6b34aa815196fa70ceb5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 892}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48365, "scanner": "repobility-ast-engine", "fingerprint": "cc3582df066b835910c45d78dbee501c1f548d449a76e54e4cb8ee191a17ae93", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cc3582df066b835910c45d78dbee501c1f548d449a76e54e4cb8ee191a17ae93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 760}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48364, "scanner": "repobility-ast-engine", "fingerprint": "d4b9c0e8c2cd2e91ba159551569de71a2856ab6fac444a3fab27448c4f8b2367", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": 
["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d4b9c0e8c2cd2e91ba159551569de71a2856ab6fac444a3fab27448c4f8b2367"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 659}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48363, "scanner": "repobility-ast-engine", "fingerprint": "97f5e2bb42165e6a39ea98813200dc533a298274e43d00194e9ff19d11dfa4db", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|97f5e2bb42165e6a39ea98813200dc533a298274e43d00194e9ff19d11dfa4db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 605}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48362, "scanner": "repobility-ast-engine", "fingerprint": "8dc37083d0c9784ddb13a297236df5c697248b8d55a0312a8ee85c1896064de0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8dc37083d0c9784ddb13a297236df5c697248b8d55a0312a8ee85c1896064de0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 458}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues 
silently"}, "properties": {"repobilityId": 48361, "scanner": "repobility-ast-engine", "fingerprint": "2b468674a649104a97857a2a9ad0f63fcbc7e4bb685a845562f20812fdd47179", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2b468674a649104a97857a2a9ad0f63fcbc7e4bb685a845562f20812fdd47179"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 428}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 48360, "scanner": "repobility-ast-engine", "fingerprint": "93bc0fea4104774a9f6c5df4ec046d713fd3dc60de78224cd77ae382078be9cd", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|93bc0fea4104774a9f6c5df4ec046d713fd3dc60de78224cd77ae382078be9cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 153}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 6568, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file 
or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6567, "scanner": "repobility-journey-contract", "fingerprint": "c4798136701b3c778f131e3219eec43654ed92b1116673c110eb14ce55cc19ab", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/deposit", "correlation_key": "fp|c4798136701b3c778f131e3219eec43654ed92b1116673c110eb14ce55cc19ab", "backend_endpoint_count": 67}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/api/apiDefinitions.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6566, "scanner": "repobility-journey-contract", "fingerprint": "44004d824662191bcdfa7f70ad689be3cbe38dc971430beb3c01f3617781dd09", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": 
"repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/query_interface/{param}", "correlation_key": "fp|44004d824662191bcdfa7f70ad689be3cbe38dc971430beb3c01f3617781dd09", "backend_endpoint_count": 67}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/api/apiDefinitions.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6565, "scanner": "repobility-journey-contract", "fingerprint": "87da555f39510cf00940625225591dfece6f29d5a42f5e05f236c1be5083272e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/query_interface/{param}", "correlation_key": "fp|87da555f39510cf00940625225591dfece6f29d5a42f5e05f236c1be5083272e", "backend_endpoint_count": 67}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/api/apiDefinitions.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6564, "scanner": "repobility-journey-contract", "fingerprint": "ce5887890211c41d22de2d332fe2c9ead5458dcdd2016a8ac4d2de0e9c55f6c5", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": 
"JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/kb_base/{param}/chunks", "correlation_key": "fp|ce5887890211c41d22de2d332fe2c9ead5458dcdd2016a8ac4d2de0e9c55f6c5", "backend_endpoint_count": 67}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/api/apiDefinitions.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6563, "scanner": "repobility-journey-contract", "fingerprint": "0641d1664fa2c5d9c26f379299fe8e04a178216b0ab7034a35a17ab56324c56c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/kb_base/{param}/file/{param}/chunks", "correlation_key": "fp|0641d1664fa2c5d9c26f379299fe8e04a178216b0ab7034a35a17ab56324c56c", "backend_endpoint_count": 67}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/api/apiDefinitions.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6562, "scanner": "repobility-journey-contract", "fingerprint": "0e5e143a3d29044e84325d55177e2699f60a65bd9f9189a9475d81c99ef0f302", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route 
shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/kb_base/{param}/ingest_data", "correlation_key": "fp|0e5e143a3d29044e84325d55177e2699f60a65bd9f9189a9475d81c99ef0f302", "backend_endpoint_count": 67}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/api/apiDefinitions.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6561, "scanner": "repobility-journey-contract", "fingerprint": "239a1a6206c450da4b59964c089598f75362475dfb7346da01b8af53afaf44a4", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/kb_base/{param}/ingest_file", "correlation_key": "fp|239a1a6206c450da4b59964c089598f75362475dfb7346da01b8af53afaf44a4", "backend_endpoint_count": 67}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/api/apiDefinitions.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6560, "scanner": "repobility-journey-contract", "fingerprint": "3abbe25217ef452b881413e8f3d7aa01c831e207daf559609bb40edf9bb9d038", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend 
endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/kb_base/{param}/upload_file/{param}", "correlation_key": "fp|3abbe25217ef452b881413e8f3d7aa01c831e207daf559609bb40edf9bb9d038", "backend_endpoint_count": 67}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/api/apiDefinitions.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6559, "scanner": "repobility-journey-contract", "fingerprint": "c30e1773283a63be403c411268a65a37f0c1bd0d977237e91785e784f97f252e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/kb_base/{param}/upload_file", "correlation_key": "fp|c30e1773283a63be403c411268a65a37f0c1bd0d977237e91785e784f97f252e", "backend_endpoint_count": 67}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/api/apiDefinitions.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6558, "scanner": "repobility-journey-contract", "fingerprint": "76cb698d679e659e06a0d323ba7305612ea17c7ae6e246360e180f2da5a0db63", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in 
frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/kb_base/{param}/kb_file", "correlation_key": "fp|76cb698d679e659e06a0d323ba7305612ea17c7ae6e246360e180f2da5a0db63", "backend_endpoint_count": 67}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/api/apiDefinitions.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6557, "scanner": "repobility-journey-contract", "fingerprint": "e438e2eaf290d6e280e37d8f31f827ce01a12a562eaf2ef209e162ee2da07b3b", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/kb_base/{param}/schema/exists", "correlation_key": "fp|e438e2eaf290d6e280e37d8f31f827ce01a12a562eaf2ef209e162ee2da07b3b", "backend_endpoint_count": 67}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/api/apiDefinitions.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6556, "scanner": "repobility-journey-contract", "fingerprint": "bfd2c12c6e6df3007714de560f59906694f90eddd5ac366777a211c7cff700f9", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": 
"Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/kb_base/{param}/schema", "correlation_key": "fp|bfd2c12c6e6df3007714de560f59906694f90eddd5ac366777a211c7cff700f9", "backend_endpoint_count": 67}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/api/apiDefinitions.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6555, "scanner": "repobility-journey-contract", "fingerprint": "4853876621e4393120a747a36bb2c7219cb029c541842eb004105624d0ffe7a9", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/kb_base/{param}", "correlation_key": "fp|4853876621e4393120a747a36bb2c7219cb029c541842eb004105624d0ffe7a9", "backend_endpoint_count": 67}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/api/apiDefinitions.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6554, "scanner": "repobility-journey-contract", "fingerprint": "088d8822856dc4c14d96b19dc29530e210638f9f3e1ed134ba130d1582087590", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": 
false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/kb_base", "correlation_key": "fp|088d8822856dc4c14d96b19dc29530e210638f9f3e1ed134ba130d1582087590", "backend_endpoint_count": 67}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/api/apiDefinitions.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6553, "scanner": "repobility-journey-contract", "fingerprint": "c88b7b0a57168efe39a0d6adc4337dead15d56edf0d93d32fb1509472fb84cc6", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/kb_base", "correlation_key": "fp|c88b7b0a57168efe39a0d6adc4337dead15d56edf0d93d32fb1509472fb84cc6", "backend_endpoint_count": 67}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/api/apiDefinitions.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 6552, "scanner": "repobility-journey-contract", "fingerprint": "ae4d2b63adc67e1be7ec2e0df30f30df30a2c7eecdbde2299e38e2930ed437a8", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API 
call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|253|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/views/knowledge/recall/index.vue"}, "region": {"startLine": 253}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 6551, "scanner": "repobility-journey-contract", "fingerprint": "ff934d66b262985bac30e06e1815aa33599b81d551d9d9cb8929a5ac1baae62c", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|387|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/views/annotation/index.vue"}, "region": {"startLine": 387}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 6550, "scanner": "repobility-journey-contract", "fingerprint": "cbd022bf3c8c257ae5d0fc33223fbe9bb53058bce08f73c08a21848806503a53", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": 
"code|auth|token|20|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/utils/auth.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 6549, "scanner": "repobility-journey-contract", "fingerprint": "77fd614ea76d3d8c254b71cb180c2bfde6a43cb4a3f890239372f3f852c85e21", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|13|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/utils/auth.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 6548, "scanner": "repobility-journey-contract", "fingerprint": "d4ab91fb2a2c3fa128c0628857b4118bd8a85930feb5b300601784aa2f850a51", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|60|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/api/index.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "AUC012", "level": "warning", "message": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework 
defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"repobilityId": 6547, "scanner": "repobility-access-control", "fingerprint": "27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899", "category": "auth", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"apps": [{"line": 1444, "file_path": "oxygent/mas.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 5, "file_path": "applications/bank_manager_by_api_router.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 5, "file_path": "applications/bank_manager_by_manual_api.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 48, "file_path": "tests/e2e/test_api_e2e.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 110, "file_path": "tests/e2e/test_api_e2e.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}], "scanner": "repobility-access-control", "correlation_key": "fp|27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899"}}}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: PATCH /{kb_name}/{trigger_id}/disable."}, "properties": {"repobilityId": 6546, "scanner": "repobility-access-control", "fingerprint": "397577a6785d3c48145cb8c8a143e33b1e064c815474ba3aca5fa888867b2935", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{kb_name}/{trigger_id}/disable", "method": "PATCH", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|247|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/app/api/endpoints/trigger/crud.py"}, "region": {"startLine": 247}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: PATCH /{kb_name}/{trigger_id}/enable."}, "properties": {"repobilityId": 6545, "scanner": "repobility-access-control", "fingerprint": "4e31019dc3a287c64769166d77fcf84dd44e5a847899e3ba5e5d70be378b467a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{kb_name}/{trigger_id}/enable", "method": "PATCH", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|211|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/app/api/endpoints/trigger/crud.py"}, "region": {"startLine": 211}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: DELETE /{kb_name}/{trigger_id}."}, "properties": {"repobilityId": 6544, "scanner": "repobility-access-control", "fingerprint": "90233a67e558d452e348405ec8306b592579beb519f55ec18d3815907ae18895", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{kb_name}/{trigger_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|168|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/app/api/endpoints/trigger/crud.py"}, "region": {"startLine": 168}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /api/prompts/search/."}, "properties": {"repobilityId": 6543, "scanner": "repobility-access-control", "fingerprint": "fdf81fa5d2fb74e981b1a1bb6b17e9f43a2ae63fa5c1ac8a1f51c3f1c189ea97", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/prompts/search/", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|661|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 661}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: DELETE /rating/{rating_id}."}, "properties": {"repobilityId": 6542, "scanner": "repobility-access-control", "fingerprint": "c1b5bdb0e46852118b7d88a31c5e6aa6c07c111ce646163b247abf0e933b2155", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/rating/{rating_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|1389|cwe-285", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 1389}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /rating/setup_indices."}, "properties": {"repobilityId": 6541, "scanner": "repobility-access-control", "fingerprint": "6a483b1c547524c26c7a8297271cb08addfe53893c826abfd4ff2890077c9b3f", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/rating/setup_indices", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|1047|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 1047}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: DELETE /rating/clear_all."}, "properties": {"repobilityId": 6540, "scanner": "repobility-access-control", "fingerprint": "3fbe39fcb1e2113943b9e091a892731822eee14753907047fb720c3e11c5703d", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/rating/clear_all", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|1023|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 1023}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /debug/rating_stats/{trace_id}."}, "properties": {"repobilityId": 6539, "scanner": "repobility-access-control", "fingerprint": "6f0e758c293e68eab0e4d3a4b14d304f3d22cde36667a93cf0d4d9b99a9b9930", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/debug/rating_stats/{trace_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|976|cwe-285", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 976}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /rating."}, "properties": {"repobilityId": 6538, "scanner": "repobility-access-control", "fingerprint": "5f1a7d9ef4d6aae56e1ada5b023d8d84600550a34ee81942d2c9df3323673c84", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/rating", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|843|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 843}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /api/prompts/{prompt_key}/history."}, "properties": {"repobilityId": 6537, "scanner": "repobility-access-control", "fingerprint": "7833223c34b7d019cc370b3152101c533ecd63f5e7fbd0b4554205b27269198d", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/prompts/{prompt_key}/history", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|686|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 686}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: DELETE /api/prompts/{prompt_key}."}, "properties": {"repobilityId": 6536, "scanner": "repobility-access-control", "fingerprint": "982132803b0c71235cabd6ba227e1988080c64d38fd41b524226486897ab06ec", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/prompts/{prompt_key}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|637|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 637}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: PUT /api/prompts/{prompt_key}."}, "properties": {"repobilityId": 6535, "scanner": "repobility-access-control", "fingerprint": "0d717225bc67b497dc1a54571634e73354d4c92ddbd6c4200e9eebbf665d0776", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/prompts/{prompt_key}", "method": "PUT", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|548|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 548}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /api/prompts/."}, "properties": {"repobilityId": 6534, "scanner": "repobility-access-control", "fingerprint": "ce11a88ef49035fb3a926724c5fa3c4636debfae4d90b918f56806ae7df63dd9", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/prompts/", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|509|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 509}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /api/prompts/{prompt_key}."}, "properties": {"repobilityId": 6533, "scanner": "repobility-access-control", "fingerprint": "c0cfec4fd1570998675c55e4a43be96b7014809d6abeefaa903c82df5d4ee1ad", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/prompts/{prompt_key}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|485|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 485}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 6522, "scanner": "repobility-access-control", "fingerprint": "b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 67, "correlation_key": "fp|b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "auth_visible_percent": 0.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 6521, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", 
"category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["FastAPI"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "SEC014", "level": "warning", "message": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "properties": {"repobilityId": 6520, "scanner": "repobility-threat-engine", "fingerprint": "d8a9f05a46e101d7afc9955ef6ddef180bd0cdab7a9f63849e5c28099c71e406", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "verify=False", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC014", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|909|sec014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/databases/db_vector/vearch_db.py"}, "region": {"startLine": 909}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 6519, "scanner": "repobility-threat-engine", "fingerprint": "c1f893e9a21256f8cbec4ec26948a025a2cb7cd4cc4300c703f1af40a13e6907", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "subprocess.run(\n         
   args,\n            capture_output=True,\n            encoding=\"utf8\",", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|26|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/preset_tools/shell_tools.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 6507, "scanner": "repobility-threat-engine", "fingerprint": "7ed34c200e5e0f4b015007e896f67bcc174975aa80879b420d25cf01f5e3de3e", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7ed34c200e5e0f4b015007e896f67bcc174975aa80879b420d25cf01f5e3de3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/kubernetes_mcp_server/config_tools.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 6506, "scanner": "repobility-threat-engine", "fingerprint": "6c5f813457326982221431ccdd82ca787141afbbf066024232424d703ce8c9b7", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6c5f813457326982221431ccdd82ca787141afbbf066024232424d703ce8c9b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "function_hubs/code_interpreter_tools.py"}, "region": {"startLine": 251}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 6505, "scanner": "repobility-threat-engine", "fingerprint": "30f60f7d0c77f86c3c248b2422ce3c853d3608cf24caf9bacc1465dd3d37bd7f", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except:\n                        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|30f60f7d0c77f86c3c248b2422ce3c853d3608cf24caf9bacc1465dd3d37bd7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/tts_tools.py"}, "region": {"startLine": 568}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 
6504, "scanner": "repobility-threat-engine", "fingerprint": "f618a9ac22c2f08a686788df5f4f7a597f179fb5f53ec7846cdea4d2b5c11344", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pickle.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|oxygent/embedding_cache.py|123|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/embedding_cache.py"}, "region": {"startLine": 123}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 6503, "scanner": "repobility-agent-runtime", "fingerprint": "622a3704a7a26034196877a38e0e6fab06214a6ef7c0efd6c55f6e9b9bc37c63", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|622a3704a7a26034196877a38e0e6fab06214a6ef7c0efd6c55f6e9b9bc37c63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/_mcp_testing_utilities/mcp_server_show_headers.py"}, "region": {"startLine": 4}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 6502, "scanner": "repobility-agent-runtime", "fingerprint": "61b9532ceb27a4d3f7512330958cf503cb5dcb0264672dc3552ac60964d3ae6c", "category": "quality", "severity": "medium", "confidence": 0.72, 
"triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|61b9532ceb27a4d3f7512330958cf503cb5dcb0264672dc3552ac60964d3ae6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a/google_sdk_interop/demo_google_sdk_a2a_server.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 6501, "scanner": "repobility-agent-runtime", "fingerprint": "0d28b7602c1284e89e3a8b349ab40ccda33918dbf443971a00555036e7c11661", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|0d28b7602c1284e89e3a8b349ab40ccda33918dbf443971a00555036e7c11661"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a/agentscope_interop/demo_agentscope_a2a_server.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 6500, "scanner": "repobility-agent-runtime", "fingerprint": "56eb51feec02315379a11e6cf77be8d111b5e952d95377610dd6ab90674f51b3", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature 
verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|56eb51feec02315379a11e6cf77be8d111b5e952d95377610dd6ab90674f51b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/docs_zh/0_install.md"}, "region": {"startLine": 15}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 6499, "scanner": "repobility-agent-runtime", "fingerprint": "d88eefc7ba241e3a9e577ea59c2d2322a469c257653d49de2ca540ba54f115da", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d88eefc7ba241e3a9e577ea59c2d2322a469c257653d49de2ca540ba54f115da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README_zh.md"}, "region": {"startLine": 89}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 6498, "scanner": "repobility-agent-runtime", "fingerprint": "1f6756be6d328df5c74b1e9d751324511364045815def8b521117f6371788f1f", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|1f6756be6d328df5c74b1e9d751324511364045815def8b521117f6371788f1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 91}}}]}, 
{"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 519 lines (recommend <300)"}, "properties": {"repobilityId": 6485, "scanner": "repobility-core", "fingerprint": "58a80fbef35803cc95c3cadf9863bc2c85e645d789b0aa27929337e94388d20c", "category": "quality", "severity": "medium", "confidence": null, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|58a80fbef35803cc95c3cadf9863bc2c85e645d789b0aa27929337e94388d20c"}}}, {"ruleId": "SEC124", "level": "note", "message": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason."}, "properties": {"repobilityId": 48520, "scanner": "repobility-threat-engine", "fingerprint": "9a4abbcbda0bf2394bd029f9acb3933a751536c161702df6d02c25a2f4174210", "category": "race_condition", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.path.isfile(path):\n            os.remove(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC124", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9a4abbcbda0bf2394bd029f9acb3933a751536c161702df6d02c25a2f4174210"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/preset_tools/file_tools.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 48508, "scanner": "repobility-threat-engine", "fingerprint": "feda81d1606d32e3ea052f6b97cb244d98ca97cd4ddafdd9aeae7ac472c3b769", "category": "injection", "severity": "low", 
"confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = i", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|oxygent/web/js/cascader.js|155|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/web/js/cascader.js"}, "region": {"startLine": 155}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `query_history_by_kb` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: except=4, if=2, nested_bonus=2."}, "properties": {"repobilityId": 48459, "scanner": "repobility-threat-engine", "fingerprint": "77dd0497f880c3e2213059c795a76d63a0667c8fea14c1d6c99faf8e7c5cda8f", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "query_history_by_kb", "breakdown": {"if": 2, "except": 4, "nested_bonus": 2}, "complexity": 8, "correlation_key": "fp|77dd0497f880c3e2213059c795a76d63a0667c8fea14c1d6c99faf8e7c5cda8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/app/api/endpoints/trigger/history.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `create_kb_query_interface` has cognitive complexity 14 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: except=6, for=1, if=5, nested_bonus=1, or=1."}, "properties": {"repobilityId": 48458, "scanner": "repobility-threat-engine", "fingerprint": "7d0b8c80cacd90d8a29644be611bfa1940ce67d3377442d4e271964faa0a9aff", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 14 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "create_kb_query_interface", "breakdown": {"if": 5, "or": 1, "for": 1, "except": 6, "nested_bonus": 1}, "complexity": 14, "correlation_key": "fp|7d0b8c80cacd90d8a29644be611bfa1940ce67d3377442d4e271964faa0a9aff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/app/api/dynamic/query_endpoint.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48332, "scanner": "repobility-ai-code-hygiene", "fingerprint": "813640040ac3d8198373ac0a0b05cf1c1af9ae57e35eae9d63eccb2e2d57f17b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "function_hubs/chart/__init__.py", "duplicate_line": 7, "correlation_key": "fp|813640040ac3d8198373ac0a0b05cf1c1af9ae57e35eae9d63eccb2e2d57f17b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/preset_tools/__init__.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 48331, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ac1195e4ce58af9745c6a2088f4eaf9056f3337ed13899a9db242f2632d6198f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "oxygent/oxy/llms/http_llm.py", "duplicate_line": 129, "correlation_key": "fp|ac1195e4ce58af9745c6a2088f4eaf9056f3337ed13899a9db242f2632d6198f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/oxy/llms/openai_llm.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48330, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a32a9fc3b14fbf7c4b5b22f9ff22bbf282b52aef555f922a9fa0f0354de6656b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "oxygent/oxy/agents/react_agent.py", "duplicate_line": 274, "correlation_key": "fp|a32a9fc3b14fbf7c4b5b22f9ff22bbf282b52aef555f922a9fa0f0354de6656b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/oxy/agents/shell_use_agent.py"}, "region": {"startLine": 144}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48329, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"1243fa9ea75ba9ded8c41269993ffbbda29fa0a2a9216cc4cfc7ebc31fceff64", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "oxygent/oxy/agents/local_agent.py", "duplicate_line": 275, "correlation_key": "fp|1243fa9ea75ba9ded8c41269993ffbbda29fa0a2a9216cc4cfc7ebc31fceff64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/oxy/agents/react_agent.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48328, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7c9a118d3201f112cd5b503f4958fbc19743c2d8d0dbca42d8bf8a1fcb35cebc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcp_servers/math_tools.py", "duplicate_line": 6, "correlation_key": "fp|7c9a118d3201f112cd5b503f4958fbc19743c2d8d0dbca42d8bf8a1fcb35cebc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/math_tools_streamable.py"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48327, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4abc5c6ae02b566f24e03bc325f30c6304feccaabe8c3d15db80e9dbc0fefe96", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcp_servers/math_tools_sse.py", "duplicate_line": 1, "correlation_key": "fp|4abc5c6ae02b566f24e03bc325f30c6304feccaabe8c3d15db80e9dbc0fefe96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/math_tools_streamable.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48326, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c1d12f5677459588d871d6f994c237128787b1deefa5d94c83ab124a05a1c1d8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcp_servers/math_tools.py", "duplicate_line": 6, "correlation_key": "fp|c1d12f5677459588d871d6f994c237128787b1deefa5d94c83ab124a05a1c1d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/math_tools_sse.py"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48325, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0f89b4c5ac29d922a566b32019b41869411d9fead9a81e1710d30395f80f4630", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcp_servers/kubernetes_mcp_server/core_tools/resources.py", "duplicate_line": 17, "correlation_key": "fp|0f89b4c5ac29d922a566b32019b41869411d9fead9a81e1710d30395f80f4630"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/kubernetes_mcp_server/helm_tools.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48324, "scanner": "repobility-ai-code-hygiene", "fingerprint": "37899e684137a8c99d7a07729c8317d7c09561b8a1501cb1b862191d186738e9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcp_servers/kubernetes_mcp_server/core_tools/nodes.py", "duplicate_line": 76, "correlation_key": "fp|37899e684137a8c99d7a07729c8317d7c09561b8a1501cb1b862191d186738e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/kubernetes_mcp_server/core_tools/pods.py"}, "region": {"startLine": 229}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48323, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2f9512105e20e28e88351d48dcd89cc53535ea503b467f7ddc6edd76af22c7d0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "mcp_servers/kubernetes_mcp_server/core_tools/events.py", "duplicate_line": 7, "correlation_key": "fp|2f9512105e20e28e88351d48dcd89cc53535ea503b467f7ddc6edd76af22c7d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/kubernetes_mcp_server/core_tools/nodes.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 48322, "scanner": "repobility-ai-code-hygiene", "fingerprint": "64317af185c33340043c712e276451366a5ad507471697d0f3031f92a42df98d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcp_servers/kubernetes_mcp_server/core_tools/events.py", "duplicate_line": 7, "correlation_key": "fp|64317af185c33340043c712e276451366a5ad507471697d0f3031f92a42df98d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/kubernetes_mcp_server/core_tools/namespaces.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 6511, "scanner": "repobility-threat-engine", "fingerprint": "0ce3057f08215c751b858770e7ae3527e85bfdaa1dd4d09df31ea2089fa3d10f", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = c", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": 
"SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|457|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/web/js/mermaid-sdk-flowchart.js"}, "region": {"startLine": 457}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 6510, "scanner": "repobility-threat-engine", "fingerprint": "17e12a9c9d2e193afb32fbc82b5bfdf70142329a32d260082a9585de9301fe8c", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|28|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "function_hubs/chart/web/js/app.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 6509, "scanner": "repobility-threat-engine", "fingerprint": "5204d80242a3272d391f17e816b4e3e1a28c8a189015937f76741b071eedd3d4", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|123|sec006"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "function_hubs/chart/static_files_utils.py"}, "region": {"startLine": 123}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6497, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3101cca22364f1b160a8bd45b8dbdc60952e7a803ecee4372341c5c72de6ebfc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcp_servers/browser/navigation.py", "duplicate_line": 168, "correlation_key": "fp|3101cca22364f1b160a8bd45b8dbdc60952e7a803ecee4372341c5c72de6ebfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/browser/search.py"}, "region": {"startLine": 208}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6496, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1069cc244522ea34acb91fb8c73433cc696727a12caa8447b92c884dee2b9f8c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "function_hubs/chart/static_files_utils.py", "duplicate_line": 80, "correlation_key": "fp|1069cc244522ea34acb91fb8c73433cc696727a12caa8447b92c884dee2b9f8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "function_hubs/chart/web/js/app.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", 
"level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6495, "scanner": "repobility-ai-code-hygiene", "fingerprint": "be3f03f050ed62e77407ccb2349102cef3482d878d1df05782fb4569b4776767", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "applications/oxybank/web/src/views/knowledge/create/components/StepRetrievalConfig.vue", "duplicate_line": 50, "correlation_key": "fp|be3f03f050ed62e77407ccb2349102cef3482d878d1df05782fb4569b4776767"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/views/knowledge/types.ts"}, "region": {"startLine": 89}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6494, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0720fed5579b34df8393b193575a7d9d673ed264c7159a68db746e2904eba1e5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "applications/oxybank/web/src/views/knowledge/detail/components/DocumentTable.vue", "duplicate_line": 43, "correlation_key": "fp|0720fed5579b34df8393b193575a7d9d673ed264c7159a68db746e2904eba1e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/views/knowledge/index.vue"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", 
"message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6493, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1f0c5038df72a91ec90b39bfd7a2bc1c9fbbbd358e546f7df8a4d24bd26ff30c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "applications/oxybank/web/src/views/knowledge/detail/components/DocumentTable.vue", "duplicate_line": 43, "correlation_key": "fp|1f0c5038df72a91ec90b39bfd7a2bc1c9fbbbd358e546f7df8a4d24bd26ff30c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/views/knowledge/detail/index.vue"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6492, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c002bd67c66a1d81f0b6a43a36760e536f42100dd6caa29790e14ed6bf714dea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "applications/oxybank/web/src/views/knowledge/create/components/StepProcessing.vue", "duplicate_line": 38, "correlation_key": "fp|c002bd67c66a1d81f0b6a43a36760e536f42100dd6caa29790e14ed6bf714dea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/views/knowledge/detail/components/DocumentTable.vue"}, "region": {"startLine": 160}}}]}, {"ruleId": "AIC003", 
"level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6491, "scanner": "repobility-ai-code-hygiene", "fingerprint": "73d393958dd832fc04dee63f26b324417123d9dc04725cbf779db5b8ed6fecbf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "applications/oxybank/web/src/views/error/404.vue", "duplicate_line": 50, "correlation_key": "fp|73d393958dd832fc04dee63f26b324417123d9dc04725cbf779db5b8ed6fecbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/views/error/500.vue"}, "region": {"startLine": 61}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6490, "scanner": "repobility-ai-code-hygiene", "fingerprint": "34790a86e3a4e62d7ef8b35cf61d1c45dbc853c92c28fbd212e9dfef2bb415ee", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "applications/oxybank/utils/file_util.py", "duplicate_line": 7, "correlation_key": "fp|34790a86e3a4e62d7ef8b35cf61d1c45dbc853c92c28fbd212e9dfef2bb415ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/utils/files_process.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 6489, "scanner": "repobility-ai-code-hygiene", "fingerprint": "75a8e129d5ac36ebe5b677e14fb94dad782c637a53cd48e457267dc25392a2b7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "applications/oxybank/core/storer/doc_manager/es_kb_base_manager.py", "duplicate_line": 106, "correlation_key": "fp|75a8e129d5ac36ebe5b677e14fb94dad782c637a53cd48e457267dc25392a2b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/core/storer/doc_manager/es_kb_file_manager.py"}, "region": {"startLine": 186}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6488, "scanner": "repobility-ai-code-hygiene", "fingerprint": "215509758eb86c359b12ed7bee3f5c6ea3edba5cbc463d828cab9ac435d1f091", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "applications/oxybank/core/storer/doc_manager/es_kb_base_manager.py", "duplicate_line": 119, "correlation_key": "fp|215509758eb86c359b12ed7bee3f5c6ea3edba5cbc463d828cab9ac435d1f091"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/core/storer/doc_manager/es_kb_chunk_manager.py"}, "region": {"startLine": 131}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 
6487, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8f1642ee5e998a70c0d221f54dd96cb413937e3c4fb9dc69b34db392397e80e1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "applications/oxybank/core/services/annotation_service.py", "duplicate_line": 67, "correlation_key": "fp|8f1642ee5e998a70c0d221f54dd96cb413937e3c4fb9dc69b34db392397e80e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/core/storer/doc_manager/annotation_manager.py"}, "region": {"startLine": 245}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6486, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8fa6e5bdee3baeb250bd328965843731d1202a5d4277823452f0f4aa2a9727ee", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "applications/oxybank/app/api/dynamic/query_endpoint.py", "duplicate_line": 92, "correlation_key": "fp|8fa6e5bdee3baeb250bd328965843731d1202a5d4277823452f0f4aa2a9727ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/app/api/endpoints/knowledge_base.py"}, "region": {"startLine": 427}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. 
Inappropriate in services."}, "properties": {"repobilityId": 48524, "scanner": "repobility-threat-engine", "fingerprint": "972aea4ecc0d261ae5f688480b9a8b2edecf5d8c6e0f0f33b5f19834bea31d80", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|972aea4ecc0d261ae5f688480b9a8b2edecf5d8c6e0f0f33b5f19834bea31d80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/schemas/usage.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 48509, "scanner": "repobility-threat-engine", "fingerprint": "d9f1affcacb96541cb9dfea69fa7d055adaca1abde44138d49cbaaea5562cb22", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d9f1affcacb96541cb9dfea69fa7d055adaca1abde44138d49cbaaea5562cb22"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. 
Review if needed."}, "properties": {"repobilityId": 48504, "scanner": "repobility-threat-engine", "fingerprint": "616a737d019ae97f53e0426cdc95b2538ef7f9404ddcccfa97846cbdfe3982a9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|616a737d019ae97f53e0426cdc95b2538ef7f9404ddcccfa97846cbdfe3982a9", "aggregated_count": 5}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 48503, "scanner": "repobility-threat-engine", "fingerprint": "b41fe32b4025038270c47cfdb66aeab7b265d656c3c942352165105db15e08eb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b41fe32b4025038270c47cfdb66aeab7b265d656c3c942352165105db15e08eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/views/knowledge/create/composables/useRetrival.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 48502, "scanner": "repobility-threat-engine", "fingerprint": "e3a8489bedee928cd10e2b03e181c71ffe022facbb388bbe05667471a2acd927", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e3a8489bedee928cd10e2b03e181c71ffe022facbb388bbe05667471a2acd927"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/stores/modules/user.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 48501, "scanner": "repobility-threat-engine", "fingerprint": "d101fa248836b4dee823281520f2f2c54993cceb71732b52900b276338121905", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d101fa248836b4dee823281520f2f2c54993cceb71732b52900b276338121905"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/composables/useFileUpload.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 48500, "scanner": "repobility-threat-engine", "fingerprint": "cfb98e20e8d649581f873c3b59827d12ee1ead6f6c2da2adfba255b1da316dbd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cfb98e20e8d649581f873c3b59827d12ee1ead6f6c2da2adfba255b1da316dbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"applications/oxybank/web/src/config/theme.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 48499, "scanner": "repobility-threat-engine", "fingerprint": "1a1cca784979086294238693b4f078482e41b4ac6ddd851ac629d8caacb83a07", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1a1cca784979086294238693b4f078482e41b4ac6ddd851ac629d8caacb83a07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/composables/useFileUpload.ts"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 48498, "scanner": "repobility-threat-engine", "fingerprint": "1aef4ff0b2dec98f61e7bb15b153dd2a50a3ef02a2f910519526c9e4742de6f8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|1aef4ff0b2dec98f61e7bb15b153dd2a50a3ef02a2f910519526c9e4742de6f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/api/createApis.ts"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 48497, "scanner": "repobility-threat-engine", "fingerprint": "976bb413e58f70f53fa6a891d8be3bb3844b6ff3fd9e04272cb46082ff0a16ea", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|976bb413e58f70f53fa6a891d8be3bb3844b6ff3fd9e04272cb46082ff0a16ea", "aggregated_count": 1}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 48496, "scanner": "repobility-threat-engine", "fingerprint": "8734d9d6b695b88987272a591dff39b3b7e78aa486fca37b8a9d80d8c740be65", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8734d9d6b695b88987272a591dff39b3b7e78aa486fca37b8a9d80d8c740be65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/utils/storage.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 48495, "scanner": "repobility-threat-engine", "fingerprint": "823079320ba8d2c99147c79a2c1d8df4e01d8525e7493111c972622decb84491", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|823079320ba8d2c99147c79a2c1d8df4e01d8525e7493111c972622decb84491"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/utils/auth.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 48494, "scanner": "repobility-threat-engine", "fingerprint": "f5ad06d0d5f14e5effdec47f76ab8b009052ba93c3a5c5027377a5f4c58224c8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f5ad06d0d5f14e5effdec47f76ab8b009052ba93c3a5c5027377a5f4c58224c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/api/createApis.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 48493, "scanner": "repobility-threat-engine", "fingerprint": "37508877f885a01709b33cee172c41bea9b27456847ceaa843445db9f985e9f2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|37508877f885a01709b33cee172c41bea9b27456847ceaa843445db9f985e9f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/api/index.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 48492, "scanner": "repobility-threat-engine", "fingerprint": "572d115ef1d5df04ed0787b425acc71305eb364c1398a31d1f1f16a928ffcf2a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|572d115ef1d5df04ed0787b425acc71305eb364c1398a31d1f1f16a928ffcf2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/api/createApis.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "properties": {"repobilityId": 48490, "scanner": "repobility-threat-engine", "fingerprint": "e10200e022b2afd9482a95bf1b2174577b53d235a45a49f9aa0f16efee464544", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e10200e022b2afd9482a95bf1b2174577b53d235a45a49f9aa0f16efee464544", "aggregated_count": 17}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 48489, "scanner": "repobility-threat-engine", "fingerprint": "0b9e982015aa7078f6722641d07d082ac0be1795d825a8d6351df2e22733bb00", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0b9e982015aa7078f6722641d07d082ac0be1795d825a8d6351df2e22733bb00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/browser/tabs.py"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 48488, "scanner": "repobility-threat-engine", "fingerprint": "233b02836b56a6f1909c8d188ef25a655a30dbd8559a49803f4d8ba52eea92d5", "category": "quality", "severity": 
"info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|233b02836b56a6f1909c8d188ef25a655a30dbd8559a49803f4d8ba52eea92d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/browser/core.py"}, "region": {"startLine": 327}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 48487, "scanner": "repobility-threat-engine", "fingerprint": "a807d5a87224560bf597637b52408dc4ef8894f289ab6145f3557adef217bd2f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a807d5a87224560bf597637b52408dc4ef8894f289ab6145f3557adef217bd2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/core/storer/doc_manager/es_kb_base_manager.py"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 5 more): Same pattern found in 5 additional files. 
Review if needed."}, "properties": {"repobilityId": 48486, "scanner": "repobility-threat-engine", "fingerprint": "cd0c8e85bd308a46f755f44bc6ab20955e3c28a1f9d626cb3a3bf09c3b5d92c7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|cd0c8e85bd308a46f755f44bc6ab20955e3c28a1f9d626cb3a3bf09c3b5d92c7", "aggregated_count": 5}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 48485, "scanner": "repobility-threat-engine", "fingerprint": "525cacf901dc894803725cd44ae38ce59806b0c7bc34527d45e7f4cae19ae643", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|525cacf901dc894803725cd44ae38ce59806b0c7bc34527d45e7f4cae19ae643"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a/langchain_interop/demo_langchain_a2a_server.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED043", 
"level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 48484, "scanner": "repobility-threat-engine", "fingerprint": "94bef64f93d8db68c90d960e23f5b8282611708ad361865a1767d49a39429b6d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|94bef64f93d8db68c90d960e23f5b8282611708ad361865a1767d49a39429b6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/utils/url_util.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 48483, "scanner": "repobility-threat-engine", "fingerprint": "c604934be219931e6cc69f0d84992b0b5d29d9b5e08e791e4a0cae3713b1a58d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c604934be219931e6cc69f0d84992b0b5d29d9b5e08e791e4a0cae3713b1a58d"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "applications/oxybank/core/model/trigger.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 48482, "scanner": "repobility-threat-engine", "fingerprint": "2c299a917f541f1e4818e840925e68fb89c2951d78f43fb2f13437943ad7bf89", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2c299a917f541f1e4818e840925e68fb89c2951d78f43fb2f13437943ad7bf89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "function_hubs/train_ticket_tools.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 48481, "scanner": "repobility-threat-engine", "fingerprint": "72e27ec8e972b97f3bea7f06c3878b4a42e0e01581df87a6af440e59aacd2ea4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|72e27ec8e972b97f3bea7f06c3878b4a42e0e01581df87a6af440e59aacd2ea4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/backend/demo_human_in_the_loop.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 48480, "scanner": "repobility-threat-engine", "fingerprint": "b9f9490c7202f3c624c276c230b394ad42289c48267e13f8081df2bb1c9b009a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b9f9490c7202f3c624c276c230b394ad42289c48267e13f8081df2bb1c9b009a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/core/model/embedding/glm_embedding.py"}, "region": {"startLine": 175}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 48476, "scanner": "repobility-threat-engine", "fingerprint": "649d6d6fcdf017ef6b135647f3ec984864db51b5f2d71e3a11ae83a90e69859a", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|649d6d6fcdf017ef6b135647f3ec984864db51b5f2d71e3a11ae83a90e69859a"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 48472, "scanner": "repobility-threat-engine", "fingerprint": "60d3535791d57daecb7571f76beae1cc0e0c1ff976eb68234272a7f7e7d25fca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|60d3535791d57daecb7571f76beae1cc0e0c1ff976eb68234272a7f7e7d25fca"}}}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 48468, "scanner": "repobility-threat-engine", "fingerprint": "c99e84751a1f49acb2a05f8e16365a1ec0085c51b7a83f3c71cbd43d21478817", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c99e84751a1f49acb2a05f8e16365a1ec0085c51b7a83f3c71cbd43d21478817", "aggregated_count": 4}}}, {"ruleId": "MINED001", "level": "none", "message": {"text": "[MINED001] Bare Except Pass (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 48464, "scanner": "repobility-threat-engine", "fingerprint": "bd632c4ade7e75e1a901d5e2da5e3e85b36e57e91ccdfbe5098de1738a5edc96", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|bd632c4ade7e75e1a901d5e2da5e3e85b36e57e91ccdfbe5098de1738a5edc96", "aggregated_count": 3}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 78 more): Same pattern found in 78 additional files. 
Review if needed."}, "properties": {"repobilityId": 48460, "scanner": "repobility-threat-engine", "fingerprint": "0eab5350e440371f1ce6cbff38a6ea5844641f86c36547d62dc2aad434fbaca2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 78 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "get_banks_from_router", "breakdown": {"if": 3, "or": 1, "for": 2, "elif": 3, "else": 1, "nested_bonus": 18}, "aggregated": true, "complexity": 28, "correlation_key": "fp|0eab5350e440371f1ce6cbff38a6ea5844641f86c36547d62dc2aad434fbaca2", "aggregated_count": 78}}}, {"ruleId": "SEC135", "level": "none", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 48456, "scanner": "repobility-threat-engine", "fingerprint": "550ecfd8593a509bacd163c93bb3338f1f385a4eb987bc65f5c7838b17c74243", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|550ecfd8593a509bacd163c93bb3338f1f385a4eb987bc65f5c7838b17c74243"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 6518, "scanner": "repobility-threat-engine", "fingerprint": "6db4fa73babe87936685b939570c8fe4143cb14baead165a55c4350fb8bc4f42", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|68|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/web/src/composables/useFileUpload.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 6515, "scanner": "repobility-threat-engine", "fingerprint": "068e5cde19f894198002230ec5208f5a38343fbcdd7c19608268d00002271375", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "evidence": {"match": "logger.debug(\"tiktoken not installed, using character-based estimation\")", "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|20|logger.debug tiktoken not installed using character-based estimation"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/utils/token_utils.py"}, "region": {"startLine": 206}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 6514, "scanner": "repobility-threat-engine", "fingerprint": "f0eebd64cf1a703e21793dccaab00f4d1a702e2e4a6aac3620007ba04f751672", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Type definition or interface declaration", "evidence": {"match": "logger.info(\"No file type metadata found, using token parser\")", "reason": "Type definition or interface declaration", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|9|logger.info no file type metadata found using token parser"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/core/parser/factory.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 6512, "scanner": "repobility-threat-engine", "fingerprint": "ba3aacacd2a33ee50afdca6450d1bdf5da55ce372033095b443ee81ae02c9f49", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ba3aacacd2a33ee50afdca6450d1bdf5da55ce372033095b443ee81ae02c9f49"}}}, {"ruleId": "ERR001", "level": "none", "message": {"text": "[ERR001] Silent Exception Swallowing (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 6508, "scanner": "repobility-threat-engine", "fingerprint": "8a4bd872da419130753367ef5a61efa729f221dd8f26dbedd7003551d50a5f41", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8a4bd872da419130753367ef5a61efa729f221dd8f26dbedd7003551d50a5f41"}}}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: DELETE /rating/{rating_id}."}, "properties": {"repobilityId": 48531, "scanner": "repobility-access-control", "fingerprint": "f655b33edf68928ed57ffb05a50efb58ec0e858b07006fa7f01b1c5f083ad22c", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/rating/{rating_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|1395|cwe-639", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 1395}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: POST /rating/{trace_id}/rebuild_stats."}, "properties": {"repobilityId": 48530, "scanner": "repobility-access-control", "fingerprint": "8fd84bbb20724fcdcd7e7baff0b4b468967401b8b81680835a5525470bbb3691", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/rating/{trace_id}/rebuild_stats", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|1363|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 1363}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /debug/trace/{trace_id}."}, "properties": {"repobilityId": 48529, "scanner": "repobility-access-control", "fingerprint": "5cbfd64c0d727dd72a7570e48e00c8c1b295644c6ae80a6a46db12d669076d87", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/debug/trace/{trace_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|1003|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 1003}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /debug/rating_stats/{trace_id}."}, "properties": {"repobilityId": 48528, "scanner": "repobility-access-control", "fingerprint": "fc67c4c2d6b8b5106b27fe889637b018103b77b6ed17aec35b26be61b546af1f", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/debug/rating_stats/{trace_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|986|cwe-639", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 986}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /rating/{trace_id}/history."}, "properties": {"repobilityId": 48527, "scanner": "repobility-access-control", "fingerprint": "718a4e7bdb4767c83edb15f4053d525702afcab3255fb50f1d2e48d6fb100445", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/rating/{trace_id}/history", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|951|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 951}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /rating/{trace_id}/current."}, "properties": {"repobilityId": 48526, "scanner": "repobility-access-control", "fingerprint": "d969d947797f25658519d3e9ea1c598135667803f039911a08c7cb74b4e181c1", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/rating/{trace_id}/current", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|919|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 919}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /rating/{trace_id}."}, "properties": {"repobilityId": 48525, "scanner": "repobility-access-control", "fingerprint": "66239f81c0409d3b50b2bd92f656462f116b85a248639eb88fea89fd7d592b69", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/rating/{trace_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|883|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 883}}}]}, {"ruleId": "MINED034", "level": "error", "message": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "properties": {"repobilityId": 48523, "scanner": "repobility-threat-engine", "fingerprint": "e53bff38d0b7f9988bd4b8649c10c26e21767445da3ac02e1909b518356aed19", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-subprocess-shell-true", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347977+00:00", "triaged_in_corpus": 15, "observations_count": 3478, "ai_coder_pattern_id": 118}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e53bff38d0b7f9988bd4b8649c10c26e21767445da3ac02e1909b518356aed19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/preset_tools/shell_tools.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables 
command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 48522, "scanner": "repobility-threat-engine", "fingerprint": "91c1999400217d1a29b00ea25cd36993d416355ea30f772ae148bef969f9d668", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(code", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|91c1999400217d1a29b00ea25cd36993d416355ea30f772ae148bef969f9d668"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/preset_tools/python_tools.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC113", "level": "error", "message": {"text": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. 
Common in `paramiko.AutoAddPolicy()`."}, "properties": {"repobilityId": 48519, "scanner": "repobility-threat-engine", "fingerprint": "827435f214ca328cceefa01dc3f2e6749dad607a98f7de7b056ef3595cf786d9", "category": "crypto", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".set_missing_host_key_policy(paramiko.AutoAddPolicy", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC113", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|40|sec113"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/oxy/agents/shell_use_agent.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC082", "level": "error", "message": {"text": "[SEC082] Python: paramiko AutoAddPolicy or no host-key verification: AutoAddPolicy / WarningPolicy disables SSH host-key verification \u2014 vulnerable to MITM. 
Ported from bandit B507 / dlint DUO133 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 48518, "scanner": "repobility-threat-engine", "fingerprint": "1962a0846b6ab955b707d497041d8d66657e6b49e8e5da081c0e48f081df34c3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "paramiko.AutoAddPolicy(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC082", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1962a0846b6ab955b707d497041d8d66657e6b49e8e5da081c0e48f081df34c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/oxy/agents/shell_use_agent.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. 
Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 48513, "scanner": "repobility-threat-engine", "fingerprint": "76b2b2ea3391ddfda8b2b19fb625764eaa8d0cf922d8135555cc94ac2c48d7ac", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r'(/script/core/common/station_name.+?\\.js)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|139|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "function_hubs/train_ticket_tools.py"}, "region": {"startLine": 139}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 48512, "scanner": "repobility-threat-engine", "fingerprint": "471c549a46a040ea0094282a89a0be5e1789fa1d216af33d9c45b3d2b02bff4a", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `\n                ${preImg}\n                <span>${displayName}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|471c549a46a040ea0094282a89a0be5e1789fa1d216af33d9c45b3d2b02bff4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/web/js/flowchart.js"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 48511, "scanner": "repobility-threat-engine", "fingerprint": "24a9e431f556812d50f26ef66acddd4b00af99fb0917c1f6b6f1df3414466b23", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `\n                    <p>\u6d41\u7a0b\u56fe\u5df2\u751f\u6210\uff01</p>\n                    <p>\u6587\u4ef6\u8def\u5f84: ${data.file_path}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|24a9e431f556812d50f26ef66acddd4b00af99fb0917c1f6b6f1df3414466b23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "function_hubs/chart/web/js/app.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 48510, "scanner": "repobility-threat-engine", "fingerprint": "9cf3f5d8005e292543b263fa0e2d1d77413dac24119f6f76280008fe8cb8356a", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `\n                    <p>\u6d41\u7a0b\u56fe\u5df2\u751f\u6210\uff01</p>\n                    <p>\u6587\u4ef6\u8def\u5f84: ${data.file_path}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9cf3f5d8005e292543b263fa0e2d1d77413dac24119f6f76280008fe8cb8356a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "function_hubs/chart/static_files_utils.py"}, "region": {"startLine": 123}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 48479, "scanner": "repobility-threat-engine", "fingerprint": "e8960eff1cea7ec8d3a65558485e789b11b16539d5e782ba82941bbd65620d33", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e8960eff1cea7ec8d3a65558485e789b11b16539d5e782ba82941bbd65620d33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "function_hubs/train_ticket_tools.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 48478, "scanner": "repobility-threat-engine", "fingerprint": "be60348d25cb1feb4432ac0305ba15c32055cad9106f011224bbea058cd424b4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|be60348d25cb1feb4432ac0305ba15c32055cad9106f011224bbea058cd424b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/backend/demo_human_in_the_loop.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 48477, "scanner": "repobility-threat-engine", "fingerprint": "edc982fcc710097136435b51ea1a8068415a11cb164f02e21b859fbb12154f25", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|edc982fcc710097136435b51ea1a8068415a11cb164f02e21b859fbb12154f25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/core/model/embedding/glm_embedding.py"}, "region": {"startLine": 175}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 48475, "scanner": "repobility-threat-engine", "fingerprint": "906c78e38aa2cb01ca7e0bf779128e8f25ca1347f3ac3e5ca7c64886ae941e7d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(main_page_url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|906c78e38aa2cb01ca7e0bf779128e8f25ca1347f3ac3e5ca7c64886ae941e7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "function_hubs/train_ticket_tools.py"}, "region": {"startLine": 134}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 48474, "scanner": "repobility-threat-engine", "fingerprint": "c9e0ab54e0cfb5d663814fda74ea7d60d823a360ea081f4bd497c7c945d2ed74", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c9e0ab54e0cfb5d663814fda74ea7d60d823a360ea081f4bd497c7c945d2ed74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/core/model/trigger.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 48473, "scanner": "repobility-threat-engine", "fingerprint": "03275bfe8bc113a3a5604ce52cd72f3890c9e77baa71cbf58d7649dcf71ec4f7", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL (d", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|03275bfe8bc113a3a5604ce52cd72f3890c9e77baa71cbf58d7649dcf71ec4f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/core/model/embedding/glm_embedding.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 48471, "scanner": "repobility-threat-engine", "fingerprint": "d49b8cc80c59815c87e92ae4c68ba5d31a4e39977b8dfc40dde530baabb60b71", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "self.client.update(\n                        index=self.index_name,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d49b8cc80c59815c87e92ae4c68ba5d31a4e39977b8dfc40dde530baabb60b71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/core/storer/doc_manager/es_kb_base_manager.py"}, "region": {"startLine": 258}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 48470, "scanner": "repobility-threat-engine", "fingerprint": "951299a2d693e19e0e5d276f1d1ff9a970ee7401eef721ee8767a8d2d7a20e12", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "parent_kwargs.update(kwargs)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|951299a2d693e19e0e5d276f1d1ff9a970ee7401eef721ee8767a8d2d7a20e12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/core/model/embedding/glm_embedding.py"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 48469, "scanner": "repobility-threat-engine", "fingerprint": "107a0ecc7ba4805e3c63741d170e6ac0def8ea59dfbd28ab8461c5d79c704560", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "field_info.update({\n            field_name: field_type_str\n        })", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|107a0ecc7ba4805e3c63741d170e6ac0def8ea59dfbd28ab8461c5d79c704560"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/core/interface/endpoint_show.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 48467, "scanner": "repobility-threat-engine", "fingerprint": "17e398f03ae70f08f1f50c861b37e625e2c9c14caf6c451ba205efc11adbe448", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|17e398f03ae70f08f1f50c861b37e625e2c9c14caf6c451ba205efc11adbe448"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/utils/files_process.py"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED004", "level": "error", "message": 
{"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 48466, "scanner": "repobility-threat-engine", "fingerprint": "f6e10d71ba8b4ee44b0742ca2bfd8bd7d24b7590a37291df83fe7f6e6ed11dea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f6e10d71ba8b4ee44b0742ca2bfd8bd7d24b7590a37291df83fe7f6e6ed11dea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/utils/file_util.py"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 48465, "scanner": "repobility-threat-engine", "fingerprint": "0a7d7332be8891857b70ef047316483012fae85a550e3db69755695af75c8ab8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0a7d7332be8891857b70ef047316483012fae85a550e3db69755695af75c8ab8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/app/api/models.py"}, "region": 
{"startLine": 64}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 48463, "scanner": "repobility-threat-engine", "fingerprint": "0679720a28558f038292dc2b19419f86e0649c0a7366a93e8f831a70f3d68eea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0679720a28558f038292dc2b19419f86e0649c0a7366a93e8f831a70f3d68eea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/kubernetes_mcp_server/config_tools.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 48462, "scanner": "repobility-threat-engine", "fingerprint": "f1913575dfbb7dc956664672d1663cdea32d1b79c28137a4e3cf10a2ec3fc7c4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": 
"repobility-threat-engine", "correlation_key": "fp|f1913575dfbb7dc956664672d1663cdea32d1b79c28137a4e3cf10a2ec3fc7c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/core/storer/doc_manager/es_kb_base_manager.py"}, "region": {"startLine": 205}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 48461, "scanner": "repobility-threat-engine", "fingerprint": "5084853e0bde3166c89902ce9c08d4a842d6d05f21a01c02e611bffa56d6dc0b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5084853e0bde3166c89902ce9c08d4a842d6d05f21a01c02e611bffa56d6dc0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/app/api/log/log_config.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `get_banks_from_router` has cognitive complexity 28 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=3, else=1, for=2, if=3, nested_bonus=18, or=1."}, "properties": {"repobilityId": 48457, "scanner": "repobility-threat-engine", "fingerprint": "7bc64f797e6c8720bc4936b4abd67b06d031566f8dc47309e54127ffbbf64f18", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 28 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "get_banks_from_router", "breakdown": {"if": 3, "or": 1, "for": 2, "elif": 3, "else": 1, "nested_bonus": 18}, "complexity": 28, "correlation_key": "fp|7bc64f797e6c8720bc4936b4abd67b06d031566f8dc47309e54127ffbbf64f18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/bank_manager_by_api_router.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 48455, "scanner": "repobility-threat-engine", "fingerprint": "b5a52fd325fd90d6d2738f5d33958621b8f0b570a8670eddae290b43d276941c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@app.post(\"/user_profile_retrieve\")\ndef user_profile_retrieve(request: RetrievalRequest)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b5a52fd325fd90d6d2738f5d33958621b8f0b570a8670eddae290b43d276941c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/bank_manager_by_manual_api.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 48454, "scanner": "repobility-threat-engine", "fingerprint": "da679aca13872f2e29049a50c0a97b8e551bcf4efd2356a8b2f308a41e2b5fae", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@router.post(\"/user_profile_retrieve\", description=\"A tool for querying user profile\")\ndef user_prof", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|da679aca13872f2e29049a50c0a97b8e551bcf4efd2356a8b2f308a41e2b5fae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/bank_manager_by_bank_router.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 48453, "scanner": "repobility-threat-engine", "fingerprint": "e63f2b045bf6b44c97442144c5d5feb93cc1dd3eaa8650f2c8f84e6cce1a6d6f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@router.post(\"/user_profile_retrieve\", description=\"A tool for querying user profile\")\ndef user_prof", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e63f2b045bf6b44c97442144c5d5feb93cc1dd3eaa8650f2c8f84e6cce1a6d6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/bank_manager_by_api_router.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 48446, "scanner": "repobility-supply-chain", "fingerprint": "dc70bca9c03c820ee632dd124be9ce2f206f99b76874ca8af19f1bd830b78383", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dc70bca9c03c820ee632dd124be9ce2f206f99b76874ca8af19f1bd830b78383"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 48445, "scanner": 
"repobility-supply-chain", "fingerprint": "76bd6164d0a7c17fa02ee6f928d43667d989ad4a75753c09e4af6aae9918b86e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76bd6164d0a7c17fa02ee6f928d43667d989ad4a75753c09e4af6aae9918b86e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/github-script` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 48444, "scanner": "repobility-supply-chain", "fingerprint": "cdeee18991735f8730425fee383c99772b1bbf4f1d254dd9a8f456dd73d19731", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cdeee18991735f8730425fee383c99772b1bbf4f1d254dd9a8f456dd73d19731"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto-manage-issues.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /{kb_name} has no auth"}, "properties": {"repobilityId": 48443, "scanner": "repobility-route-auth", "fingerprint": "3678ba7154133ff047b0c77d9dcf4d6d836a502397a872ac57098fa232501581", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": 
"A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|3678ba7154133ff047b0c77d9dcf4d6d836a502397a872ac57098fa232501581"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/app/api/dynamic/query_endpoint.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /level has no auth"}, "properties": {"repobilityId": 48442, "scanner": "repobility-route-auth", "fingerprint": "96cfa5f1740a54b296a9fe3bb8d28b0f216ea3ed97ac5abe264ea59538b3ca9f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|96cfa5f1740a54b296a9fe3bb8d28b0f216ea3ed97ac5abe264ea59538b3ca9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/app/api/log/log_config.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST (unknown path) has no auth"}, "properties": {"repobilityId": 48441, "scanner": "repobility-route-auth", "fingerprint": "a4052c24235d4b29293e13c1480fa9d8c3acc0a728c8fe30e605bf2aaf3b88ee", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|a4052c24235d4b29293e13c1480fa9d8c3acc0a728c8fe30e605bf2aaf3b88ee"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a/langchain_interop/demo_langchain_a2a_server.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST (unknown path) has no auth"}, "properties": {"repobilityId": 48440, "scanner": "repobility-route-auth", "fingerprint": "bedf6661b210eb5a6bbf81ec1bf0c09191cbfd0b6dbc68ccf0ade35fa9ca9685", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|bedf6661b210eb5a6bbf81ec1bf0c09191cbfd0b6dbc68ccf0ade35fa9ca9685"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a/langgraph_interop/demo_langgraph_a2a_server.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /generate has no auth"}, "properties": {"repobilityId": 48439, "scanner": "repobility-route-auth", "fingerprint": "48064df158e6f56c94ae399cf1bc98717a841ef669e3cdc43af1fa2cd2de0135", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|48064df158e6f56c94ae399cf1bc98717a841ef669e3cdc43af1fa2cd2de0135"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "function_hubs/chart/flowchart_api.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /save-flowchart has no auth"}, "properties": {"repobilityId": 48438, "scanner": "repobility-route-auth", "fingerprint": "4aeda3dc7213b6c58e4d558f20a99ebd4477ee373c165135d12207e8ec430aad", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|4aeda3dc7213b6c58e4d558f20a99ebd4477ee373c165135d12207e8ec430aad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "function_hubs/chart/flowchart_api.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /user_profile_deposit has no auth"}, "properties": {"repobilityId": 48437, "scanner": "repobility-route-auth", "fingerprint": "db1fdaef425d115a3c2f4e6c1c6eaeb9f574b523f67251eb5bce76d9ce0e1aef", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|db1fdaef425d115a3c2f4e6c1c6eaeb9f574b523f67251eb5bce76d9ce0e1aef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/bank_manager_by_bank_router.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /user_profile_retrieve has no auth"}, "properties": {"repobilityId": 48436, "scanner": "repobility-route-auth", "fingerprint": "ab5037d2c8ac86632f1202e1134ad038f9401cbdb754fcef17faffc50cf52941", "category": "quality", "severity": "high", "confidence": 
0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|ab5037d2c8ac86632f1202e1134ad038f9401cbdb754fcef17faffc50cf52941"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/bank_manager_by_bank_router.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /user_profile_deposit has no auth"}, "properties": {"repobilityId": 48435, "scanner": "repobility-route-auth", "fingerprint": "11ffd211cb68ed748067904d1b48b5c895e2bcc2cc6c583858262f7e0c5098ea", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|11ffd211cb68ed748067904d1b48b5c895e2bcc2cc6c583858262f7e0c5098ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/bank_manager_by_manual_api.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /user_profile_retrieve has no auth"}, "properties": {"repobilityId": 48434, "scanner": "repobility-route-auth", "fingerprint": "d0ba388a636fe467fbfb9737c785d22be0c499acc6ec23a710aceb34b3e47403", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", 
"javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|d0ba388a636fe467fbfb9737c785d22be0c499acc6ec23a710aceb34b3e47403"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/bank_manager_by_manual_api.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /user_profile_deposit has no auth"}, "properties": {"repobilityId": 48433, "scanner": "repobility-route-auth", "fingerprint": "6e003368acc5fea648a1683734708230049b73ed090cd685fb236152088d2e2d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|6e003368acc5fea648a1683734708230049b73ed090cd685fb236152088d2e2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/bank_manager_by_api_router.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /user_profile_retrieve has no auth"}, "properties": {"repobilityId": 48432, "scanner": "repobility-route-auth", "fingerprint": "b44e669e70ee57c6b1bf2d730ae6997c0300fc252c25805cc0fe60fe5bdd265b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|b44e669e70ee57c6b1bf2d730ae6997c0300fc252c25805cc0fe60fe5bdd265b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"applications/bank_manager_by_api_router.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /api/prompts/optimize has no auth"}, "properties": {"repobilityId": 48431, "scanner": "repobility-route-auth", "fingerprint": "9c716ce7e5579bb695827f3699269504b8a178ea579f98282629e364712d4448", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|9c716ce7e5579bb695827f3699269504b8a178ea579f98282629e364712d4448"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 1440}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI DELETE /rating/{rating_id} has no auth"}, "properties": {"repobilityId": 48430, "scanner": "repobility-route-auth", "fingerprint": "71d920e98a4c319f802b8d42c3d149bf3419daf7efef0c7f8bc76635d89893ec", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|71d920e98a4c319f802b8d42c3d149bf3419daf7efef0c7f8bc76635d89893ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 1396}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /rating/{trace_id}/rebuild_stats has no auth"}, "properties": {"repobilityId": 48429, "scanner": "repobility-route-auth", 
"fingerprint": "c38e9d816caa406fdec3274a064859d95d5fe65faff6e8bca8f218b250233392", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|c38e9d816caa406fdec3274a064859d95d5fe65faff6e8bca8f218b250233392"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 1364}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /rating/setup_indices has no auth"}, "properties": {"repobilityId": 48428, "scanner": "repobility-route-auth", "fingerprint": "279f4fb8fb4451d7b223f683ce44e2e59e1bd88ab0b22ec5bcebaf727f8cc377", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|279f4fb8fb4451d7b223f683ce44e2e59e1bd88ab0b22ec5bcebaf727f8cc377"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 1055}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI DELETE /rating/clear_all has no auth"}, "properties": {"repobilityId": 48427, "scanner": "repobility-route-auth", "fingerprint": "9b087bbba71fa1b2bb03ea7dc14692527186f93b08ab9196201bb8848550c445", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|9b087bbba71fa1b2bb03ea7dc14692527186f93b08ab9196201bb8848550c445"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 1032}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /rating has no auth"}, "properties": {"repobilityId": 48426, "scanner": "repobility-route-auth", "fingerprint": "ca27d2faf622d3de6eea24bb05be8951aa37a4f9214daafcf0a2473e99784c7f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|ca27d2faf622d3de6eea24bb05be8951aa37a4f9214daafcf0a2473e99784c7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 843}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /api/prompts/{prompt_key}/revert/{target_version} has no auth"}, "properties": {"repobilityId": 48425, "scanner": "repobility-route-auth", "fingerprint": "627929290c34c1a3fdba421bd5cbdbfc016fb338306f527585da2f7bad06cd96", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": 
"fp|627929290c34c1a3fdba421bd5cbdbfc016fb338306f527585da2f7bad06cd96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 704}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI DELETE /api/prompts/{prompt_key} has no auth"}, "properties": {"repobilityId": 48424, "scanner": "repobility-route-auth", "fingerprint": "ef8070afa6065c3ce8d83b5d5964dbe5f9d4d925c47de8fb59722362e592d427", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|ef8070afa6065c3ce8d83b5d5964dbe5f9d4d925c47de8fb59722362e592d427"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 631}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI PUT /api/prompts/{prompt_key} has no auth"}, "properties": {"repobilityId": 48423, "scanner": "repobility-route-auth", "fingerprint": "c99069d5a870fd9ce857579fa24402ab5295edb25a1fc018c0cb06ecdbac2416", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|c99069d5a870fd9ce857579fa24402ab5295edb25a1fc018c0cb06ecdbac2416"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 542}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /api/prompts/ has no auth"}, "properties": {"repobilityId": 48422, "scanner": "repobility-route-auth", "fingerprint": "c32fc06d1d386303ca0c27b28e9326e96efd80c7cdcecb499e0e8a394a56b9bc", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|c32fc06d1d386303ca0c27b28e9326e96efd80c7cdcecb499e0e8a394a56b9bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 501}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /save_script has no auth"}, "properties": {"repobilityId": 48421, "scanner": "repobility-route-auth", "fingerprint": "5eb0f17e4aef968e8c9af1c053314d354cdff4938ccd8ed63f73ac880f2727f4", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|5eb0f17e4aef968e8c9af1c053314d354cdff4938ccd8ed63f73ac880f2727f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 363}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /call has no auth"}, "properties": {"repobilityId": 48420, "scanner": "repobility-route-auth", "fingerprint": "c67cb19a0f6ee8f0345a1c2cf7d4aea55b8ff827d31f6924fba0f5a7a6a7ecc9", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|c67cb19a0f6ee8f0345a1c2cf7d4aea55b8ff827d31f6924fba0f5a7a6a7ecc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 272}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /upload has no auth"}, "properties": {"repobilityId": 48419, "scanner": "repobility-route-auth", "fingerprint": "cc66c644dfcd70de644d3db48e5a23ceae0aadabe05f19d760ce3edb5a633f98", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|cc66c644dfcd70de644d3db48e5a23ceae0aadabe05f19d760ce3edb5a633f98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `time.sleep` inside async function `on_message_send_stream`"}, "properties": {"repobilityId": 48417, "scanner": "repobility-ast-engine", "fingerprint": "a2c11bf6536b3159aa61069bef809ed3700a7b5d8efaca044473f0c373445d28", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|a2c11bf6536b3159aa61069bef809ed3700a7b5d8efaca044473f0c373445d28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a/google_sdk_interop/demo_google_sdk_a2a_server.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `time.sleep` inside async function `main`"}, "properties": {"repobilityId": 48416, "scanner": "repobility-ast-engine", "fingerprint": "d7da39e8a32481a2ad8aba209333b1f44bd8e8fcb2bd392ca6dd435bfe6ca452", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d7da39e8a32481a2ad8aba209333b1f44bd8e8fcb2bd392ca6dd435bfe6ca452"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a/demo_a2a_oxygent_task_followup_client.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `time.sleep` inside async function `test_expiry`"}, "properties": {"repobilityId": 48415, "scanner": "repobility-ast-engine", "fingerprint": "21fc8b2fa440bd7eca52ffaff3cf5f1b9620ea34f3152fa44e685842d02c9db3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|21fc8b2fa440bd7eca52ffaff3cf5f1b9620ea34f3152fa44e685842d02c9db3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_local_redis.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED106", "level": "error", 
"message": {"text": "Phantom test coverage: test_close"}, "properties": {"repobilityId": 48414, "scanner": "repobility-ast-engine", "fingerprint": "8d5b65d07a4cb74d3cfaed5e3056e7e52d88d52605d0712214bda28d712ca8ee", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8d5b65d07a4cb74d3cfaed5e3056e7e52d88d52605d0712214bda28d712ca8ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_jimdb_redis.py"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_lpush_unsupported_type"}, "properties": {"repobilityId": 48413, "scanner": "repobility-ast-engine", "fingerprint": "9d961c120fc6af892562f8db82f74b0f6615483eeceaca3596f4b461213770a3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9d961c120fc6af892562f8db82f74b0f6615483eeceaca3596f4b461213770a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_jimdb_redis.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_execute_without_client_raises"}, "properties": {"repobilityId": 48412, "scanner": "repobility-ast-engine", "fingerprint": "de1e44d60f4a4d8b7bc09f13e7de97f061dacc133f6b6818b3ce8f0e059838fd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": 
"", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|de1e44d60f4a4d8b7bc09f13e7de97f061dacc133f6b6818b3ce8f0e059838fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_mcp_tools.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_url_validation"}, "properties": {"repobilityId": 48411, "scanner": "repobility-ast-engine", "fingerprint": "6510bcebe50499574c3deae1bfc44f044e0d4766a1512ec7867cd063fc028f4e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6510bcebe50499574c3deae1bfc44f044e0d4766a1512ec7867cd063fc028f4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_sse_agent.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_from_frontmatter_missing_description"}, "properties": {"repobilityId": 48410, "scanner": "repobility-ast-engine", "fingerprint": "01ae5b67db5d069b847a4169a11b2d87039727fd867b0414af097e642a18b910", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|01ae5b67db5d069b847a4169a11b2d87039727fd867b0414af097e642a18b910"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_skill_agent.py"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_from_frontmatter_missing_name"}, "properties": {"repobilityId": 48409, "scanner": "repobility-ast-engine", "fingerprint": "f45d7bc82887d82d4f09c0d2d0d06e03e03f9aa5270987e3711d6651d59b9490", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f45d7bc82887d82d4f09c0d2d0d06e03e03f9aa5270987e3711d6651d59b9490"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_skill_agent.py"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_different_type_raises"}, "properties": {"repobilityId": 48408, "scanner": "repobility-ast-engine", "fingerprint": "a6da5bcaa27a9d50bb18fba9fa31aaf519aa1b34766fb4e5866fcedb61dec5db", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a6da5bcaa27a9d50bb18fba9fa31aaf519aa1b34766fb4e5866fcedb61dec5db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_db_factory.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: 
test_rating_request_missing_required"}, "properties": {"repobilityId": 48407, "scanner": "repobility-ast-engine", "fingerprint": "5beda6e83ab735c4d0f1df3d301c907c68a138e05727f7fa098ea1d37e67c1a5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5beda6e83ab735c4d0f1df3d301c907c68a138e05727f7fa098ea1d37e67c1a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_evaluation.py"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_conversation_rating_missing_required"}, "properties": {"repobilityId": 48406, "scanner": "repobility-ast-engine", "fingerprint": "f7cd428f44fd6f6ba84c6c77af3722bd39c96f295f2f9b3d93270a2aa7c6768f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f7cd428f44fd6f6ba84c6c77af3722bd39c96f295f2f9b3d93270a2aa7c6768f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_evaluation.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_send_message_no_mas"}, "properties": {"repobilityId": 48405, "scanner": "repobility-ast-engine", "fingerprint": "14ded4f1c0c41c4efa72658169bf50bff6d8c9b93e1b48b2b3821c8ca468ab07", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": 
false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|14ded4f1c0c41c4efa72658169bf50bff6d8c9b93e1b48b2b3821c8ca468ab07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_sse_retry.py"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_unknown_class_raises_security_error"}, "properties": {"repobilityId": 48404, "scanner": "repobility-ast-engine", "fingerprint": "6efdfe03dc360866d50037951ac623b7d77c5e915c2b224c4ad0e64a2fe38140", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6efdfe03dc360866d50037951ac623b7d77c5e915c2b224c4ad0e64a2fe38140"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_oxy_factory.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_dangerous_classes_raise_security_error"}, "properties": {"repobilityId": 48403, "scanner": "repobility-ast-engine", "fingerprint": "85e909ccfa12a93ab3c058fb94d4322cf1e59e23e84e36e1d9dbed6a4711d564", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|85e909ccfa12a93ab3c058fb94d4322cf1e59e23e84e36e1d9dbed6a4711d564"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_oxy_factory.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_post_save_data"}, "properties": {"repobilityId": 48402, "scanner": "repobility-ast-engine", "fingerprint": "d9d3b4585ba7b739fa4112884978cb5fd86f6bc79f7f8b9e78f64723bcfe459e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d9d3b4585ba7b739fa4112884978cb5fd86f6bc79f7f8b9e78f64723bcfe459e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_base_agent.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_pre_save_data"}, "properties": {"repobilityId": 48401, "scanner": "repobility-ast-engine", "fingerprint": "73721ebc81853ba5c3b8c7aa35dce3eb77b4b34976e1f8472f2fe7dc25701dfd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|73721ebc81853ba5c3b8c7aa35dce3eb77b4b34976e1f8472f2fe7dc25701dfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_base_agent.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_execute_not_implemented"}, 
"properties": {"repobilityId": 48400, "scanner": "repobility-ast-engine", "fingerprint": "0f6633883003aaef76386e3f59bd47f5fc6fc441d77643333b9ae53ceaa5946a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0f6633883003aaef76386e3f59bd47f5fc6fc441d77643333b9ae53ceaa5946a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_remote_llm.py"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_headers_invalid_type_raises"}, "properties": {"repobilityId": 48399, "scanner": "repobility-ast-engine", "fingerprint": "8a909a2dc6f08f494192f2babd93d32622403c696d70a088fd2599faf654bcad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8a909a2dc6f08f494192f2babd93d32622403c696d70a088fd2599faf654bcad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_remote_llm.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_model_name_whitespace_raises"}, "properties": {"repobilityId": 48398, "scanner": "repobility-ast-engine", "fingerprint": "26dcb4395e85a988ca5fef97902a10ba48e55b6141b9de6954841630f61cbf35", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|26dcb4395e85a988ca5fef97902a10ba48e55b6141b9de6954841630f61cbf35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_remote_llm.py"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_model_name_empty_raises"}, "properties": {"repobilityId": 48397, "scanner": "repobility-ast-engine", "fingerprint": "d8850d08f52fd6a1eef05d7c441163cd72535f23c8f1584db258ca5a6e5668e3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d8850d08f52fd6a1eef05d7c441163cd72535f23c8f1584db258ca5a6e5668e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_remote_llm.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_model_name_none_raises"}, "properties": {"repobilityId": 48396, "scanner": "repobility-ast-engine", "fingerprint": "2abdd9cc7e603f1f1fae679d649a1f1087bf8b2635ac42fa28b36e3c93c39bcb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2abdd9cc7e603f1f1fae679d649a1f1087bf8b2635ac42fa28b36e3c93c39bcb"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "tests/unittest/test_remote_llm.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_base_url_whitespace_raises"}, "properties": {"repobilityId": 48395, "scanner": "repobility-ast-engine", "fingerprint": "8ed5c3a4358a5a8f22c39c4b4ea50163c1e7cf67299f9c786f2e6ba815f4b83e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8ed5c3a4358a5a8f22c39c4b4ea50163c1e7cf67299f9c786f2e6ba815f4b83e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_remote_llm.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_base_url_empty_raises"}, "properties": {"repobilityId": 48394, "scanner": "repobility-ast-engine", "fingerprint": "f131c62f42f6038948e6caf7469c1fc454bd276c9d9a55b9bb90231faefb763f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f131c62f42f6038948e6caf7469c1fc454bd276c9d9a55b9bb90231faefb763f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_remote_llm.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_base_url_none_raises"}, "properties": {"repobilityId": 48393, "scanner": "repobility-ast-engine", "fingerprint": 
"7b599b507474291500419263cfb4d9ac5043ebb0a639c8c60b9bd61bace359b9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7b599b507474291500419263cfb4d9ac5043ebb0a639c8c60b9bd61bace359b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_remote_llm.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_execute_without_session_raises"}, "properties": {"repobilityId": 48392, "scanner": "repobility-ast-engine", "fingerprint": "08f3b1762571c715bae50ce80b0d63267774d0cd27effa67a81b9485ddcdd62f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|08f3b1762571c715bae50ce80b0d63267774d0cd27effa67a81b9485ddcdd62f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_base_mcp_client.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_init_missing_file_raises"}, "properties": {"repobilityId": 48391, "scanner": "repobility-ast-engine", "fingerprint": "c37c91be2fa33c25d7d917f4b4315963d5814cef4a691f0a75b4c77be8430813", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": 
["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c37c91be2fa33c25d7d917f4b4315963d5814cef4a691f0a75b4c77be8430813"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_stdio_mcp_client.py"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_server_url_validation"}, "properties": {"repobilityId": 48390, "scanner": "repobility-ast-engine", "fingerprint": "8a21954c003f43fef79909c5d5eaf4b8f4cd8a7c5bb0af96fad142d735c79b7a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8a21954c003f43fef79909c5d5eaf4b8f4cd8a7c5bb0af96fad142d735c79b7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_remote_agent.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `time.sleep` inside async function `test_concurrent_sync_function_execution`"}, "properties": {"repobilityId": 48389, "scanner": "repobility-ast-engine", "fingerprint": "02e30d57868ac786c1ec8456e87143eebe37fb18e0b5dd5cbfb2ab9f96a5cc1b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|02e30d57868ac786c1ec8456e87143eebe37fb18e0b5dd5cbfb2ab9f96a5cc1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"tests/unittest/test_function_hub.py"}, "region": {"startLine": 214}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `time.sleep` inside async function `test_sync_function_with_kwargs_in_thread_pool`"}, "properties": {"repobilityId": 48388, "scanner": "repobility-ast-engine", "fingerprint": "0ca4ecba9be405b57b9cf7d4c9c53d99c56fc8d400b89e230c4863cef06b94a2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0ca4ecba9be405b57b9cf7d4c9c53d99c56fc8d400b89e230c4863cef06b94a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_function_hub.py"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `time.sleep` inside async function `test_sync_function_execution_with_thread_pool`"}, "properties": {"repobilityId": 48387, "scanner": "repobility-ast-engine", "fingerprint": "a9902496a0cabf6b30c9583c4b78902caad7544d2bb4434d9c95197b48b4a92f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a9902496a0cabf6b30c9583c4b78902caad7544d2bb4434d9c95197b48b4a92f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_function_hub.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `input` inside async function `start_cli_mode`"}, "properties": 
{"repobilityId": 48359, "scanner": "repobility-ast-engine", "fingerprint": "ae8280ae01acccb5db1daaf45bd12859099474d8b0fd4a41ab77a61a48afa06c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ae8280ae01acccb5db1daaf45bd12859099474d8b0fd4a41ab77a61a48afa06c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/mas.py"}, "region": {"startLine": 1245}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get_hits_total` used but never assigned in __init__"}, "properties": {"repobilityId": 48357, "scanner": "repobility-ast-engine", "fingerprint": "042d3eb04aeb9beaa4247a582b8a108a22a57c29bc5f6654bf3597ed00d7bd03", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|042d3eb04aeb9beaa4247a582b8a108a22a57c29bc5f6654bf3597ed00d7bd03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/evaluation_manager.py"}, "region": {"startLine": 359}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get_es_client` used but never assigned in __init__"}, "properties": {"repobilityId": 48356, "scanner": "repobility-ast-engine", "fingerprint": "ebd5ee4ae4c0a0e96fc1de2281a44859b7922368336b4c0401cabf8796b08744", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ebd5ee4ae4c0a0e96fc1de2281a44859b7922368336b4c0401cabf8796b08744"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/evaluation_manager.py"}, "region": {"startLine": 348}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._create_empty_stats` used but never assigned in __init__"}, "properties": {"repobilityId": 48355, "scanner": "repobility-ast-engine", "fingerprint": "36ad7329c9b3308389b9e75987db96e2d2e13ab568f2580f5f84c9ce4b0c1ba0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|36ad7329c9b3308389b9e75987db96e2d2e13ab568f2580f5f84c9ce4b0c1ba0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/evaluation_manager.py"}, "region": {"startLine": 336}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._refresh_index` used but never assigned in __init__"}, "properties": {"repobilityId": 48354, "scanner": "repobility-ast-engine", "fingerprint": "f4fc339761e00ff7f9878c1b43c337582a66414194514d2c8ed821271c21bb77", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f4fc339761e00ff7f9878c1b43c337582a66414194514d2c8ed821271c21bb77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"oxygent/evaluation_manager.py"}, "region": {"startLine": 326}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._create_empty_stats` used but never assigned in __init__"}, "properties": {"repobilityId": 48353, "scanner": "repobility-ast-engine", "fingerprint": "a4b5c4b44041238205529727c2ac524b151006e3b546fb8b228deb9c062e8cd2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a4b5c4b44041238205529727c2ac524b151006e3b546fb8b228deb9c062e8cd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/evaluation_manager.py"}, "region": {"startLine": 293}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get_hits_total` used but never assigned in __init__"}, "properties": {"repobilityId": 48352, "scanner": "repobility-ast-engine", "fingerprint": "d025d96ad8a4c1cf9f102113333d80f944194363c3e7eaf4d630c3007386aba4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d025d96ad8a4c1cf9f102113333d80f944194363c3e7eaf4d630c3007386aba4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/evaluation_manager.py"}, "region": {"startLine": 295}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get_hits_total` used but never assigned in __init__"}, "properties": {"repobilityId": 48351, "scanner": "repobility-ast-engine", "fingerprint": 
"d53bbf5e75e3d9cacc5ac1f7c81469cf1a4d3c53505bb10444758bca0071ea1f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d53bbf5e75e3d9cacc5ac1f7c81469cf1a4d3c53505bb10444758bca0071ea1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/evaluation_manager.py"}, "region": {"startLine": 246}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get_client_ip` used but never assigned in __init__"}, "properties": {"repobilityId": 48350, "scanner": "repobility-ast-engine", "fingerprint": "bceed20c6a62c6d91c8a4033af3dee2771e61a2c8b295313ea0acdbc49b86ce8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bceed20c6a62c6d91c8a4033af3dee2771e61a2c8b295313ea0acdbc49b86ce8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/evaluation_manager.py"}, "region": {"startLine": 195}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._update_rating_stats` used but never assigned in __init__"}, "properties": {"repobilityId": 48349, "scanner": "repobility-ast-engine", "fingerprint": "b369f41c902b2e642bc7c47a2af28c027a479edcd93fcfa177ece6bd90d841cb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], 
"languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b369f41c902b2e642bc7c47a2af28c027a479edcd93fcfa177ece6bd90d841cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/evaluation_manager.py"}, "region": {"startLine": 208}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._refresh_index` used but never assigned in __init__"}, "properties": {"repobilityId": 48348, "scanner": "repobility-ast-engine", "fingerprint": "58d700ccee922c7c2afc9f8aae691903e66643fedac31e6a6dc750eac228bbe4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|58d700ccee922c7c2afc9f8aae691903e66643fedac31e6a6dc750eac228bbe4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/evaluation_manager.py"}, "region": {"startLine": 205}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._check_trace_exists` used but never assigned in __init__"}, "properties": {"repobilityId": 48347, "scanner": "repobility-ast-engine", "fingerprint": "a0c8d1a60e8b5b290cbf4cfce291073c3243b17113e19b8929c0ede008ea9c02", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a0c8d1a60e8b5b290cbf4cfce291073c3243b17113e19b8929c0ede008ea9c02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/evaluation_manager.py"}, "region": {"startLine": 178}}}]}, 
{"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get_es_client` used but never assigned in __init__"}, "properties": {"repobilityId": 48346, "scanner": "repobility-ast-engine", "fingerprint": "80593fdd623e5854bb65f9b9eee3fa24c7bd6b8814cca3006c419fac60feef6c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|80593fdd623e5854bb65f9b9eee3fa24c7bd6b8814cca3006c419fac60feef6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/evaluation_manager.py"}, "region": {"startLine": 175}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.save` used but never assigned in __init__"}, "properties": {"repobilityId": 48345, "scanner": "repobility-ast-engine", "fingerprint": "572e86071a3d3161509469b88e2a1a3e23e6b82bd21dfcd0de6bd9754de953a2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|572e86071a3d3161509469b88e2a1a3e23e6b82bd21dfcd0de6bd9754de953a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/embedding_cache.py"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.set` used but never assigned in __init__"}, "properties": {"repobilityId": 48344, "scanner": "repobility-ast-engine", "fingerprint": "1de9f273ade3ab29634b10d571bcea1161e6bad22a3eff5b2bb035eec359ec63", "category": "quality", "severity": "high", "confidence": 1.0, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1de9f273ade3ab29634b10d571bcea1161e6bad22a3eff5b2bb035eec359ec63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/embedding_cache.py"}, "region": {"startLine": 214}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.get_md5` used but never assigned in __init__"}, "properties": {"repobilityId": 48343, "scanner": "repobility-ast-engine", "fingerprint": "8e6776a808ad2d5ee269bf5076818bd441b69d50528cd8771fad0596a46655d2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8e6776a808ad2d5ee269bf5076818bd441b69d50528cd8771fad0596a46655d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/embedding_cache.py"}, "region": {"startLine": 205}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.set` used but never assigned in __init__"}, "properties": {"repobilityId": 48342, "scanner": "repobility-ast-engine", "fingerprint": "e961cf334ec62da59c746eebf9ec7287fc59a3d7de44486a155205b47964a2c1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|e961cf334ec62da59c746eebf9ec7287fc59a3d7de44486a155205b47964a2c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/embedding_cache.py"}, "region": {"startLine": 201}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.get_md5` used but never assigned in __init__"}, "properties": {"repobilityId": 48341, "scanner": "repobility-ast-engine", "fingerprint": "9b39172986b0accc0c5fa55bc20a94650dd4c2b8fd9c5a4202bca7d4ef066f58", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9b39172986b0accc0c5fa55bc20a94650dd4c2b8fd9c5a4202bca7d4ef066f58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/embedding_cache.py"}, "region": {"startLine": 197}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._embed_and_cache` used but never assigned in __init__"}, "properties": {"repobilityId": 48340, "scanner": "repobility-ast-engine", "fingerprint": "c3495c7547c9e9cf8de4b80add8e1c4e648fe1e0cd27f7d92c193efee8884c18", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c3495c7547c9e9cf8de4b80add8e1c4e648fe1e0cd27f7d92c193efee8884c18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/embedding_cache.py"}, "region": {"startLine": 185}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._embed_and_cache` used but never assigned in __init__"}, 
"properties": {"repobilityId": 48339, "scanner": "repobility-ast-engine", "fingerprint": "0412ea1aa691d5f82611899cfe22f8c2795e75b1f3b1e1da638cbb956c9f5919", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0412ea1aa691d5f82611899cfe22f8c2795e75b1f3b1e1da638cbb956c9f5919"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/embedding_cache.py"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get_or_queue` used but never assigned in __init__"}, "properties": {"repobilityId": 48338, "scanner": "repobility-ast-engine", "fingerprint": "a2d1cef6ff0a5e42dd2b6dc3c8a4ee51e57bc438810cda842f793e4a70cd92e8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a2d1cef6ff0a5e42dd2b6dc3c8a4ee51e57bc438810cda842f793e4a70cd92e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/embedding_cache.py"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get_single` used but never assigned in __init__"}, "properties": {"repobilityId": 48337, "scanner": "repobility-ast-engine", "fingerprint": "8d239a2246f231c05f40a47453b9b9cccc51be2003377e0f69b5213ad73c3ef3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": 
{"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8d239a2246f231c05f40a47453b9b9cccc51be2003377e0f69b5213ad73c3ef3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/embedding_cache.py"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get_multiple` used but never assigned in __init__"}, "properties": {"repobilityId": 48336, "scanner": "repobility-ast-engine", "fingerprint": "22897ea62e276c7d8cfebe79eb52d9ccfe7dfa58560fbbbb14895a49f81506ea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|22897ea62e276c7d8cfebe79eb52d9ccfe7dfa58560fbbbb14895a49f81506ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/embedding_cache.py"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.save` used but never assigned in __init__"}, "properties": {"repobilityId": 48335, "scanner": "repobility-ast-engine", "fingerprint": "9c44477b8067402690cf3ccbe02c2b798e019c23fea8b215db7fd6fe45cf6835", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9c44477b8067402690cf3ccbe02c2b798e019c23fea8b215db7fd6fe45cf6835"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"oxygent/embedding_cache.py"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.get_md5` used but never assigned in __init__"}, "properties": {"repobilityId": 48334, "scanner": "repobility-ast-engine", "fingerprint": "24e2e727a8c71cfc0c48c38fb336f14738c62869e16b707109ab56d03197c968", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|24e2e727a8c71cfc0c48c38fb336f14738c62869e16b707109ab56d03197c968"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/embedding_cache.py"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.get_md5` used but never assigned in __init__"}, "properties": {"repobilityId": 48333, "scanner": "repobility-ast-engine", "fingerprint": "4ad15d7fd339483b8fd1d1f4895bd1b0a054ef2b018cf27a97370eefffbba564", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4ad15d7fd339483b8fd1d1f4895bd1b0a054ef2b018cf27a97370eefffbba564"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/embedding_cache.py"}, "region": {"startLine": 156}}}]}, 
{"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. \nEndpoint: PUT /{kb_name}/{trigger_id}."}, "properties": {"repobilityId": 6532, "scanner": "repobility-access-control", "fingerprint": "3ba668cbdb2ecc448d79d3a4be8f9db3ba422c26ca643d9c35da9727fcbf827a", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{kb_name}/{trigger_id}", "method": "PUT", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|130|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/app/api/endpoints/trigger/crud.py"}, "region": {"startLine": 130}}}]}, 
{"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. \nEndpoint: GET /{kb_name}/{trigger_id}."}, "properties": {"repobilityId": 6531, "scanner": "repobility-access-control", "fingerprint": "2e1baf46ad98a0da00b368af5bc25a2b248167349b29ffcbe83af0afd4032669", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{kb_name}/{trigger_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|87|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/app/api/endpoints/trigger/crud.py"}, "region": {"startLine": 87}}}]}, 
{"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. \nEndpoint: GET /history/{kb_name}/{trigger_id}."}, "properties": {"repobilityId": 6530, "scanner": "repobility-access-control", "fingerprint": "bb4ffc5046a10bc70a3824c9fa10336413c291125cc3429f130053f37a4782bd", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/history/{kb_name}/{trigger_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|91|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/app/api/endpoints/trigger/history.py"}, "region": {"startLine": 91}}}]}, 
{"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. \nEndpoint: DELETE /rating/{rating_id}."}, "properties": {"repobilityId": 6529, "scanner": "repobility-access-control", "fingerprint": "48baf0aef82666c757bcfee5639c2c8288cf2634b605bb7b39666e7f5d191cea", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/rating/{rating_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|1389|cwe-639", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 1389}}}]}, 
{"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. \nEndpoint: POST /rating/{trace_id}/rebuild_stats."}, "properties": {"repobilityId": 6528, "scanner": "repobility-access-control", "fingerprint": "2c8e7703163e13eb695f123820b853c3591423f34085580715d35d094c2bd8fb", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/rating/{trace_id}/rebuild_stats", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|1358|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 1358}}}]}, 
{"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. \nEndpoint: GET /debug/trace/{trace_id}."}, "properties": {"repobilityId": 6527, "scanner": "repobility-access-control", "fingerprint": "846c343f948bb2f32b1109165ce2a093f74d4de59291c721ec75f3bfd61608b9", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/debug/trace/{trace_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|994|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 994}}}]}, 
{"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. \nEndpoint: GET /debug/rating_stats/{trace_id}."}, "properties": {"repobilityId": 6526, "scanner": "repobility-access-control", "fingerprint": "1dd1b72543aa9019a900f8bdb9bfd1becb7c2a99b91464e1fce27c01a4d7b4b0", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/debug/rating_stats/{trace_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|976|cwe-639", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 976}}}]}, 
{"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. \nEndpoint: GET /rating/{trace_id}/history."}, "properties": {"repobilityId": 6525, "scanner": "repobility-access-control", "fingerprint": "f35bb1f17a0045c8c3d2d48abfb04647847e4286f074d48cfab3fc3b4f02a5b3", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/rating/{trace_id}/history", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|942|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 942}}}]}, 
{"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. \nEndpoint: GET /rating/{trace_id}/current."}, "properties": {"repobilityId": 6524, "scanner": "repobility-access-control", "fingerprint": "56d68e3c37cd8c123079e771359e6fef3f45db3872086482c9f7b027f0ec3e85", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/rating/{trace_id}/current", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|913|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 913}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /rating/{trace_id}."}, "properties": {"repobilityId": 6523, "scanner": "repobility-access-control", "fingerprint": "880b3bfb2855c3cb1806123db1cb2413ae6c899c96792abb2c52793bdac77c64", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/rating/{trace_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|oxygent/routes.py|878|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/routes.py"}, "region": {"startLine": 878}}}]}, 
{"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. \nAllows SQL injection."}, "properties": {"repobilityId": 6517, "scanner": "repobility-threat-engine", "fingerprint": "64bba13b146367cb7e64af9d7fcbbfc82a68ace2d13a2600c66bd332b1fdb0b3", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": "description=f\"Delete", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|1784|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/core/storer/doc_manager/rule_query_infer.py"}, "region": {"startLine": 1784}}}]}, 
{"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. \nAllows SQL injection."}, "properties": {"repobilityId": 6516, "scanner": "repobility-threat-engine", "fingerprint": "d4f1411feea5383776948f5d503046dad5a5d48cc77be5b8a00b7a0d8b4b2378", "category": "injection", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "SQL string interpolation is near request/data/parameter input; user-controlled taint is plausible.", "evidence": {"match": "detail=f\"Update", "reason": "SQL string interpolation is near request/data/parameter input; user-controlled taint is plausible.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "code|injection|token|175|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "applications/oxybank/app/api/endpoints/annotation/data.py"}, "region": {"startLine": 175}}}]}, 
{"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. \nThis is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 6513, "scanner": "repobility-threat-engine", "fingerprint": "ff9b8862299ffa607d56a89f1ea065cc440203a14387fec7b261a645cf0cac41", "category": "credential_exposure", "severity": "high", "confidence": 0.92, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Formatted expression outputs a credential-bearing value directly.", "evidence": {"match": "print(f\"\u672a\u627e\u5230\u5bc6\u7801\u8f93\u5165\u6846: {password_selector}\")", "reason": "Formatted expression outputs a credential-bearing value directly.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.92, "correlation_key": "secret|token|9|print f : password_selector"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp_servers/browser/login.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED030", "level": "error", "message": {"text": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__."}, "properties": {"repobilityId": 48517, "scanner": "repobility-threat-engine", "fingerprint": "4b64e97b6348092b2ff287f7967929ea8b77f83b9760c9ee1af8981d845a1bcb", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pickle-loads", "owasp": null, "cwe_ids": ["CWE-502"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347968+00:00", "triaged_in_corpus": 20, "observations_count": 6314, "ai_coder_pattern_id": 119}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4b64e97b6348092b2ff287f7967929ea8b77f83b9760c9ee1af8981d845a1bcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/embedding_cache.py"}, "region": 
{"startLine": 128}}}]}, {"ruleId": "SEC081", "level": "error", "message": {"text": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3)."}, "properties": {"repobilityId": 48516, "scanner": "repobility-threat-engine", "fingerprint": "de685f21ebd42b81e56d627564568c357fe3a5c5f9e182c22ceeef7f7d4fb7e7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pickle.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC081", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|de685f21ebd42b81e56d627564568c357fe3a5c5f9e182c22ceeef7f7d4fb7e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/embedding_cache.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `queue` used but not imported"}, "properties": {"repobilityId": 48418, "scanner": "repobility-ast-engine", "fingerprint": "b643365f61472c88d15dcf8e014458ddfe29922c17eb403ebeb3e69aa85061fb", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b643365f61472c88d15dcf8e014458ddfe29922c17eb403ebeb3e69aa85061fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/schemas/oxy.py"}, "region": {"startLine": 576}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `sys` used but not imported"}, "properties": 
{"repobilityId": 48386, "scanner": "repobility-ast-engine", "fingerprint": "68c4cf503cd9fdf0e32093ee2342a25c85553a2bf04593241ce0416fda7a83a4", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|68c4cf503cd9fdf0e32093ee2342a25c85553a2bf04593241ce0416fda7a83a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_memory.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `asyncio` used but not imported"}, "properties": {"repobilityId": 48385, "scanner": "repobility-ast-engine", "fingerprint": "25d423fa03e0d0c28e2132359f68eafe3a052449d527c779fd1ba4543dfb9c0c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|25d423fa03e0d0c28e2132359f68eafe3a052449d527c779fd1ba4543dfb9c0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "function_hubs/chart/flow_image_gen_tools.py"}, "region": {"startLine": 984}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `queue` used but not imported"}, "properties": {"repobilityId": 48358, "scanner": "repobility-ast-engine", "fingerprint": "a2b701f271d8437bbe4e1de251741d37b6c3b86cc6022920c3a2363985bbab2a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": 
true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a2b701f271d8437bbe4e1de251741d37b6c3b86cc6022920c3a2363985bbab2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "oxygent/mas.py"}, "region": {"startLine": 1733}}}]}]}]}