{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/424"}, "properties": {"repository": "laravel/framework", "repoUrl": "https://github.com/laravel/framework.git", "branch": "13.x"}, "results": [{"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 23006, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23012, "scanner": "repobility-ai-code-hygiene", "fingerprint": "56cc369fd4e0f998c1973b44165a28ef39b9d95fb0995b315e2fd35c9cd77eff", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/Illuminate/Cache/FileStore.php", "duplicate_line": 81, "correlation_key": "fp|56cc369fd4e0f998c1973b44165a28ef39b9d95fb0995b315e2fd35c9cd77eff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Illuminate/Cache/StorageStore.php"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23011, "scanner": "repobility-ai-code-hygiene", "fingerprint": "65b4282fae03462da1fe2ac6a2dd3e5bb86dcf3d17fb3bb9625c3a7dd2491a04", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/Illuminate/Cache/Events/CacheFlushFailed.php", "duplicate_line": 4, "correlation_key": "fp|65b4282fae03462da1fe2ac6a2dd3e5bb86dcf3d17fb3bb9625c3a7dd2491a04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Illuminate/Cache/Events/CacheFlushing.php"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23010, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f9e77745c1d3b32c8621ee621ccb9afd08df6873234460970dcc21781b48ed59", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/Illuminate/Cache/Events/CacheFlushFailed.php", "duplicate_line": 4, "correlation_key": "fp|f9e77745c1d3b32c8621ee621ccb9afd08df6873234460970dcc21781b48ed59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Illuminate/Cache/Events/CacheFlushed.php"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23009, "scanner": "repobility-ai-code-hygiene", "fingerprint": "afb0f368d5a47ca95c5669b934c6e63338c7e6ba7cfe693a9d9e5106cdad6289", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/Illuminate/Broadcasting/Broadcasters/AblyBroadcaster.php", "duplicate_line": 15, "correlation_key": "fp|afb0f368d5a47ca95c5669b934c6e63338c7e6ba7cfe693a9d9e5106cdad6289"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Illuminate/Broadcasting/Broadcasters/PusherBroadcaster.php"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23008, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cc05d839c0fdd81ad7aafd5aac8f9d8f6f3c6dc8b1cabeb4a87e4f7c16ea4d7e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/Illuminate/Auth/DatabaseUserProvider.php", "duplicate_line": 71, "correlation_key": "fp|cc05d839c0fdd81ad7aafd5aac8f9d8f6f3c6dc8b1cabeb4a87e4f7c16ea4d7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Illuminate/Auth/EloquentUserProvider.php"}, "region": {"startLine": 69}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23007, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4b3c7a46b6fccfeb7ef7e7f88e9ad650b35e4b358b5f31936114fd00331cfad9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "config-stubs/app.php", "duplicate_line": 2, "correlation_key": "fp|4b3c7a46b6fccfeb7ef7e7f88e9ad650b35e4b358b5f31936114fd00331cfad9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/app.php"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 23005, "scanner": "repobility-threat-engine", "fingerprint": "4fe765806e6b34e3d72fae63b259bd50bc1935517aa0961748e215c4df2320ec", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4fe765806e6b34e3d72fae63b259bd50bc1935517aa0961748e215c4df2320ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Illuminate/Auth/Notifications/ResetPassword.php"}, "region": {"startLine": 96}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 16594, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}]}]}