{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AGT006", "name": "React interval is created without an explicit cleanup", "shortDescription": {"text": "React interval is created without an explicit cleanup"}, "fullDescription": {"text": "Store the interval id and return a useEffect cleanup that calls clearInterval. 
Also clear the interval in explicit stop/end handlers when relevant."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. 
Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 521 lines (recommend <300)", "shortDescription": {"text": "Average file size is 521 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", 
"shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-401 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED075", "name": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL.", "shortDescription": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-690 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 42 more): Same pattern found in 42 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 42 more): Same pattern found in 42 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `svelte` pulled from URL/Git: `dependencies.svelte` = `git+ssh://git@gitlab.com/dylan-conway", "shortDescription": {"text": "[MINED122] package.json dep `svelte` pulled from URL/Git: `dependencies.svelte` = `git+ssh://git@gitlab.com/dylan-conway/public-install-test.git#93f3aa4ec9ca8a0bacc010776db48bfcd915c44c` bypasses the npm registry. No integrity hash, no vers"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. 
If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.elem_size` used but never assigned in __init__: Method `update` of class `zig_Slice_SynthProvider` read", "shortDescription": {"text": "[MINED108] `self.elem_size` used but never assigned in __init__: Method `update` of class `zig_Slice_SynthProvider` reads `self.elem_size`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError"}, "fullDescription": {"text": "Initialize `self.elem_size = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in G", "shortDescription": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_reques", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${{ secrets.ANTHROPIC_API_KEY }}` lets a PR from any fork exfiltrate th"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed. `pull_request_target` runs in the base repository's context with its secrets available, so a job under that trigger must not check out, build, or execute the pull request's head ref."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED120", "name": "[MINED120] package.json `scripts.install` runs network/exec on install: `scripts.install: node-gyp rebuild --debug -j ma", "shortDescription": {"text": "[MINED120] package.json `scripts.install` runs network/exec on install: `scripts.install: node-gyp rebuild --debug -j max` runs during `npm install` on every developer's machine and in every CI build. Common crypto-miner / data-exfiltration"}, "fullDescription": {"text": "Move the logic to an explicit build step (npm run build), or remove the hook. Run with `--ignore-scripts` in CI to audit what depends on these hooks."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `struct` used but not imported: The file uses `struct.something(...)` but never imports `stru", "shortDescription": {"text": "[MINED107] Missing import: `struct` used but not imported: The file uses `struct.something(...)` but never imports `struct`. 
This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import struct` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/780"}, "properties": {"repository": "oven-sh/bun", "repoUrl": "https://github.com/oven-sh/bun", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65675, "scanner": "repobility-ast-engine", "fingerprint": "c06d1f91d91e545b8338bccf02da02f98e4d90625d44645023be7aa8b31ab8c1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c06d1f91d91e545b8338bccf02da02f98e4d90625d44645023be7aa8b31ab8c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/lldb_webkit.py"}, "region": {"startLine": 468}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65674, "scanner": "repobility-ast-engine", "fingerprint": "01998ce377d3e864e1f80adfcae9be636068d8f5f9df5dfea10b73653635e71d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|01998ce377d3e864e1f80adfcae9be636068d8f5f9df5dfea10b73653635e71d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/lldb_webkit.py"}, "region": {"startLine": 446}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65673, "scanner": "repobility-ast-engine", "fingerprint": "e8ee930b0256826255bee1a2f31968a7ebf88b892105f2bf298b1a6d1d942907", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e8ee930b0256826255bee1a2f31968a7ebf88b892105f2bf298b1a6d1d942907"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/lldb_pretty_printers.py"}, "region": {"startLine": 486}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65672, "scanner": "repobility-ast-engine", "fingerprint": "735080168527f641b104ba85d9aba3f5169e144f9dca3b6ea830cbdede8e741d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|735080168527f641b104ba85d9aba3f5169e144f9dca3b6ea830cbdede8e741d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/lldb_pretty_printers.py"}, "region": {"startLine": 409}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65671, "scanner": "repobility-ast-engine", "fingerprint": "50aa39d2ec72081a6626dca42c6e692eef335ad13292b5b83c946f2f139360f9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|50aa39d2ec72081a6626dca42c6e692eef335ad13292b5b83c946f2f139360f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/lldb_pretty_printers.py"}, "region": {"startLine": 348}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65670, "scanner": "repobility-ast-engine", "fingerprint": "8e871828e7d429197503a84f45a5944dc5da5f6799246c58ca034ccb6f98e859", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8e871828e7d429197503a84f45a5944dc5da5f6799246c58ca034ccb6f98e859"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/lldb_pretty_printers.py"}, "region": {"startLine": 315}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65669, "scanner": "repobility-ast-engine", "fingerprint": "30fda6562e263c695e8e40677397bc2b08f25a30d0bf5b74a0b4d3059b6594f4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|30fda6562e263c695e8e40677397bc2b08f25a30d0bf5b74a0b4d3059b6594f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/lldb_pretty_printers.py"}, "region": {"startLine": 308}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65668, "scanner": "repobility-ast-engine", "fingerprint": "74f1a5d857a85bc0da69d90714cf5e230284abb10979860f57a72e967653004b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|74f1a5d857a85bc0da69d90714cf5e230284abb10979860f57a72e967653004b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/lldb_pretty_printers.py"}, "region": {"startLine": 276}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65667, "scanner": "repobility-ast-engine", "fingerprint": "dbb70c30281ef4738a64630a717aa38115acd76eeead215836955aeb58896aed", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dbb70c30281ef4738a64630a717aa38115acd76eeead215836955aeb58896aed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/lldb_pretty_printers.py"}, "region": {"startLine": 267}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65666, "scanner": "repobility-ast-engine", "fingerprint": "727867e97a68b8ae142a9e6425e73762a92e5503aeafffe10e125f20f6df63a1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|727867e97a68b8ae142a9e6425e73762a92e5503aeafffe10e125f20f6df63a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/lldb_pretty_printers.py"}, "region": {"startLine": 244}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65665, "scanner": "repobility-ast-engine", "fingerprint": "1e93c042bf6ee73a2dc8b76d83a58885a82a5223b928848ee2fbe8e1ce7ecf23", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1e93c042bf6ee73a2dc8b76d83a58885a82a5223b928848ee2fbe8e1ce7ecf23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/lldb_pretty_printers.py"}, "region": {"startLine": 232}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65664, "scanner": "repobility-ast-engine", "fingerprint": "198ad16539911311addfc2d48f721084a3efbfaa720ecb8d5f5139f454031e02", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|198ad16539911311addfc2d48f721084a3efbfaa720ecb8d5f5139f454031e02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/lldb_pretty_printers.py"}, "region": {"startLine": 209}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65663, "scanner": "repobility-ast-engine", "fingerprint": "6ef6be19740a71b533217728237bc5ee0102fd4a5df2ab6b865bd76b6ff44b2d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6ef6be19740a71b533217728237bc5ee0102fd4a5df2ab6b865bd76b6ff44b2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/lldb_pretty_printers.py"}, "region": {"startLine": 197}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65662, "scanner": "repobility-ast-engine", "fingerprint": "a125afdaf603c3bb2bc71b668cb482d9915c68e1945179a81a05ae5686ca266b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a125afdaf603c3bb2bc71b668cb482d9915c68e1945179a81a05ae5686ca266b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/lldb_pretty_printers.py"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65661, "scanner": "repobility-ast-engine", "fingerprint": "4f7a8c47459ee546c71a39e69e19b6a36cd3fd537c9718e5e9fb705a71993466", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4f7a8c47459ee546c71a39e69e19b6a36cd3fd537c9718e5e9fb705a71993466"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/lldb_pretty_printers.py"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65660, "scanner": "repobility-ast-engine", "fingerprint": "ab9788c191d67201a62fbb5cee9fa3d93ef22e068edf59f0e0ef72fb3bbcef50", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ab9788c191d67201a62fbb5cee9fa3d93ef22e068edf59f0e0ef72fb3bbcef50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/lldb_pretty_printers.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65659, "scanner": "repobility-ast-engine", "fingerprint": "01102114ee67605301ba3a77989a6d358a17d456b84ad7465d1606c093eeabf1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|01102114ee67605301ba3a77989a6d358a17d456b84ad7465d1606c093eeabf1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/lldb_pretty_printers.py"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65654, "scanner": "repobility-ast-engine", "fingerprint": "e2ab5923b0564952f6e6218777c4011975f1b7e903e17adfc29f2e16f640e048", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e2ab5923b0564952f6e6218777c4011975f1b7e903e17adfc29f2e16f640e048"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65653, "scanner": "repobility-ast-engine", "fingerprint": "916debba355257368238b3fe153418ca928ca4e39f8e9ed5e92630b21a6189f5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|916debba355257368238b3fe153418ca928ca4e39f8e9ed5e92630b21a6189f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65652, "scanner": "repobility-ast-engine", "fingerprint": "a4570853a0824414729f7c8168fe88fa4f7a8e3dbade2b4fc2becc3d4a7714f4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a4570853a0824414729f7c8168fe88fa4f7a8e3dbade2b4fc2becc3d4a7714f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65651, "scanner": "repobility-ast-engine", "fingerprint": "b964cf4269e7cd16a2c5fc22b02a679c78b2076a9cf2ef6fe62274495f57eeb8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b964cf4269e7cd16a2c5fc22b02a679c78b2076a9cf2ef6fe62274495f57eeb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 302}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65650, "scanner": "repobility-ast-engine", "fingerprint": "ada4ab57f310564ebfa0a24a148791c4a88356ce435797d2cd3535272e915d12", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ada4ab57f310564ebfa0a24a148791c4a88356ce435797d2cd3535272e915d12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 244}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65649, "scanner": "repobility-ast-engine", "fingerprint": "a86f7f7ada1dfd893e1258c4fff170c440beeaa5093688b4c133db185bedbcb5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a86f7f7ada1dfd893e1258c4fff170c440beeaa5093688b4c133db185bedbcb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65648, "scanner": "repobility-ast-engine", "fingerprint": "4f24806888dc7ef6825584979a3636af04cba1d1f9c6d6930f6d9b371f041663", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4f24806888dc7ef6825584979a3636af04cba1d1f9c6d6930f6d9b371f041663"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 65624, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 65620, "scanner": "repobility-agent-runtime", "fingerprint": "e0944a934caf0ae9df7c7a68094e129e7fc92eccb95971ac6f7901e06861e052", "category": "quality", "severity": "medium", "confidence": 
0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|e0944a934caf0ae9df7c7a68094e129e7fc92eccb95971ac6f7901e06861e052"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-types/bun.d.ts"}, "region": {"startLine": 7608}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 65619, "scanner": "repobility-agent-runtime", "fingerprint": "ff413da2ad834d0caa269f065ac4d2544c10a58dbf8c4d6662043754a1df2402", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ff413da2ad834d0caa269f065ac4d2544c10a58dbf8c4d6662043754a1df2402"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-release/src/npm/install.ts"}, "region": {"startLine": 125}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 65618, "scanner": "repobility-agent-runtime", "fingerprint": "005e1a16caaa265daa870ac15c3f4e2f92310a71da84fc9e101976fad297fbd7", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": 
"repobility-agent-runtime", "references": [], "correlation_key": "fp|005e1a16caaa265daa870ac15c3f4e2f92310a71da84fc9e101976fad297fbd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 54}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 65610, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 65575, "scanner": "repobility-threat-engine", "fingerprint": "a1ac9e8a210ff603ff30ebfd27ae758082afa432833525562b58b62f00a5a8ff", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Triage caveat: the matched token is the method call .exec( in a TypeScript file, which may be RegExp.prototype.exec rather than dynamic code evaluation, while the rule text describes Python eval()/exec(); confirm at the cited line before treating this as CWE-95.", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|57|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-error/stack-trace-parser.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 65574, "scanner": "repobility-threat-engine", "fingerprint": "40ee6542de0474e2a3b586514d64e0a2bc0af6d7e93a3ae1bc1089b46dbaca2f", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Triage caveat: the matched token is the method call .exec( in a TypeScript file, which may be RegExp.prototype.exec rather than dynamic code evaluation, while the rule text describes Python eval()/exec(); confirm at the cited line before treating this as CWE-95.", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|76|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-error/runtime-error.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 65573, "scanner": "repobility-threat-engine", "fingerprint": "a14b74b50315667ea9457e4604a78550d90e7283f6b862c5619b837ba892a1ad", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Triage caveat: the matched token is the method call .exec( in a JavaScript file, which may be a URLPattern or RegExp exec() method rather than dynamic code evaluation, while the rule text describes Python eval()/exec(); confirm at the cited line before treating this as CWE-95.", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|39|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/snippets/urlpattern.js"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 65571, "scanner": "repobility-threat-engine", "fingerprint": "ad884d92b6ae07552d9f58eb0a594cb638534c0b032ef8270fe04956c27dfdcf", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL: \"https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ad884d92b6ae07552d9f58eb0a594cb638534c0b032ef8270fe04956c27dfdcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/snippets/urlpattern.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 65570, "scanner": "repobility-threat-engine", "fingerprint": "b04292a48b24de2b55577bba9487d5319376b3cefd48dd0044faf430065978f8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Lorem ipsum dolor sit amet", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b04292a48b24de2b55577bba9487d5319376b3cefd48dd0044faf430065978f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/snippets/buffer-includes.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 65563, "scanner": "repobility-threat-engine", "fingerprint": "e35e3492e32ab666f96f2633049d9c163420edc7d7750a83efdf0a065998ad1a", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e35e3492e32ab666f96f2633049d9c163420edc7d7750a83efdf0a065998ad1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/snippets/dns.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 65562, "scanner": 
"repobility-threat-engine", "fingerprint": "c5ce0c3a2ce4e029be04e12a7a56d12db3d968d7a2ffd1aa00c09b5be3f631b1", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c5ce0c3a2ce4e029be04e12a7a56d12db3d968d7a2ffd1aa00c09b5be3f631b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/module-loader/create.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 65561, "scanner": "repobility-threat-engine", "fingerprint": "57e80fceef72d125a9329cb3a17550748fdcc5c4a73313f847994bc19a431149", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (error) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|57e80fceef72d125a9329cb3a17550748fdcc5c4a73313f847994bc19a431149"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/post-edit-zig-format.js"}, "region": {"startLine": 43}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 521 lines (recommend <300)"}, "properties": {"repobilityId": 65556, "scanner": "repobility-core", "fingerprint": "599327eb039f35ee84539be09e33920fbd77b94b2aa63d14c8571c5da89a0653", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|599327eb039f35ee84539be09e33920fbd77b94b2aa63d14c8571c5da89a0653"}}}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 65625, "scanner": "repobility-web-presence", "fingerprint": "9b76fd18063e366ed673c43b0474edfb2b01420e6d3676314c25a71e93736087", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|9b76fd18063e366ed673c43b0474edfb2b01420e6d3676314c25a71e93736087"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-error/markdown.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 65623, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 
65622, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 65621, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65617, "scanner": "repobility-ai-code-hygiene", "fingerprint": "482cd320a9cfa876be0221038afbc94775f2440cbc7d6cf27724f698b548170b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two 
different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/bun-uws/src/ProxyParser.h", "duplicate_line": 24, "correlation_key": "fp|482cd320a9cfa876be0221038afbc94775f2440cbc7d6cf27724f698b548170b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-uws/src/WebSocketProtocol.h"}, "region": {"startLine": 51}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65616, "scanner": "repobility-ai-code-hygiene", "fingerprint": "74220557d5f439ac925def84757331c69c334383e3f33d04a0a037dc3d1085dd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/bun-native-bundler-plugin-api/bundler_plugin.h", "duplicate_line": 2, "correlation_key": "fp|74220557d5f439ac925def84757331c69c334383e3f33d04a0a037dc3d1085dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-native-plugin-rs/src/sys.rs"}, "region": {"startLine": 98}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65615, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1a618d8b17a218327f71ceee83e89f00ddf0cb3343c0f57603674e2193bc6e8d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "packages/bun-native-bundler-plugin-api/bundler_plugin.h", "duplicate_line": 1, "correlation_key": "fp|1a618d8b17a218327f71ceee83e89f00ddf0cb3343c0f57603674e2193bc6e8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-native-plugin-rs/headers/bun-native-bundler-plugin-api/bundler_plugin.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65614, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c8d78aa7416bbf3ecc3e0cdaf8d6e85e92e1a349c5f6bba1c3de4f57455b3288", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/bun-inspector-protocol/src/inspector/node-socket.ts", "duplicate_line": 78, "correlation_key": "fp|c8d78aa7416bbf3ecc3e0cdaf8d6e85e92e1a349c5f6bba1c3de4f57455b3288"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-inspector-protocol/src/inspector/websocket.ts"}, "region": {"startLine": 84}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65613, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2502048d80c23dd6a1c556fef7365704573d4f5fd6407a6eea540721e97cdba0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "bench/sqlite/bun.js", "duplicate_line": 5, "correlation_key": "fp|2502048d80c23dd6a1c556fef7365704573d4f5fd6407a6eea540721e97cdba0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/sqlite/deno.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65612, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7e667a9ac19655fc704266cb8ae52092a991059e0f1745dbc4c2097d94bac68e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "bench/react-hello-world/react-hello-world.workerd.js", "duplicate_line": 1, "correlation_key": "fp|7e667a9ac19655fc704266cb8ae52092a991059e0f1745dbc4c2097d94bac68e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/react-hello-world/react-hello-world.workerd.jsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65611, "scanner": "repobility-ai-code-hygiene", "fingerprint": "50d4971a6efe9bf527271a8d31d378d6cd0193a957c493909862439f80ab853c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "bench/crypto/asymmetricCipher.js", "duplicate_line": 1, "correlation_key": 
"fp|50d4971a6efe9bf527271a8d31d378d6cd0193a957c493909862439f80ab853c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/crypto/asymmetricSign.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 65602, "scanner": "repobility-threat-engine", "fingerprint": "c5e4871de7fa198502557d2e618e90b3909621961ebbec9073f7d6ffed19d4ee", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Failed to run \" + exec + \" bun, exit code: \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c5e4871de7fa198502557d2e618e90b3909621961ebbec9073f7d6ffed19d4ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-release/scripts/upload-npm.ts"}, "region": {"startLine": 312}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 65608, "scanner": "repobility-threat-engine", "fingerprint": "1974dad06ac817038642e0b3b3e5b91c6d62c479d9da2a39d8a6f8c03cc815d6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1974dad06ac817038642e0b3b3e5b91c6d62c479d9da2a39d8a6f8c03cc815d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-uws/src/WebSocketData.h"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 65607, "scanner": "repobility-threat-engine", "fingerprint": "5f580c5c744000ad5fb80e12b18c467067c84b4480cbd6e704395a4d1ca1460c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5f580c5c744000ad5fb80e12b18c467067c84b4480cbd6e704395a4d1ca1460c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-uws/src/TopicTree.h"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 65606, "scanner": "repobility-threat-engine", "fingerprint": 
"56626c3c133607867712f3496821c14c069363ad3b978ef7e6db8e5f47a23c15", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|56626c3c133607867712f3496821c14c069363ad3b978ef7e6db8e5f47a23c15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-usockets/src/crypto/sni_tree.cpp"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 65599, "scanner": "repobility-threat-engine", "fingerprint": "b327b32675dba37823c90ac172e4a2d04efa80bec1df77d560143a814d2f1b0d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b327b32675dba37823c90ac172e4a2d04efa80bec1df77d560143a814d2f1b0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-native-plugin-rs/bun-macro/src/lib.rs"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used 
as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 65597, "scanner": "repobility-threat-engine", "fingerprint": "83f62e08b7b3d822492d0ecb5f420d89174886cdc2034fbef3661ceb4379cda2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|83f62e08b7b3d822492d0ecb5f420d89174886cdc2034fbef3661ceb4379cda2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-plugin-svelte/example/index.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 65596, "scanner": "repobility-threat-engine", "fingerprint": "1395f988792e92aaf04464a6cae0b14cd99d5d87521ccd2176dfd37c2b28fadf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1395f988792e92aaf04464a6cae0b14cd99d5d87521ccd2176dfd37c2b28fadf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-inspector-protocol/src/inspector/websocket.ts"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 65595, "scanner": "repobility-threat-engine", "fingerprint": "3237aa0e8d135634571bf5df2eea145aa3e67c501002cd99127480c2d9b028a5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3237aa0e8d135634571bf5df2eea145aa3e67c501002cd99127480c2d9b028a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-inspector-protocol/src/inspector/node-socket.ts"}, "region": {"startLine": 130}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 65594, "scanner": "repobility-threat-engine", "fingerprint": "f312b6112ca006fc1437728ce22e8725df0d5d8695d37f5d9dcfc0251b27258c", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|13|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-inspector-frontend/scripts/build.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 65593, "scanner": "repobility-threat-engine", "fingerprint": "4f1c09d6413617869f14f797e0cf7d1e0544f67e4d229d0b4b7981703108ebc8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4f1c09d6413617869f14f797e0cf7d1e0544f67e4d229d0b4b7981703108ebc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-release/scripts/upload-s3.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking 
entirely."}, "properties": {"repobilityId": 65592, "scanner": "repobility-threat-engine", "fingerprint": "5fad3f3083be1cc4401391839cf0d4a5b4f2fa6535d6de0a02a5711550cc173e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5fad3f3083be1cc4401391839cf0d4a5b4f2fa6535d6de0a02a5711550cc173e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-error/markdown.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 65591, "scanner": "repobility-threat-engine", "fingerprint": "8da7ddba3a61923f05f8fb18cc5f5667f23ed1663ba8f5b0a8ee14a90b4958bd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8da7ddba3a61923f05f8fb18cc5f5667f23ed1663ba8f5b0a8ee14a90b4958bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-debug-adapter-protocol/src/debugger/sourcemap.ts"}, "region": {"startLine": 42}}}]}, 
{"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 65590, "scanner": "repobility-threat-engine", "fingerprint": "7eac65c6d729ce731cf7f1b0d32d88551e2714b6a555982628995e228d42ee93", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7eac65c6d729ce731cf7f1b0d32d88551e2714b6a555982628995e228d42ee93", "aggregated_count": 3}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 65589, "scanner": "repobility-threat-engine", "fingerprint": "39a6988e5754caa431f4a2e7cc769f9d58a4c57e071c61e00328cca39958e11c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|39a6988e5754caa431f4a2e7cc769f9d58a4c57e071c61e00328cca39958e11c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-inspector-protocol/src/inspector/node-socket.ts"}, "region": {"startLine": 175}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 65588, "scanner": "repobility-threat-engine", "fingerprint": "367a35b2ab0026ad7adbc708e3ffa3ce27ef460bfd6c2774a94b1a64c26771f2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|367a35b2ab0026ad7adbc708e3ffa3ce27ef460bfd6c2774a94b1a64c26771f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-error/sourcemap.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 65587, "scanner": "repobility-threat-engine", "fingerprint": "ca600d6ab72b7dbd10e6b240e718a88ea936a096bfb4ee38c3544049573b7e84", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ca600d6ab72b7dbd10e6b240e718a88ea936a096bfb4ee38c3544049573b7e84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-debug-adapter-protocol/scripts/generate-protocol.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 65586, "scanner": "repobility-threat-engine", "fingerprint": "9b2e8bd14a9221dc458ee74aca48076c2a5086d4fcb62f622e524078d8719825", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9b2e8bd14a9221dc458ee74aca48076c2a5086d4fcb62f622e524078d8719825"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/bun-vscode/src/features/lockfile/lockfile.style.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 65585, "scanner": "repobility-threat-engine", "fingerprint": "aa51d0df4fa520dc651c4902021415add154c59cace8ecc7d324edb82cc9e1ef", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa51d0df4fa520dc651c4902021415add154c59cace8ecc7d324edb82cc9e1ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/websocket-server/chat-server.bun.js"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 65584, "scanner": "repobility-threat-engine", "fingerprint": "462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 65580, "scanner": "repobility-threat-engine", "fingerprint": "4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 65576, "scanner": "repobility-threat-engine", "fingerprint": "c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb"}}}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 65565, "scanner": "repobility-threat-engine", "fingerprint": "5af343bbf836228045859ac2ebc72e28d2c0c9293534a919eb14d24f5746f0c2", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.node' detected on same line", "evidence": {"match": "require(import", "reason": "Safe pattern '\\.node' detected on same line", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|5af343bbf836228045859ac2ebc72e28d2c0c9293534a919eb14d24f5746f0c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/ffi/bun.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 65564, "scanner": "repobility-threat-engine", "fingerprint": "e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 42 more): Same pattern found in 42 additional files. Review if needed."}, "properties": {"repobilityId": 65560, "scanner": "repobility-threat-engine", "fingerprint": "6fe2e86aa5dd2430264e83659af3e74799efeda8a0967573be009372889efb13", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 42 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6fe2e86aa5dd2430264e83659af3e74799efeda8a0967573be009372889efb13", "aggregated_count": 42}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 65559, "scanner": "repobility-threat-engine", "fingerprint": "101090ce51a9734eb180cd62fe1d246553189b4f39e605fd7e9420c722638e54", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|101090ce51a9734eb180cd62fe1d246553189b4f39e605fd7e9420c722638e54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/expect-to-equal/index.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 65558, "scanner": "repobility-threat-engine", "fingerprint": "32bec3ddf82e3a1ed987a5c0fbcd03f33da4fe61e690ebda757b72847de508b5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|32bec3ddf82e3a1ed987a5c0fbcd03f33da4fe61e690ebda757b72847de508b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-bash-zig-build.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 65557, "scanner": "repobility-threat-engine", "fingerprint": "0f02160c8947f9c31f240d769da483cf8df09ceb977654eb93b481bd6f960502", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0f02160c8947f9c31f240d769da483cf8df09ceb977654eb93b481bd6f960502"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/post-edit-zig-format.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `svelte` pulled from URL/Git: `dependencies.svelte` = `git+ssh://git@gitlab.com/dylan-conway/public-install-test.git#93f3aa4ec9ca8a0bacc010776db48bfcd915c44c` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload. Note that this specifier ends in a full commit hash, which ties the install to one commit, so the `no version locking` point applies to unpinned refs rather than to this entry; the dependency still gets no registry-side scanning."}, "properties": {"repobilityId": 65690, "scanner": "repobility-supply-chain", "fingerprint": "117315e7a47925f58050e34debdef76e568f2a5098b8ab5faba6a17c491b65a1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|117315e7a47925f58050e34debdef76e568f2a5098b8ab5faba6a17c491b65a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/cli/install/migration/complex-workspace/packages/body-parser/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `mkdirp` pulled from URL/Git: `dependencies.mkdirp` = `file:mkdirp` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload. A `file:` specifier like this one points at a local path relative to the package, not at a URL or git host, so what needs review is the content checked in at that path."}, "properties": {"repobilityId": 65689, "scanner": "repobility-supply-chain", "fingerprint": "ad4b7d7def5bcdc4501b44d0eb4747f06d8292a4a009f7f2b747592d29dd285b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad4b7d7def5bcdc4501b44d0eb4747f06d8292a4a009f7f2b747592d29dd285b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/cli/install/migration/yarn/yarn-lock-mkdirp-file-dep/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `tarball` pulled from URL/Git: `dependencies.tarball` = `file:abbrev-1.1.1.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 65688, "scanner": "repobility-supply-chain", "fingerprint": "128fa006c76f2b2ed95aaa2457b0d1e16adae6a4d2296b81c0e06d7d92da9e21", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|128fa006c76f2b2ed95aaa2457b0d1e16adae6a4d2296b81c0e06d7d92da9e21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/cli/install/migration/yarn/yarn-stuff/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `symlink` pulled from URL/Git: `dependencies.symlink` = `file:./abbrev-link-target` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 65687, "scanner": "repobility-supply-chain", "fingerprint": "dce3c6fe18a359db12d74a111da90b48bee917441528c686e82d419c3381961f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dce3c6fe18a359db12d74a111da90b48bee917441528c686e82d419c3381961f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/cli/install/migration/yarn/yarn-stuff/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `remote` pulled from URL/Git: `dependencies.remote` = `https://registry.npmjs.org/abbrev/-/abbrev-1.1.1.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload. The URL in this entry is on `registry.npmjs.org`, so the tarball is served by the npm registry host; the gap that remains is that package.json itself records no integrity hash for it, so confirm that the lockfile does."}, "properties": {"repobilityId": 65686, "scanner": "repobility-supply-chain", "fingerprint": "a3bd0e4762e60e97693fbd795d3fba4e27ed7f05a5895788bdc3e468f2ef1397", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a3bd0e4762e60e97693fbd795d3fba4e27ed7f05a5895788bdc3e468f2ef1397"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/cli/install/migration/yarn/yarn-stuff/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `ghshort` pulled from URL/Git: `dependencies.ghshort` = `github:isaacs/abbrev-js` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 65685, "scanner": "repobility-supply-chain", "fingerprint": "89e4376938e75b73663cda7d67b38809072f3af601614e2ac292966ecfea3866", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|89e4376938e75b73663cda7d67b38809072f3af601614e2ac292966ecfea3866"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/cli/install/migration/yarn/yarn-stuff/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `full-git-url` pulled from URL/Git: `dependencies.full-git-url` = `git+https://github.com/isaacs/abbrev-js.git` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 65684, "scanner": "repobility-supply-chain", "fingerprint": "3ce43c0f7b12b5a1e95b2ce4a95f420db5cb69fcad48629ee3a5f210ee375120", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ce43c0f7b12b5a1e95b2ce4a95f420db5cb69fcad48629ee3a5f210ee375120"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/cli/install/migration/yarn/yarn-stuff/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `eslint-plugin-yarn-internal` pulled from URL/Git: `devDependencies.eslint-plugin-yarn-internal` = `file:scripts/eslint-rules` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 65683, "scanner": "repobility-supply-chain", "fingerprint": "aa5d33b65c8756a31821992157e22a79ff2e44f46415f61ec8df1df781791ef5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aa5d33b65c8756a31821992157e22a79ff2e44f46415f61ec8df1df781791ef5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/cli/install/migration/yarn/yarn-cli-repo/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `install-test1` pulled from URL/Git: `dependencies.install-test1` = `git+ssh://git@github.com/dylan-conway/install-test.git#596234dab30564f37adae1e5c4d7123bcffce537` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 65682, "scanner": "repobility-supply-chain", "fingerprint": "2e60332a9b0c5f9af028965531550a82de93b7e2dad890c259dc6d5cbf0f06d1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2e60332a9b0c5f9af028965531550a82de93b7e2dad890c259dc6d5cbf0f06d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/cli/install/migration/complex-workspace/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `hello` pulled from URL/Git: `dependencies.hello` = `file:hello-0.3.2.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 65681, "scanner": "repobility-supply-chain", "fingerprint": "9080b592051786063757eb3333c8353926d73b8a3f33a6d239435932684fb875", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9080b592051786063757eb3333c8353926d73b8a3f33a6d239435932684fb875"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/cli/install/migration/complex-workspace/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `bun-types` pulled from URL/Git: `dependencies.bun-types` = `file:bun-types` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 65680, "scanner": "repobility-supply-chain", "fingerprint": "f87454cd6acdd6c82d09b7219a8ab9fbf8d3dbc83f4d5ac43e63028d7ad9cd67", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f87454cd6acdd6c82d09b7219a8ab9fbf8d3dbc83f4d5ac43e63028d7ad9cd67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/cli/install/migration/complex-workspace/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `bar` pulled from URL/Git: `dependencies.bar` = `https://github.com/oven-sh/bun/raw/f7e4eb83694aa007a492ef66c28ffbe6a2dae791/test/cli/install/bar-0.0.2.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 65679, "scanner": "repobility-supply-chain", "fingerprint": "65f6efb2bc7ca6958df24ef67da78a4479b50833a7f8b8eec8bd47be982ab744", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|65f6efb2bc7ca6958df24ef67da78a4479b50833a7f8b8eec8bd47be982ab744"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/cli/install/migration/complex-workspace/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `react` pulled from URL/Git: `dependencies.react` = `file:../node_modules/react` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 65678, "scanner": "repobility-supply-chain", "fingerprint": "120cf8e27b6d7ea638fd8ae499720335c5bb7a455beeb431e759d2644c67a33f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|120cf8e27b6d7ea638fd8ae499720335c5bb7a455beeb431e759d2644c67a33f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `bun-plugin-svelte` pulled from URL/Git: `dependencies.bun-plugin-svelte` = `file:../packages/bun-plugin-svelte` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 65677, "scanner": "repobility-supply-chain", "fingerprint": "dfbffa7d8fba5cb1779086efefe70a1325bb01528809e2eab1d790f4ad6eddc6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dfbffa7d8fba5cb1779086efefe70a1325bb01528809e2eab1d790f4ad6eddc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `bun-tracestrings` pulled from URL/Git: `devDependencies.bun-tracestrings` = `github:oven-sh/bun.report#912ca63e26c51429d3e6799aa2a6ab079b188fd8` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload. Note that this specifier ends in a full commit hash, which ties the install to one commit, so the `no version locking` point applies to unpinned refs rather than to this entry; the dependency still gets no registry-side scanning."}, "properties": {"repobilityId": 65676, "scanner": "repobility-supply-chain", "fingerprint": "915dbfd0b083027a9024d0d30611030b976771d2ae05f8717812fd4652807300", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|915dbfd0b083027a9024d0d30611030b976771d2ae05f8717812fd4652807300"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.elem_size` used but never assigned in __init__: Method `update` of class `zig_Slice_SynthProvider` reads `self.elem_size`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance. That outcome depends on no other code assigning the attribute before this read, which the finding does not establish; confirm against the class before acting on it."}, "properties": {"repobilityId": 65658, "scanner": "repobility-ast-engine", "fingerprint": "648ec88a96515090b702cb0e79fd9241050ee2b7138830b59ef7c0e8bde07ddb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|648ec88a96515090b702cb0e79fd9241050ee2b7138830b59ef7c0e8bde07ddb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/lldb_pretty_printers.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.elem_type` used but never assigned in __init__: Method `update` of class `zig_Slice_SynthProvider` reads `self.elem_type`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65657, "scanner": "repobility-ast-engine", "fingerprint": "f74a2826af4972408f258a786cfe3f607bd6c71ae927e7659a5ed6d901b619d7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f74a2826af4972408f258a786cfe3f607bd6c71ae927e7659a5ed6d901b619d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/lldb_pretty_printers.py"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.len` used but never assigned in __init__: Method `update` of class `zig_Slice_SynthProvider` reads `self.len`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65656, "scanner": "repobility-ast-engine", "fingerprint": "88e833da751cdfc56f75625c4459baec33a0afa2b0ea5b280e165016e5012143", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|88e833da751cdfc56f75625c4459baec33a0afa2b0ea5b280e165016e5012143"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/lldb_pretty_printers.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.ptr` used but never assigned in __init__: Method `update` of class `zig_Slice_SynthProvider` reads `self.ptr`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65655, "scanner": "repobility-ast-engine", "fingerprint": "2e0fee94879e95491ceee1d400724d7e4d29abc7daaaaf7243a9b3c1a1391326", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2e0fee94879e95491ceee1d400724d7e4d29abc7daaaaf7243a9b3c1a1391326"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/lldb_pretty_printers.py"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.elem_size` used but never assigned in __init__: Method `get_child_at_index` of class `bun_BabyList_SynthProvider` reads `self.elem_size`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65647, "scanner": "repobility-ast-engine", "fingerprint": "85d58337e653775283f3c2a997751aa2567c1faee8a817aa70d17389e0618599", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|85d58337e653775283f3c2a997751aa2567c1faee8a817aa70d17389e0618599"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.ptr` used but never assigned in __init__: Method `get_child_at_index` of class `bun_BabyList_SynthProvider` reads `self.ptr`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65646, "scanner": "repobility-ast-engine", "fingerprint": "936dbc1d4a2d77497e860188c6651132a96f049e50b165a47a5db5b29c4dbe4c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|936dbc1d4a2d77497e860188c6651132a96f049e50b165a47a5db5b29c4dbe4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.elem_type` used but never assigned in __init__: Method `get_child_at_index` of class `bun_BabyList_SynthProvider` reads `self.elem_type`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65645, "scanner": "repobility-ast-engine", "fingerprint": "352fa9ea41a102a7b4b0b78088bda246ecd14a6a7c558cd4129d7c162a559392", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|352fa9ea41a102a7b4b0b78088bda246ecd14a6a7c558cd4129d7c162a559392"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.len` used but never assigned in __init__: Method `get_child_at_index` of class `bun_BabyList_SynthProvider` reads `self.len`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65644, "scanner": "repobility-ast-engine", "fingerprint": "9e058cf4e9fd4eef55375fc4367a551b63d4620a0915e90df71b7eb672bfe89e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9e058cf4e9fd4eef55375fc4367a551b63d4620a0915e90df71b7eb672bfe89e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.len` used but never assigned in __init__: Method `num_children` of class `bun_BabyList_SynthProvider` reads `self.len`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65643, "scanner": "repobility-ast-engine", "fingerprint": "ec4244291a828ae9797c9e2a0e0207e9633769faafcb3c2b3515422fd57decda", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ec4244291a828ae9797c9e2a0e0207e9633769faafcb3c2b3515422fd57decda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.ptr` used but never assigned in __init__: Method `update` of class `bun_BabyList_SynthProvider` reads `self.ptr`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65642, "scanner": "repobility-ast-engine", "fingerprint": "082191a1f32ed82a013afdf9c4b28d147db9b19ccc7ae4dd2e36d102b3c2aabc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|082191a1f32ed82a013afdf9c4b28d147db9b19ccc7ae4dd2e36d102b3c2aabc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.cap` used but never assigned in __init__: Method `update` of class `bun_BabyList_SynthProvider` reads `self.cap`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65641, "scanner": "repobility-ast-engine", "fingerprint": "e164fd2dbb00c0db6c1586ed7318b92f47e0d773a44fd416b49349b7947cb11a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e164fd2dbb00c0db6c1586ed7318b92f47e0d773a44fd416b49349b7947cb11a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.len` used but never assigned in __init__: Method `update` of class `bun_BabyList_SynthProvider` reads `self.len`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65640, "scanner": "repobility-ast-engine", "fingerprint": "cc2d336e0df5dd69903f5a9f2fa5358cff669a523657a47e6321843a1199c5fd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cc2d336e0df5dd69903f5a9f2fa5358cff669a523657a47e6321843a1199c5fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.elem_type` used but never assigned in __init__: Method `update` of class `bun_BabyList_SynthProvider` reads `self.elem_type`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65639, "scanner": "repobility-ast-engine", "fingerprint": "432038392da17825d80d6f886bd879ef1df43fb869caa92a628e88bc16453042", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|432038392da17825d80d6f886bd879ef1df43fb869caa92a628e88bc16453042"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.elem_size` used but never assigned in __init__: Method `update` of class `bun_BabyList_SynthProvider` reads `self.elem_size`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65638, "scanner": "repobility-ast-engine", "fingerprint": "82c9ee36110f68a7dcec5842859904e56ee04a832b3fe27518f704090ddcb2d4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|82c9ee36110f68a7dcec5842859904e56ee04a832b3fe27518f704090ddcb2d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.elem_type` used but never assigned in __init__: Method `update` of class `bun_BabyList_SynthProvider` reads `self.elem_type`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65637, "scanner": "repobility-ast-engine", "fingerprint": "fbb1cfa23331e2a6030976090d66ec7c4eeb70df8eba27da031442606f0a671d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fbb1cfa23331e2a6030976090d66ec7c4eeb70df8eba27da031442606f0a671d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.cap` used but never assigned in __init__: Method `update` of class `bun_BabyList_SynthProvider` reads `self.cap`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65636, "scanner": "repobility-ast-engine", "fingerprint": "e3cc433d452bcbaf16a2dd075d3de682ff922f1126c63bb84ba770180e269754", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e3cc433d452bcbaf16a2dd075d3de682ff922f1126c63bb84ba770180e269754"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.len` used but never assigned in __init__: Method `update` of class `bun_BabyList_SynthProvider` reads `self.len`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65635, "scanner": "repobility-ast-engine", "fingerprint": "1d1375d65f9216f23cd9c0b13d34aef9019a7280159e6999bd2e60602bfcccdd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1d1375d65f9216f23cd9c0b13d34aef9019a7280159e6999bd2e60602bfcccdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.ptr` used but never assigned in __init__: Method `update` of class `bun_BabyList_SynthProvider` reads `self.ptr`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65634, "scanner": "repobility-ast-engine", "fingerprint": "0575867467022e9fa895ac6d74a404f1550fabfbb5ae0a4768152718e3efd2ca", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0575867467022e9fa895ac6d74a404f1550fabfbb5ae0a4768152718e3efd2ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.header_ptr_type` used but never assigned in __init__: Method `display_hint` of class `HashMapPrinter` reads `self.header_ptr_type`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65632, "scanner": "repobility-ast-engine", "fingerprint": "c25ed90df8044e69a1d03f237abf6fe99ac118d9c35ba72a3cd43f956d9cdc39", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c25ed90df8044e69a1d03f237abf6fe99ac118d9c35ba72a3cd43f956d9cdc39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/gdb/std_gdb_pretty_printers.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.display_hint` used but never assigned in __init__: Method `children` of class `HashMapPrinter` reads `self.display_hint`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65631, "scanner": "repobility-ast-engine", "fingerprint": "ff0809ab96a8d7c16cf0a3d689d45a967b779ad014f533317136ff8c7c8cf3c8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ff0809ab96a8d7c16cf0a3d689d45a967b779ad014f533317136ff8c7c8cf3c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/gdb/std_gdb_pretty_printers.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.header` used but never assigned in __init__: Method `children` of class `HashMapPrinter` reads `self.header`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65630, "scanner": "repobility-ast-engine", "fingerprint": "68dc9d2ad59332ed0dde2bcf14b9e7b767139c0d037f05f62f9d9dae9d5a80f9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|68dc9d2ad59332ed0dde2bcf14b9e7b767139c0d037f05f62f9d9dae9d5a80f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/gdb/std_gdb_pretty_printers.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.header` used but never assigned in __init__: Method `to_string` of class `HashMapPrinter` reads `self.header`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65629, "scanner": "repobility-ast-engine", "fingerprint": "aa0ac6fb9a9985cd09190569a4a06056ce154c9be6ddb9873b4937932d2be517", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aa0ac6fb9a9985cd09190569a4a06056ce154c9be6ddb9873b4937932d2be517"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/gdb/std_gdb_pretty_printers.py"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.header_ptr_type` used but never assigned in __init__: Method `header` of class `HashMapPrinter` reads `self.header_ptr_type`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65628, "scanner": "repobility-ast-engine", "fingerprint": "a02cdf4c9059065f9cc8b60124ba70b434e008d678dd1b5645e1c946a1e34cc2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a02cdf4c9059065f9cc8b60124ba70b434e008d678dd1b5645e1c946a1e34cc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/gdb/std_gdb_pretty_printers.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.slice` used but never assigned in __init__: Method `children` of class `MultiArrayListPrinter` reads `self.slice`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65627, "scanner": "repobility-ast-engine", "fingerprint": "ad2fe11e680d643384fc7fbc6de362b96f4c474bcc68513b78a12e44ecd99c73", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ad2fe11e680d643384fc7fbc6de362b96f4c474bcc68513b78a12e44ecd99c73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/gdb/std_gdb_pretty_printers.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.child_type` used but never assigned in __init__: Method `slice` of class `MultiArrayListPrinter` reads `self.child_type`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 65626, "scanner": "repobility-ast-engine", "fingerprint": "da77d0d18ed1dbf9b142b5b36f31d406863a86a37a733ca9a58ea77a0f478a29", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|da77d0d18ed1dbf9b142b5b36f31d406863a86a37a733ca9a58ea77a0f478a29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/gdb/std_gdb_pretty_printers.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 65609, "scanner": "repobility-threat-engine", "fingerprint": "fcb76252e61964448eae1f1a14302c2fe8cf3213833511df0f0f33066d86b74e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fcb76252e61964448eae1f1a14302c2fe8cf3213833511df0f0f33066d86b74e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-vscode/src/features/diagnostics/diagnostics.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just 
checksums)."}, "properties": {"repobilityId": 65605, "scanner": "repobility-threat-engine", "fingerprint": "035601a6ece6b5b16e0cc28bd372068abc7bca3a30b74f383d824016838ee893", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|035601a6ece6b5b16e0cc28bd372068abc7bca3a30b74f383d824016838ee893"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-uws/src/WebSocketHandshake.h"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 65604, "scanner": "repobility-threat-engine", "fingerprint": "aaaefea37108e7f9b3eeca5b306a604ae271694b5ed75db94001de7dec998aa2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aaaefea37108e7f9b3eeca5b306a604ae271694b5ed75db94001de7dec998aa2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-usockets/src/crypto/default_ciphers.h"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED012", "level": "error", "message": 
{"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 65603, "scanner": "repobility-threat-engine", "fingerprint": "f2c9602230e8a7c7f7153c5914c7bab815b2d1211710fcd80b588034862ee7ed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f2c9602230e8a7c7f7153c5914c7bab815b2d1211710fcd80b588034862ee7ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-release/src/npm/install.ts"}, "region": {"startLine": 125}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 65601, "scanner": "repobility-threat-engine", "fingerprint": "3fe7da056950879a426433523d46f73aeed4ed4b32f48a20172e9253995915e3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.diagnosticCollection.delete(uri);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3fe7da056950879a426433523d46f73aeed4ed4b32f48a20172e9253995915e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-vscode/src/features/diagnostics/diagnostics.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 65600, "scanner": "repobility-threat-engine", "fingerprint": "7c8b7f3ad78d434933281d9b4dfb8b2ba334b97ca5d1361885317a6b885df625", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "virtualCssModules.delete(path);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7c8b7f3ad78d434933281d9b4dfb8b2ba334b97ca5d1361885317a6b885df625"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-plugin-svelte/src/index.ts"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 65598, "scanner": "repobility-threat-engine", "fingerprint": "c4f4b5046b8ef13ce02ab384bd83b52afa4346fffdcacd1afe6c2ec1a427957e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c4f4b5046b8ef13ce02ab384bd83b52afa4346fffdcacd1afe6c2ec1a427957e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-native-plugin-rs/bun-macro/src/lib.rs"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": 
"[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 65583, "scanner": "repobility-threat-engine", "fingerprint": "b3d845febb9508dec30fc7aef04a7b2de696c5a02fd508a5dadfed3dc1880ecc", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(n", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b3d845febb9508dec30fc7aef04a7b2de696c5a02fd508a5dadfed3dc1880ecc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-debug-adapter-protocol/scripts/generate-protocol.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 65582, "scanner": "repobility-threat-engine", "fingerprint": "1d28d4ae16dee6f8b542c9e6b8eb943bd87bfdbeb9d4247d242ede588b648a45", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1d28d4ae16dee6f8b542c9e6b8eb943bd87bfdbeb9d4247d242ede588b648a45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/cold-jsc-start.cpp"}, "region": {"startLine": 167}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 65581, "scanner": "repobility-threat-engine", "fingerprint": "9a1c4875074b79d14b9a86524b5c0815001214be8c9013b8598beed5f0c6688e", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9a1c4875074b79d14b9a86524b5c0815001214be8c9013b8598beed5f0c6688e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/websocket-server/chat-server.bun.js"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. The matched text shows only an `exec(` call, so confirm the receiver is child_process and not another `.exec` method such as RegExp.prototype.exec before triaging. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 65579, "scanner": "repobility-threat-engine", "fingerprint": "4356a5e45636a26fd510d1f4d3335e5d7d0f5aac4b1f3097a2bbfff069c11499", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(line", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4356a5e45636a26fd510d1f4d3335e5d7d0f5aac4b1f3097a2bbfff069c11499"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-error/stack-trace-parser.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 65578, "scanner": "repobility-threat-engine", "fingerprint": "a917d43dba0d2143065cdffc5839eebd708286f0d3080fff64bb561dc3223bdd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(urlLike", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a917d43dba0d2143065cdffc5839eebd708286f0d3080fff64bb561dc3223bdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-error/runtime-error.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 65577, "scanner": "repobility-threat-engine", "fingerprint": "91541658b3b7fd4e2891e67c7abaa763edc3bda09dc03f89d72736b3e57683e4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(testURL", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|91541658b3b7fd4e2891e67c7abaa763edc3bda09dc03f89d72736b3e57683e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/snippets/urlpattern.js"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 65572, "scanner": "repobility-threat-engine", "fingerprint": "6b0adf579d8548e250afc901af4e9335b32134e82c9af944bbc4889f49c06a40", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6b0adf579d8548e250afc901af4e9335b32134e82c9af944bbc4889f49c06a40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/snippets/http3-hello.js"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template 
literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 65569, "scanner": "repobility-threat-engine", "fingerprint": "4b1f3dba67c881ebc5b80deae0c83b68877a4f711777db81d3efb35c6cf1365e", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(({ bin }) => `${owner}/${bin}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4b1f3dba67c881ebc5b80deae0c83b68877a4f711777db81d3efb35c6cf1365e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-release/scripts/upload-npm.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 65568, "scanner": "repobility-threat-engine", "fingerprint": "07e5da7acb6c0ab757d2df97d4465feb26f1320f40fa81f6bfe5984e0ab1fedb", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(({ name }) => `- ${name}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|07e5da7acb6c0ab757d2df97d4465feb26f1320f40fa81f6bfe5984e0ab1fedb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bun-release/scripts/upload-assets.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 65567, "scanner": "repobility-threat-engine", "fingerprint": "16c9eae8bf2249d503aefca277997f3d0247d4969a64142defbc04a60a6d1936", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((k, j) => `export * from \"./file${j}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|16c9eae8bf2249d503aefca277997f3d0247d4969a64142defbc04a60a6d1936"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/module-loader/create.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.ANTHROPIC_API_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Verify exposure before triaging: by default GitHub does not pass repository secrets to `pull_request` runs from forks, so the secret is reachable mainly from same-repository branches or under `pull_request_target`. 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65693, "scanner": "repobility-supply-chain", "fingerprint": "7ea4e5f588529f0bd5fa7bf81847f2a61111a3c576ad68264cf5564ecf4d53ef", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7ea4e5f588529f0bd5fa7bf81847f2a61111a3c576ad68264cf5564ecf4d53ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-find-issues-for-pr.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.ANTHROPIC_API_KEY }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Verify exposure before triaging: by default GitHub does not pass repository secrets to `pull_request` runs from forks, so the secret is reachable mainly from same-repository branches or under `pull_request_target`. 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context). When triaging, confirm the secret is actually exposed: by default GitHub does not pass repository secrets to `pull_request` runs that originate from forks, so the exposure applies mainly to same-repository branches and to `pull_request_target` workflows."}, "properties": {"repobilityId": 65692, "scanner": "repobility-supply-chain", "fingerprint": "396f02861c9ec9f80433cfa27c740e6eddc322181f5a7931f3c5ba6ee9915279", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|396f02861c9ec9f80433cfa27c740e6eddc322181f5a7931f3c5ba6ee9915279"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-find-issues-for-pr.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED120", "level": "error", "message": {"text": "[MINED120] package.json `scripts.install` runs network/exec on install: `scripts.install: node-gyp rebuild --debug -j max` runs during `npm install` on every developer's machine and in every CI build. Common crypto-miner / data-exfiltration vector. 
Even when intentional, the hook should be reviewed and pinned."}, "properties": {"repobilityId": 65691, "scanner": "repobility-supply-chain", "fingerprint": "61d2235c62ffa7aadf301d07dba180aa3f3dc9ce0e5aec45169cee96ba6fff63", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-postinstall-hook", "owasp": "A08:2021", "cwe_ids": ["CWE-506"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|61d2235c62ffa7aadf301d07dba180aa3f3dc9ce0e5aec45169cee96ba6fff63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/napi/napi-app/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `struct` used but not imported: The file uses `struct.something(...)` but never imports `struct`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 65633, "scanner": "repobility-ast-engine", "fingerprint": "dab458539d2f8592e663ad7dcb07f31b7789daa4040acbff74438bdfea85dd02", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dab458539d2f8592e663ad7dcb07f31b7789daa4040acbff74438bdfea85dd02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misctools/lldb/bun_pretty_printer.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 65566, "scanner": "repobility-threat-engine", "fingerprint": "b4d825f4e01d8a375d4db09e350221c8dcfe96369f13f6b97d714ec5babfbe6a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(bigPath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b4d825f4e01d8a375d4db09e350221c8dcfe96369f13f6b97d714ec5babfbe6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/sourcemap/internal-sourcemap-bench.ts"}, "region": {"startLine": 28}}}]}]}]}