{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC012", "name": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json", "shortDescription": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, "}, "fullDescription": {"text": "FastAPI exposes /docs, /redoc, and /openapi.json by default. 
Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.72, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR003", "name": "Compose service `mineru-gradio` image uses the latest tag", "shortDescription": {"text": "Compose service `mineru-gradio` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no 
.dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC034", "name": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines o", "shortDescription": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (S"}, "fullDescription": {"text": "Strip control characters before logging:\n  safe = user_input.replace('\\n','').replace('\\r','').replace('\\x00','')\n  logger.info('User action: %s', safe)\nAlways use parameterized logging (`%s` + args), never f-strings or string concat \u2014 that's also what mitigates log4shell-style attacks. For structured logging, use a JSON formatter that escapes values."}, "properties": {"scanner": "repobility-threat-engine", "category": "log_injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. 
Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC011", "name": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted", "shortDescription": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "fullDescription": {"text": "Use torch.load(..., weights_only=True) or use safetensors format."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "MINED124", "name": "requirements.txt: `mkdocs-video` has no version pin", "shortDescription": {"text": "requirements.txt: `mkdocs-video` has no version pin"}, "fullDescription": {"text": "Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "Mutable default argument in `__init__` (list)", "shortDescription": {"text": "Mutable default argument in `__init__` (list)"}, "fullDescription": {"text": "`def __init__(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": 
"no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Pip's package cache increases image size and can preserve unnecessary artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC124", "name": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacke", "shortDescription": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason."}, "fullDescription": {"text": "Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). 
For locking, use `fcntl.flock`."}, "properties": {"scanner": "repobility-threat-engine", "category": "race_condition", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `_normalize_split_title_blocks` has cognitive complexity 11 (SonarSource s", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `_normalize_split_title_blocks` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chain"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 11."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AIC005", "name": "Duplicate top-level symbol appears in a patch-style file", "shortDescription": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "fullDescription": {"text": "A generated replacement file defining the same public function or class name as another module can mean the new logic is not actually wired into the running code."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED001] Bare Except Pass (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED047", "name": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested.", "shortDescription": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED063", "name": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use.", "shortDescription": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-367 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 14 more): Same pattern found in 14 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-1188 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED073", "name": "[MINED073] Redos Greedy Quantifier: Pattern with nested quantifiers like (a+)+ applied to network/user data \u2014 denial of ", "shortDescription": {"text": "[MINED073] Redos Greedy Quantifier: Pattern with nested quantifiers like (a+)+ applied to network/user data \u2014 denial of service."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1333,CWE-400 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "DKC004", "name": "Compose service joins the host IPC namespace", "shortDescription": {"text": "Compose service joins the host IPC namespace"}, "fullDescription": {"text": "Sharing host namespaces reduces isolation and can expose host processes, networking, or IPC resources."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED036", "name": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping.", "shortDescription": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. 
Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. 
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `astral-sh/setup-uv` pinned to mutable ref `@v7`", "shortDescription": {"text": "Action `astral-sh/setup-uv` pinned to mutable ref `@v7`"}, "fullDescription": {"text": "`uses: astral-sh/setup-uv@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `cr.metax-tech.com/public-ai-release/maca/vllm:maca.ai3.1.0.7-torch2.6-py310-ubuntu22.04-amd64` not pinn", "shortDescription": {"text": "Dockerfile FROM `cr.metax-tech.com/public-ai-release/maca/vllm:maca.ai3.1.0.7-torch2.6-py310-ubuntu22.04-amd64` not pinned by digest"}, "fullDescription": {"text": "`FROM cr.metax-tech.com/public-ai-release/maca/vllm:maca.ai3.1.0.7-torch2.6-py310-ubuntu22.04-amd64` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "FastAPI POST (unknown path) has no auth", "shortDescription": {"text": "FastAPI POST (unknown path) has no auth"}, "fullDescription": {"text": "Handler `submit_parse_task` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.servers` used but never assigned in __init__", "shortDescription": {"text": "`self.servers` used but never assigned in __init__"}, "fullDescription": {"text": "Method `shutdown` of class `WorkerPool` reads `self.servers`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "Phantom test coverage: test_pipeline_with_two_config", "shortDescription": {"text": "Phantom test coverage: test_pipeline_with_two_config"}, "fullDescription": {"text": "Test function `test_pipeline_with_two_config` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/fi", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC116", "name": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrar", "shortDescription": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "fullDescription": {"text": "Use `YAML.safe_load(input, permitted_classes: [Date])` \u2014 explicit class allowlist. Never use `Marshal.load` on untrusted data; serialize as JSON instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC079", "name": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python obje", "shortDescription": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). 
Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "fullDescription": {"text": "Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "Missing import: `html` used but not imported", "shortDescription": {"text": "Missing import: `html` used but not imported"}, "fullDescription": {"text": "The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/847"}, "properties": {"repository": "opendatalab/MinerU", "repoUrl": "https://github.com/opendatalab/MinerU", "branch": "master"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 76643, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC012", "level": "warning", "message": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes 
/docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"repobilityId": 76641, "scanner": "repobility-access-control", "fingerprint": "27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899", "category": "auth", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"apps": [{"line": 1439, "file_path": "mineru/cli/router.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 214, "file_path": "mineru/cli/fast_api.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}], "scanner": "repobility-access-control", "correlation_key": "fp|27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899"}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 76640, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["FastAPI"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR003", "level": 
"warning", "message": {"text": "Compose service `mineru-gradio` image uses the latest tag"}, "properties": {"repobilityId": 76636, "scanner": "repobility-docker", "fingerprint": "5f9ce2420384400cd6e347f4dfe1a551e26fed59786902c8d436c454f7a8b62e", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "mineru:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5f9ce2420384400cd6e347f4dfe1a551e26fed59786902c8d436c454f7a8b62e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/compose.yaml"}, "region": {"startLine": 94}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `mineru-router` image uses the latest tag"}, "properties": {"repobilityId": 76632, "scanner": "repobility-docker", "fingerprint": "35f6479595a7b4690541ef9e5aa7378ec1c6b4718ffdb97e74e0441886cba3d5", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "mineru:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|35f6479595a7b4690541ef9e5aa7378ec1c6b4718ffdb97e74e0441886cba3d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/compose.yaml"}, "region": {"startLine": 59}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `mineru-api` image uses the latest tag"}, "properties": {"repobilityId": 76628, "scanner": 
"repobility-docker", "fingerprint": "349c9d3dde7f06763ef18f7d2d266c26890816c141a114dbb05555e7590241d1", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "mineru:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|349c9d3dde7f06763ef18f7d2d266c26890816c141a114dbb05555e7590241d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/compose.yaml"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `mineru-openai-server` image uses the latest tag"}, "properties": {"repobilityId": 76624, "scanner": "repobility-docker", "fingerprint": "0fd03c1ccc5a710ee8735b3875252d322175cf7478948313d17572a374fae350", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "mineru:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0fd03c1ccc5a710ee8735b3875252d322175cf7478948313d17572a374fae350"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 76623, "scanner": "repobility-docker", "fingerprint": "7f580b250b0f489a210962eed59c00fbfd1526f889d71d794bf40b10c9f5d5a8", "category": "docker", "severity": "medium", "confidence": 0.82, 
"triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "vllm/vllm-openai:v0.21.0", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7f580b250b0f489a210962eed59c00fbfd1526f889d71d794bf40b10c9f5d5a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/global/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 76620, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 76619, "scanner": "repobility-docker", "fingerprint": "29ab2693dcf2ecdc494da53b931bd46d16089a9f08cd81fb3d3456054c3f637a", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", 
"scanner": "repobility-docker", "final_base": "docker.m.daocloud.io/vllm/vllm-openai:v0.21.0", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|29ab2693dcf2ecdc494da53b931bd46d16089a9f08cd81fb3d3456054c3f637a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/china/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 76614, "scanner": "repobility-threat-engine", "fingerprint": "d0e0959a7cd2abfdb151fb1d9be019c3e2afae63a86a8217c3697db7e579e8b1", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.info(f\"Using {form", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d0e0959a7cd2abfdb151fb1d9be019c3e2afae63a86a8217c3697db7e579e8b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/engine_utils.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 76613, "scanner": "repobility-threat-engine", "fingerprint": "91e43b915d844eddf1461ef36cc8b5566893ba4e5a71e7d10c98e6462f3ef53e", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n                pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|91e43b915d844eddf1461ef36cc8b5566893ba4e5a71e7d10c98e6462f3ef53e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/pdf_text_tool.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 76612, "scanner": "repobility-threat-engine", "fingerprint": "89ad816cbe9f549dd08b86fdf80560d42a9e2d24e4d8669e2e4466c05852a76b", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception as e:\n                                pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|89ad816cbe9f549dd08b86fdf80560d42a9e2d24e4d8669e2e4466c05852a76b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/config_reader.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "SEC011", "level": "warning", "message": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute 
arbitrary code from untrusted model files."}, "properties": {"repobilityId": 76605, "scanner": "repobility-threat-engine", "fingerprint": "60a9d9e482bbb2bd00bdf60c49fc9e286b93df0afc09485233bf7891cf31c469", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "torch.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC011", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|19|sec011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/utils/pytorchocr/base_ocr_v20.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 76599, "scanner": "repobility-threat-engine", "fingerprint": "93a071cd81af745ca4c727bb4d0a9e6cf85a1e7f19c4131c6fa3dd5514e7e5b3", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|44|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/utils/pytorchocr/modeling/heads/__init__.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 76598, "scanner": "repobility-threat-engine", "fingerprint": "eb2b14c69d805f8efd48e47d363aa09350299b600481a6d173b1dbfcedf572e4", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|65|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/utils/pytorchocr/modeling/backbones/__init__.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 76597, "scanner": "repobility-threat-engine", "fingerprint": "435dd2273c0997b55b59733cd86ef31d7b337b3a4e38b9158ee20115ffb83760", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|47|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/utils/pytorchocr/data/imaug/__init__.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 76569, "scanner": "repobility-agent-runtime", "fingerprint": "47861ea6eca65a2a22a13cdc151c073fb91ed32517b80f025689870066192bff", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|47861ea6eca65a2a22a13cdc151c073fb91ed32517b80f025689870066192bff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/fast_api.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `mkdocs-video` has no version pin"}, "properties": {"repobilityId": 76544, "scanner": "repobility-supply-chain", "fingerprint": "ea3c09730bfe733f43a3f50feb953c824c9975ce8e092f9916abacbea52bd279", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ea3c09730bfe733f43a3f50feb953c824c9975ce8e092f9916abacbea52bd279"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/requirements.txt"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `markdown-gfm-admonition` has no version pin"}, "properties": {"repobilityId": 76543, "scanner": "repobility-supply-chain", "fingerprint": "de36dd51c5207e026f2db86f77d5da0cf310016963f44400d439c115628324f6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|de36dd51c5207e026f2db86f77d5da0cf310016963f44400d439c115628324f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `mkdocs-static-i18n` has no version pin"}, "properties": {"repobilityId": 76542, "scanner": "repobility-supply-chain", "fingerprint": "6b4bab7ac362ab407edf1bbdcaaa371cc535622bc7d8e55a626ee01876c9fe38", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|6b4bab7ac362ab407edf1bbdcaaa371cc535622bc7d8e55a626ee01876c9fe38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/requirements.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `mkdocs` has no version pin"}, "properties": {"repobilityId": 76541, "scanner": "repobility-supply-chain", "fingerprint": "aac7d9a98b0939d484ecfe9009dfe2d40f0a5d4278d05d541aeb633383743d05", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aac7d9a98b0939d484ecfe9009dfe2d40f0a5d4278d05d541aeb633383743d05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (list)"}, "properties": {"repobilityId": 76535, "scanner": "repobility-ast-engine", "fingerprint": "2bade0457d56608d2e548c08366b6f43f982312387c0293c6e8fba34ee3f784c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2bade0457d56608d2e548c08366b6f43f982312387c0293c6e8fba34ee3f784c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/utils/pytorchocr/modeling/necks/rnn.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (list)"}, 
"properties": {"repobilityId": 76534, "scanner": "repobility-ast-engine", "fingerprint": "22afddde068444f2050bd1ecba5a743b292c4743a60e508d76f1177dcee7e333", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|22afddde068444f2050bd1ecba5a743b292c4743a60e508d76f1177dcee7e333"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/utils/pytorchocr/modeling/backbones/rec_hgnet.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (list)"}, "properties": {"repobilityId": 76533, "scanner": "repobility-ast-engine", "fingerprint": "0e5366d92ece4880a30b1cc06e2cb977eba6e012212b64d5e9170f290be07ba1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0e5366d92ece4880a30b1cc06e2cb977eba6e012212b64d5e9170f290be07ba1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/utils/pytorchocr/modeling/backbones/rec_svtrnet.py"}, "region": {"startLine": 405}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (list)"}, "properties": {"repobilityId": 76532, "scanner": "repobility-ast-engine", "fingerprint": "9a6b82cb51c79db19af91b2e6fd8af2164327daa8be3356675dc3da163238b99", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9a6b82cb51c79db19af91b2e6fd8af2164327daa8be3356675dc3da163238b99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/utils/pytorchocr/modeling/backbones/rec_svtrnet.py"}, "region": {"startLine": 355}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (list)"}, "properties": {"repobilityId": 76531, "scanner": "repobility-ast-engine", "fingerprint": "fca91a9d0fa597da6e02bb8700fc716c06b0a86065148f1ebaf5baf11b3a58b4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fca91a9d0fa597da6e02bb8700fc716c06b0a86065148f1ebaf5baf11b3a58b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/utils/pytorchocr/modeling/backbones/rec_svtrnet.py"}, "region": {"startLine": 268}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (list)"}, "properties": {"repobilityId": 76530, "scanner": "repobility-ast-engine", "fingerprint": "9ad7404cdbc75c4c691f137026ac882a702a5293e4fbe4ba1c8a88ef489b8354", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|9ad7404cdbc75c4c691f137026ac882a702a5293e4fbe4ba1c8a88ef489b8354"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/utils/pytorchocr/modeling/backbones/rec_svtrnet.py"}, "region": {"startLine": 200}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (list)"}, "properties": {"repobilityId": 76529, "scanner": "repobility-ast-engine", "fingerprint": "f0d45f6d9fdb8dbd247cc05984a3c408d147e1149d11f2a810fce64bfb9f3cc7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f0d45f6d9fdb8dbd247cc05984a3c408d147e1149d11f2a810fce64bfb9f3cc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/utils/pytorchocr/modeling/backbones/rec_svtrnet.py"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (list)"}, "properties": {"repobilityId": 76528, "scanner": "repobility-ast-engine", "fingerprint": "3f31fb093cb1b049118957b036c534096707874cd018e4595c17d6f16667174b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3f31fb093cb1b049118957b036c534096707874cd018e4595c17d6f16667174b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/utils/pytorchocr/modeling/backbones/rec_svtrnet.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED109", 
"level": "warning", "message": {"text": "Mutable default argument in `__init__` (list)"}, "properties": {"repobilityId": 76527, "scanner": "repobility-ast-engine", "fingerprint": "7bed55a5bc16ca501e964e52881dbf7d134a20f5e093c99a153386479932dac0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7bed55a5bc16ca501e964e52881dbf7d134a20f5e093c99a153386479932dac0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/utils/pytorchocr/modeling/backbones/rec_pphgnetv2.py"}, "region": {"startLine": 1208}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (list)"}, "properties": {"repobilityId": 76526, "scanner": "repobility-ast-engine", "fingerprint": "3e33a3930cffa8eb0acdba64ceca6287452fa24f38c6200e2a8bd378542e48b1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3e33a3930cffa8eb0acdba64ceca6287452fa24f38c6200e2a8bd378542e48b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/utils/pytorchocr/modeling/backbones/rec_donut_swin.py"}, "region": {"startLine": 1098}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (list)"}, "properties": {"repobilityId": 76525, "scanner": "repobility-ast-engine", "fingerprint": "07f331b44509ce977aa495d0cf893c25b74e3d41cc309c4097eb26921d8829c0", "category": 
"quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|07f331b44509ce977aa495d0cf893c25b74e3d41cc309c4097eb26921d8829c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/utils/pytorchocr/modeling/backbones/rec_donut_swin.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (list)"}, "properties": {"repobilityId": 76524, "scanner": "repobility-ast-engine", "fingerprint": "d6221cab878e606bc89f9028b13bc8bf871398a8a98cce9b223ebe5371199c71", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d6221cab878e606bc89f9028b13bc8bf871398a8a98cce9b223ebe5371199c71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/utils/pytorchocr/modeling/backbones/rec_lcnetv3.py"}, "region": {"startLine": 355}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `__init__` (list)"}, "properties": {"repobilityId": 76523, "scanner": "repobility-ast-engine", "fingerprint": "c52381ebcdd3893f1e693cef8a0ff72ab15dd506a2bf0817b81542117ed66744", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], 
"observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c52381ebcdd3893f1e693cef8a0ff72ab15dd506a2bf0817b81542117ed66744"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/mfr/unimernet/unimernet_hf/unimer_swin/configuration_unimer_swin.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76522, "scanner": "repobility-ast-engine", "fingerprint": "074b09a4e58b61f7ccde91ad70f96aef9910b7d4db454f31d5a401efc12c6411", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|074b09a4e58b61f7ccde91ad70f96aef9910b7d4db454f31d5a401efc12c6411"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/xlsx/xlsx_converter.py"}, "region": {"startLine": 197}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76521, "scanner": "repobility-ast-engine", "fingerprint": "0fd62e5a3a0baca07fffe399151b24c7be7d1c1af793faf03b1beb3259bca1c2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0fd62e5a3a0baca07fffe399151b24c7be7d1c1af793faf03b1beb3259bca1c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/xlsx/xlsx_converter.py"}, "region": {"startLine": 205}}}]}, {"ruleId": "MINED109", 
"level": "warning", "message": {"text": "Mutable default argument in `parse_request_form` (list)"}, "properties": {"repobilityId": 76519, "scanner": "repobility-ast-engine", "fingerprint": "84bccb09b6fd7f578c26e0397260e362d7bb83b26d34ecb768482ee93859219f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|84bccb09b6fd7f578c26e0397260e362d7bb83b26d34ecb768482ee93859219f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/api_request.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76518, "scanner": "repobility-ast-engine", "fingerprint": "068419c65f0e6f25432e046e865fa165cfc44b464671d48ef757485df87daaf9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|068419c65f0e6f25432e046e865fa165cfc44b464671d48ef757485df87daaf9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/visualization.py"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76517, "scanner": "repobility-ast-engine", "fingerprint": "90a1baca5a2966fa7ccf8c43c35f8f3082e597f3555c85785cf4c8b812a306da", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": 
false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|90a1baca5a2966fa7ccf8c43c35f8f3082e597f3555c85785cf4c8b812a306da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/visualization.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76516, "scanner": "repobility-ast-engine", "fingerprint": "3c499d71567443fb1eb1a0007559df33a3d8c79b2d8749d8e866564d6ce2489c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3c499d71567443fb1eb1a0007559df33a3d8c79b2d8749d8e866564d6ce2489c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/fast_api.py"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76515, "scanner": "repobility-ast-engine", "fingerprint": "aad54d1556fc02f87036d3e6eaac3352e3d8995dc451f261a0f581b935039564", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aad54d1556fc02f87036d3e6eaac3352e3d8995dc451f261a0f581b935039564"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"mineru/cli/fast_api.py"}, "region": {"startLine": 611}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76514, "scanner": "repobility-ast-engine", "fingerprint": "25934ab66851a47ce9267db4f08c6afb90ff28d70c5bd71a5f7c10f96907cf8e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|25934ab66851a47ce9267db4f08c6afb90ff28d70c5bd71a5f7c10f96907cf8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/fast_api.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76513, "scanner": "repobility-ast-engine", "fingerprint": "2448edb68f92de109e08fdeb428b5f43e0d53df91d806fd98ffece74cbde5d47", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2448edb68f92de109e08fdeb428b5f43e0d53df91d806fd98ffece74cbde5d47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/gradio_app.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76512, "scanner": "repobility-ast-engine", "fingerprint": "a3824f78dd765a8d03418d393ec0f10f0034f739f64d654abd94aea9f25f74e7", "category": "quality", "severity": "medium", "confidence": 1.0, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a3824f78dd765a8d03418d393ec0f10f0034f739f64d654abd94aea9f25f74e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/router.py"}, "region": {"startLine": 683}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76511, "scanner": "repobility-ast-engine", "fingerprint": "3e6f92efd79af4aed78179af558f4c4d6240a3f91b67151a94f07bf2ab8fc0ce", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3e6f92efd79af4aed78179af558f4c4d6240a3f91b67151a94f07bf2ab8fc0ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/router.py"}, "region": {"startLine": 758}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76510, "scanner": "repobility-ast-engine", "fingerprint": "d5abce66ad0a94f356f5c3a95f9695f8957ae18fe748b33abde6d98869a0eb57", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d5abce66ad0a94f356f5c3a95f9695f8957ae18fe748b33abde6d98869a0eb57"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/router.py"}, "region": {"startLine": 618}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76509, "scanner": "repobility-ast-engine", "fingerprint": "02ee05d2db1ee74d7c7f33c314e5d0018554637429772d4c9d2205bb5fd1bb87", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|02ee05d2db1ee74d7c7f33c314e5d0018554637429772d4c9d2205bb5fd1bb87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/router.py"}, "region": {"startLine": 163}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76498, "scanner": "repobility-ast-engine", "fingerprint": "503781dc7cba5bfd00ae3adf3d7699811635605610dca41345ace655932b6d6f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|503781dc7cba5bfd00ae3adf3d7699811635605610dca41345ace655932b6d6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/client.py"}, "region": {"startLine": 754}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76488, "scanner": "repobility-ast-engine", "fingerprint": "752f7f7fa947a1fa5867d2f94c19fc211b6256deff14e291be665dd58f1187c0", "category": "quality", 
"severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|752f7f7fa947a1fa5867d2f94c19fc211b6256deff14e291be665dd58f1187c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/api_client.py"}, "region": {"startLine": 584}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76487, "scanner": "repobility-ast-engine", "fingerprint": "7de76315b828ddd8c41b450a6a4be09e6cf8dbadf9138f2a0e802fcfa3f547a5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7de76315b828ddd8c41b450a6a4be09e6cf8dbadf9138f2a0e802fcfa3f547a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/api_client.py"}, "region": {"startLine": 711}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76479, "scanner": "repobility-ast-engine", "fingerprint": "589df23da2cc17a2782ce509dd56cc49c21d58ec44a00db87443bbb92bb6ee58", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|589df23da2cc17a2782ce509dd56cc49c21d58ec44a00db87443bbb92bb6ee58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/language.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76478, "scanner": "repobility-ast-engine", "fingerprint": "9fa2089d2aba55524e548bcb954f9fb05ceb63d642404e8b543d7c1ca9c63cf5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9fa2089d2aba55524e548bcb954f9fb05ceb63d642404e8b543d7c1ca9c63cf5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/language.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76477, "scanner": "repobility-ast-engine", "fingerprint": "3617cb343ac01227f9b75272544fb230a592716094f19a6e01042315c122c93f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3617cb343ac01227f9b75272544fb230a592716094f19a6e01042315c122c93f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/pdfium_guard.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76476, "scanner": "repobility-ast-engine", 
"fingerprint": "769950de93517ff16ae2d97bac21216d16665518536c531a2a63f2a6bc5ee054", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|769950de93517ff16ae2d97bac21216d16665518536c531a2a63f2a6bc5ee054"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/guess_suffix_or_lang.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76475, "scanner": "repobility-ast-engine", "fingerprint": "bdbbc8fcdac95ce31277d8757e68ad53cc12c5d75d9559264caa00a2f576dca9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bdbbc8fcdac95ce31277d8757e68ad53cc12c5d75d9559264caa00a2f576dca9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/config_reader.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76474, "scanner": "repobility-ast-engine", "fingerprint": "3efb0b71290ea8f5184f04c4df3b4caa06281e803cf7bf685baa057a678b7887", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], 
"observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3efb0b71290ea8f5184f04c4df3b4caa06281e803cf7bf685baa057a678b7887"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/config_reader.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76473, "scanner": "repobility-ast-engine", "fingerprint": "a9de94f7d00626bd84585acdb65236f23596a081270a1bd05e1ac266b8a0e894", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a9de94f7d00626bd84585acdb65236f23596a081270a1bd05e1ac266b8a0e894"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/config_reader.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76472, "scanner": "repobility-ast-engine", "fingerprint": "725292d28da9b5f373844c5cc37f5017f77fa92e92416cc671ab66b52afc5722", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|725292d28da9b5f373844c5cc37f5017f77fa92e92416cc671ab66b52afc5722"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/config_reader.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues 
silently"}, "properties": {"repobilityId": 76471, "scanner": "repobility-ast-engine", "fingerprint": "cd91948e4cb3aeb41a3de9aed76468a2efc4f9da4f067c0e70cc305e49de9e55", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cd91948e4cb3aeb41a3de9aed76468a2efc4f9da4f067c0e70cc305e49de9e55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_e2e.py"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 76469, "scanner": "repobility-ast-engine", "fingerprint": "8aa84a3178550cd337ac46f10ed27000ebc8d53d18774646ba1e894caa6a9fa5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8aa84a3178550cd337ac46f10ed27000ebc8d53d18774646ba1e894caa6a9fa5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "update_version.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 76642, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": 
"needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["FastAPI"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 76639, "scanner": "repobility-docker", "fingerprint": "11a3bce1b19ba605e92a29b8665c65767bea66ce55df51ff6efe64245ba1fe46", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "mineru-gradio", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|11a3bce1b19ba605e92a29b8665c65767bea66ce55df51ff6efe64245ba1fe46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/compose.yaml"}, "region": {"startLine": 94}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 76638, "scanner": "repobility-docker", "fingerprint": "d43fbe8b1c4dee688f0fac14d070bb1a9186fd8c194226bbed37914d7d57ecb0", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "mineru-gradio", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d43fbe8b1c4dee688f0fac14d070bb1a9186fd8c194226bbed37914d7d57ecb0"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "docker/compose.yaml"}, "region": {"startLine": 94}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 76635, "scanner": "repobility-docker", "fingerprint": "c4a2de5e32fac634a7e906244eb92a19201c7b9d5573e017df8a9ed50d4c0682", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "mineru-router", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c4a2de5e32fac634a7e906244eb92a19201c7b9d5573e017df8a9ed50d4c0682"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/compose.yaml"}, "region": {"startLine": 59}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 76634, "scanner": "repobility-docker", "fingerprint": "f0f265cbb22c5676bab7c09d70398800a8b616e7bcfe1ec318fe8b0bca7abfd5", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "mineru-router", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f0f265cbb22c5676bab7c09d70398800a8b616e7bcfe1ec318fe8b0bca7abfd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/compose.yaml"}, "region": {"startLine": 59}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": 
{"repobilityId": 76631, "scanner": "repobility-docker", "fingerprint": "9b3d44293dbded675e1d595a6e28f151e403670aaf2df7ad1158f31f178fc03a", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "mineru-api", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9b3d44293dbded675e1d595a6e28f151e403670aaf2df7ad1158f31f178fc03a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/compose.yaml"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 76630, "scanner": "repobility-docker", "fingerprint": "9b37f34f620e8c32762ad006d0e96ad45c7f22b4bbeb86ce245260d681bf91ab", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "mineru-api", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9b37f34f620e8c32762ad006d0e96ad45c7f22b4bbeb86ce245260d681bf91ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/compose.yaml"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 76627, "scanner": "repobility-docker", "fingerprint": "8ea35b1044fc340dde1501ef6efbe5b4e502c5e956a857e033391dd48c36f442", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", 
"verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "mineru-openai-server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8ea35b1044fc340dde1501ef6efbe5b4e502c5e956a857e033391dd48c36f442"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 76626, "scanner": "repobility-docker", "fingerprint": "440301e83a18774ba9f2b646f99291d8e680c21866367be6f9995f23f9581ca5", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "mineru-openai-server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|440301e83a18774ba9f2b646f99291d8e680c21866367be6f9995f23f9581ca5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 76622, "scanner": "repobility-docker", "fingerprint": "9bab7e50ba994d3435291a2cd56a8487ff65cd6ce34a91e5b306a5a191f5581c", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9bab7e50ba994d3435291a2cd56a8487ff65cd6ce34a91e5b306a5a191f5581c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/global/Dockerfile"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 76621, "scanner": "repobility-docker", "fingerprint": "00085cc750d7673194116e08f85e4c9033d56896cf91dbe3fe82592805b70b68", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|00085cc750d7673194116e08f85e4c9033d56896cf91dbe3fe82592805b70b68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/global/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 76618, "scanner": "repobility-docker", "fingerprint": "4075101fbbb3e4c89867fa297cd1619a43a8417d730002a96e9fd3ac2aec0f22", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|4075101fbbb3e4c89867fa297cd1619a43a8417d730002a96e9fd3ac2aec0f22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/china/Dockerfile"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR011", 
"level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 76617, "scanner": "repobility-docker", "fingerprint": "4b99551b0604205242a19b82967713e7cc2f195b571fbf927c0f1abbd9895d6c", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4b99551b0604205242a19b82967713e7cc2f195b571fbf927c0f1abbd9895d6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/china/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC124", "level": "note", "message": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). 
`mktemp` is deprecated for the same reason. In this match the check is `os.path.exists` on the parent directory of `fn_path` followed by `os.makedirs`; `os.makedirs(..., exist_ok=True)` creates the directory without a separate existence check (the empty-dirname guard is still needed)."}, "properties": {"repobilityId": 76592, "scanner": "repobility-threat-engine", "fingerprint": "a380cc0a30724f9606bc4f104581fd19144575710e5bd3335ba1b558a54607e7", "category": "race_condition", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.path.exists(os.path.dirname(fn_path)) and os.path.dirname(fn_path) != \"\":\n            os.makedirs", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC124", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a380cc0a30724f9606bc4f104581fd19144575710e5bd3335ba1b558a54607e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/data/data_reader_writer/filebase.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `_normalize_split_title_blocks` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=1, for=3, if=1, nested_bonus=6."}, "properties": {"repobilityId": 76579, "scanner": "repobility-threat-engine", "fingerprint": "db2a2b47719626fc30236687780ed7b22b86f316a1c9166b30702464dc1fed12", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 11 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_normalize_split_title_blocks", "breakdown": {"if": 1, "for": 3, "continue": 1, "nested_bonus": 6}, "complexity": 11, "correlation_key": "fp|db2a2b47719626fc30236687780ed7b22b86f316a1c9166b30702464dc1fed12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/backend/hybrid/hybrid_model_output_to_middle_json.py"}, "region": {"startLine": 167}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `_resolve_title_line_avg_height` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=1, for=2, if=4, nested_bonus=6."}, "properties": {"repobilityId": 76578, "scanner": "repobility-threat-engine", "fingerprint": "148259e63c93ec1f77882c8419da56e7575780071401e3a167f7177fde860a82", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 13 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_resolve_title_line_avg_height", "breakdown": {"if": 4, "for": 2, "continue": 1, "nested_bonus": 6}, "complexity": 13, "correlation_key": "fp|148259e63c93ec1f77882c8419da56e7575780071401e3a167f7177fde860a82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/backend/hybrid/hybrid_model_output_to_middle_json.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC005", "level": "note", "message": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "properties": {"repobilityId": 76468, "scanner": "repobility-ai-code-hygiene", "fingerprint": "312ce49e639858ae07de25c23c7c51c790f1aa57df1907251349244bd4630db2", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Patch-style file defines a top-level symbol also defined in another source file.", "evidence": {"symbol": "merge_spans_to_line", "rule_id": "AIC005", "scanner": "repobility-ai-code-hygiene", "references": ["https://github.com/jendrikseipp/vulture", "https://knip.dev/"], "duplicate_file": "mineru/utils/ocr_utils.py", "correlation_key": "fp|312ce49e639858ae07de25c23c7c51c790f1aa57df1907251349244bd4630db2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/span_block_fix.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76467, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "48dd1423b7e5e09d84546c0191f7a9924bbcd9ded9586bac2ce24f1bf1b22f03", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mineru/backend/office/office_magic_model.py", "duplicate_line": 455, "correlation_key": "fp|48dd1423b7e5e09d84546c0191f7a9924bbcd9ded9586bac2ce24f1bf1b22f03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/visual_magic_model_utils.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76466, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fb637c6bd84419ea2fd9e314c02f209fe5acf16e2d3e8c44f74deb09439239bf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mineru/backend/pipeline/pipeline_magic_model.py", "duplicate_line": 45, "correlation_key": "fp|fb637c6bd84419ea2fd9e314c02f209fe5acf16e2d3e8c44f74deb09439239bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/visual_magic_model_utils.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76465, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"468f9556627e36fb859364cc79d69fa9d9001de340a3b7f0fe28c345db79daa6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mineru/model/utils/tools/infer/predict_system.py", "duplicate_line": 75, "correlation_key": "fp|468f9556627e36fb859364cc79d69fa9d9001de340a3b7f0fe28c345db79daa6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/ocr_utils.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76464, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3a8fe27043bdca3537c2d8ff13d8c3e557ed47bda345ee3d6c30d2e88866f9ea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mineru/model/utils/pytorchocr/modeling/architectures/base_model.py", "duplicate_line": 39, "correlation_key": "fp|3a8fe27043bdca3537c2d8ff13d8c3e557ed47bda345ee3d6c30d2e88866f9ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/utils/pytorchocr/modeling/necks/rnn.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76463, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7bfec2df27ef692832b551fdeb6c82bccd4dc31879a0c0650c50ca2d627e8359", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mineru/model/utils/pytorchocr/modeling/backbones/rec_svtrnet.py", "duplicate_line": 528, "correlation_key": "fp|7bfec2df27ef692832b551fdeb6c82bccd4dc31879a0c0650c50ca2d627e8359"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/utils/pytorchocr/modeling/necks/rnn.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76462, "scanner": "repobility-ai-code-hygiene", "fingerprint": "887d4a23983b8d74afe416d7f48e6a8d6b34bc7c86c8a0c3dd5000f9c2e943e4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mineru/model/utils/pytorchocr/modeling/architectures/base_model.py", "duplicate_line": 39, "correlation_key": "fp|887d4a23983b8d74afe416d7f48e6a8d6b34bc7c86c8a0c3dd5000f9c2e943e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/utils/pytorchocr/modeling/backbones/rec_svtrnet.py"}, "region": {"startLine": 530}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76461, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4325ebba09f01a3e8efdbfd11ad33da13aa15c6319533931ebcab864345da974", "category": "quality", "severity": "low", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mineru/model/utils/pytorchocr/modeling/backbones/det_mobilenet_v3.py", "duplicate_line": 208, "correlation_key": "fp|4325ebba09f01a3e8efdbfd11ad33da13aa15c6319533931ebcab864345da974"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/utils/pytorchocr/modeling/backbones/rec_mobilenet_v3.py"}, "region": {"startLine": 89}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76460, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0ab9fecca5e41d1f59a673abbbf627acaacfaa36f0da7cdc3103335de35983c4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mineru/model/table/rec/slanet_plus/table_structure_utils.py", "duplicate_line": 20, "correlation_key": "fp|0ab9fecca5e41d1f59a673abbbf627acaacfaa36f0da7cdc3103335de35983c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/table/rec/unet_table/utils.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76459, "scanner": "repobility-ai-code-hygiene", "fingerprint": "55f52641fcf4e1627f156d24f61a32e8827bea2f9d466d342c8a04d2f3fbccaa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mineru/model/mfr/pp_formulanet_plus_m/predict_formula.py", "duplicate_line": 60, "correlation_key": "fp|55f52641fcf4e1627f156d24f61a32e8827bea2f9d466d342c8a04d2f3fbccaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/mfr/unimernet/Unimernet.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76458, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dab499b330c938cd6701a4f88a58c10397e95c4dbf7eaa929ee050ccd1ac8fbe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mineru/backend/office/mkcontent/output_builders.py", "duplicate_line": 392, "correlation_key": "fp|dab499b330c938cd6701a4f88a58c10397e95c4dbf7eaa929ee050ccd1ac8fbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/backend/vlm/vlm_middle_json_mkcontent.py"}, "region": {"startLine": 366}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76457, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b2ec7e1d2cbe7fff405a4b616ad83db56ed0017a742e5ecaf819ac6676452b45", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different 
non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mineru/backend/pipeline/pipeline_middle_json_mkcontent.py", "duplicate_line": 173, "correlation_key": "fp|b2ec7e1d2cbe7fff405a4b616ad83db56ed0017a742e5ecaf819ac6676452b45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/backend/vlm/vlm_middle_json_mkcontent.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76456, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8e455111cd230270fc0881b5c272e8c621595c7cfa33edcc673577781bb9166f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mineru/backend/hybrid/hybrid_magic_model.py", "duplicate_line": 100, "correlation_key": "fp|8e455111cd230270fc0881b5c272e8c621595c7cfa33edcc673577781bb9166f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/backend/vlm/vlm_magic_model.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76455, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fea918a6afe95bda673a962e376b9d7f8ef7bde6160e0abd98d9d9ed10b7cdc0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mineru/backend/hybrid/hybrid_analyze.py", "duplicate_line": 603, "correlation_key": "fp|fea918a6afe95bda673a962e376b9d7f8ef7bde6160e0abd98d9d9ed10b7cdc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/backend/vlm/vlm_analyze.py"}, "region": {"startLine": 349}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76454, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1b792913128cfdaa74b6cab74c5e92224aaf4d2a4c3398703464c68e031142e0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mineru/backend/hybrid/hybrid_model_output_to_middle_json.py", "duplicate_line": 79, "correlation_key": "fp|1b792913128cfdaa74b6cab74c5e92224aaf4d2a4c3398703464c68e031142e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/backend/vlm/model_output_to_middle_json.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76453, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1218922d7c18fb4a53ad6a2840bff4a0174dcd57e4ef7f893100e329e93ee5df", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"mineru/backend/pipeline/model_init.py", "duplicate_line": 256, "correlation_key": "fp|1218922d7c18fb4a53ad6a2840bff4a0174dcd57e4ef7f893100e329e93ee5df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/backend/pipeline/pipeline_analyze.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76452, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6fc5e0c19c130c774b561dd7db10508d5f1ab9ecff8844f59100a964f3a9ba74", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mineru/backend/hybrid/hybrid_model_output_to_middle_json.py", "duplicate_line": 119, "correlation_key": "fp|6fc5e0c19c130c774b561dd7db10508d5f1ab9ecff8844f59100a964f3a9ba74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/backend/pipeline/model_json_to_middle_json.py"}, "region": {"startLine": 200}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 76451, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c509cdd52fc4d1db3254f22c67669e4e6d19a09f7ac7aa72f5e8c50ee9133618", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mineru/backend/office/pptx_analyze.py", "duplicate_line": 7, "correlation_key": 
"fp|c509cdd52fc4d1db3254f22c67669e4e6d19a09f7ac7aa72f5e8c50ee9133618"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/backend/office/xlsx_analyze.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 76450, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6f814ade954df687ec90d8d4d8c9db61975adf8721876d0146386878c1d036f0", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "fix", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|6f814ade954df687ec90d8d4d8c9db61975adf8721876d0146386878c1d036f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/span_block_fix.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 76616, "scanner": "repobility-threat-engine", "fingerprint": "bafca505a083d62765162c040ef9b11e7dcb3e2fd81f47f1462810001e153fe2", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "print(os.getenv(\"FTLANG_CACHE\")", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|mineru/utils/language.py|4|print os.getenv ftlang_cache"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/language.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED001", "level": "none", "message": {"text": "[MINED001] Bare Except Pass (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 76611, "scanner": "repobility-threat-engine", "fingerprint": "3ed4a11ec48650075e843160edf55362aa121897a652d0286a1dc826dd94d954", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3ed4a11ec48650075e843160edf55362aa121897a652d0286a1dc826dd94d954", "aggregated_count": 1}}}, {"ruleId": "SEC011", "level": "none", "message": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "properties": {"repobilityId": 76604, "scanner": "repobility-threat-engine", "fingerprint": "072f4714ea473ec917e63015f1233e47f5e91a0923ed69c67125b9a821516045", "category": "deserialization", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'weights_only\\s*=\\s*True' detected on same line", "evidence": {"match": "torch.load(", "reason": "Safe pattern 'weights_only\\s*=\\s*True' detected on same line", "rule_id": "SEC011", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|deserialization|token|110|sec011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/mfr/unimernet/unimernet_hf/modeling_unimernet.py"}, "region": {"startLine": 110}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 6 more): Same pattern found in 6 additional files. 
Review if needed."}, "properties": {"repobilityId": 76600, "scanner": "repobility-threat-engine", "fingerprint": "c80ff157c0dd4f06d29a253eef2e040bc846fc539581945c90fe13c6ec14dd22", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c80ff157c0dd4f06d29a253eef2e040bc846fc539581945c90fe13c6ec14dd22"}}}, {"ruleId": "SEC007", "level": "none", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 76596, "scanner": "repobility-threat-engine", "fingerprint": "e89866dae63f76012be44873c07aa14d3a790a3ec6eb815157e607acfb13751b", "category": "deserialization", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'FullLoader' detected on same line (FullLoader is more permissive than SafeLoader, and PyYAML recommends yaml.safe_load for untrusted input; confirm the YAML source is trusted)", "evidence": {"match": "yaml.load(", "reason": "Safe pattern 'FullLoader' detected on same line (FullLoader is more permissive than SafeLoader, and PyYAML recommends yaml.safe_load for untrusted input; confirm the YAML source is trusted)", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|deserialization|token|60|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/mfr/pp_formulanet_plus_m/predict_formula.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 76595, "scanner": "repobility-threat-engine", "fingerprint": 
"cec1faa05b1b27ad0afd4fa659d5787df177e55c43d61f30dbbd66a63521586c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cec1faa05b1b27ad0afd4fa659d5787df177e55c43d61f30dbbd66a63521586c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/pptx/package_normalizer.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 76594, "scanner": "repobility-threat-engine", "fingerprint": "f995c6b44077f8ed070dfed314c634d4ca5c3357929227e249382b0261bb846e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f995c6b44077f8ed070dfed314c634d4ca5c3357929227e249382b0261bb846e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/docx/tools/office_xml.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments 
\u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 76593, "scanner": "repobility-threat-engine", "fingerprint": "6c55481dde8fad4dda48f86e664b6d89b2a772139746258b2a98ebfdcf629748", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6c55481dde8fad4dda48f86e664b6d89b2a772139746258b2a98ebfdcf629748"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/docx/tools/math/latex_dict.py"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 76591, "scanner": "repobility-threat-engine", "fingerprint": "799cf7be584c0a8e070780d98493f752fafc452735234b55c5ea7b11a9e78914", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|799cf7be584c0a8e070780d98493f752fafc452735234b55c5ea7b11a9e78914"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/data/io/http.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 76590, "scanner": "repobility-threat-engine", "fingerprint": "d14e9b683e3d9d439c00fcacbb4e41356754b138a4efef2a6e00b847dee81215", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d14e9b683e3d9d439c00fcacbb4e41356754b138a4efef2a6e00b847dee81215"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/models_download.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED063", "level": "none", "message": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "properties": {"repobilityId": 76589, "scanner": "repobility-threat-engine", "fingerprint": "ff5a032bf813f2887be66ada0d5a0467556489caa394117d8d0fb616ece3b703", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "toctou-os-path-exists", "owasp": null, "cwe_ids": ["CWE-367"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348048+00:00", "triaged_in_corpus": 12, "observations_count": 90754, "ai_coder_pattern_id": 41}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ff5a032bf813f2887be66ada0d5a0467556489caa394117d8d0fb616ece3b703"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/models_download.py"}, "region": {"startLine": 
26}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 76586, "scanner": "repobility-threat-engine", "fingerprint": "43bdccc3bad63d29eee5c236dc420a840f0abaa2083e9c032122d0fb2ac83096", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|43bdccc3bad63d29eee5c236dc420a840f0abaa2083e9c032122d0fb2ac83096"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/api_request.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 76585, "scanner": "repobility-threat-engine", "fingerprint": "63475f3d692f137d86224f7a6e225d0a700e355ba9d6880f3f7875d570f8ac7b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|63475f3d692f137d86224f7a6e225d0a700e355ba9d6880f3f7875d570f8ac7b", "aggregated_count": 14}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 76584, "scanner": "repobility-threat-engine", "fingerprint": "ccdc76486c5d870eeb529388cb3558f1873a0c3127d78d457c03fb7c4eaa3aa5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ccdc76486c5d870eeb529388cb3558f1873a0c3127d78d457c03fb7c4eaa3aa5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/data/data_reader_writer/dummy.py"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 76583, "scanner": "repobility-threat-engine", "fingerprint": "d2d5b4a090f0a25d021617390a0a00bdd552650eb31fe341e5575e1d12cee3a7", "category": "quality", 
"severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d2d5b4a090f0a25d021617390a0a00bdd552650eb31fe341e5575e1d12cee3a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/data/data_reader_writer/base.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 76582, "scanner": "repobility-threat-engine", "fingerprint": "e69df5ce0bef420b6660e2065096b353636eb77c878aea88ec5a70492129477a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e69df5ce0bef420b6660e2065096b353636eb77c878aea88ec5a70492129477a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/backend/utils/runtime_utils.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED073", "level": "none", "message": {"text": "[MINED073] Redos Greedy Quantifier: Pattern with nested quantifiers like (a+)+ applied to network/user data 
\u2014 denial of service."}, "properties": {"repobilityId": 76581, "scanner": "repobility-threat-engine", "fingerprint": "243dbdd9a072b7d5b1ef6a452489a7e9f96baae6873b2384b39ec6ed7ff126df", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "redos-greedy-quantifier", "owasp": "A06:2021", "cwe_ids": ["CWE-1333", "CWE-400"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348072+00:00", "triaged_in_corpus": 12, "observations_count": 12702, "ai_coder_pattern_id": 35}, "scanner": "repobility-threat-engine", "correlation_key": "fp|243dbdd9a072b7d5b1ef6a452489a7e9f96baae6873b2384b39ec6ed7ff126df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/backend/office/model_output_to_middle_json.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 72 more): Same pattern found in 72 additional files. Review if needed."}, "properties": {"repobilityId": 76580, "scanner": "repobility-threat-engine", "fingerprint": "7b644dc6da792c50b665551471cb4192e5f1c7269a05cdd5f97bed219c214cde", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 72 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "_apply_post_ocr", "breakdown": {"if": 4, "for": 6, "elif": 1, "else": 1, "continue": 1, "nested_bonus": 17}, "aggregated": true, "complexity": 30, "correlation_key": "fp|7b644dc6da792c50b665551471cb4192e5f1c7269a05cdd5f97bed219c214cde", "aggregated_count": 72}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 76576, "scanner": "repobility-threat-engine", "fingerprint": "f3554231f2d32a33a651c3b39559f3d21263dabefeb5c7ba90040f806b6ba0ca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f3554231f2d32a33a651c3b39559f3d21263dabefeb5c7ba90040f806b6ba0ca"}}}, {"ruleId": "DKC004", "level": "error", "message": {"text": "Compose service joins the host IPC namespace"}, "properties": {"repobilityId": 76637, "scanner": "repobility-docker", "fingerprint": "57da88847817515d66074636aad4b236f4acca1dc0cb8b01f393cc92a86ab951", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "ipc: host was set on the service.", "evidence": {"rule_id": "DKC004", "scanner": "repobility-docker", "service": "mineru-gradio", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|57da88847817515d66074636aad4b236f4acca1dc0cb8b01f393cc92a86ab951"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/compose.yaml"}, "region": {"startLine": 94}}}]}, {"ruleId": "DKC004", "level": "error", "message": {"text": "Compose service joins the host IPC namespace"}, "properties": {"repobilityId": 76633, "scanner": "repobility-docker", "fingerprint": "2fd91ed2df61a883ddacae21c4d799ae9b5cc1caae37d2c684a1c6f51ada235d", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "ipc: host was set on the service.", "evidence": {"rule_id": "DKC004", "scanner": "repobility-docker", "service": "mineru-router", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2fd91ed2df61a883ddacae21c4d799ae9b5cc1caae37d2c684a1c6f51ada235d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/compose.yaml"}, "region": {"startLine": 59}}}]}, {"ruleId": "DKC004", "level": "error", "message": {"text": "Compose service 
joins the host IPC namespace"}, "properties": {"repobilityId": 76629, "scanner": "repobility-docker", "fingerprint": "c622e8d7eb1040b9e9e596e9ac24dc94fa60654b61fd40bdcdd8d59b5637dc49", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "ipc: host was set on the service.", "evidence": {"rule_id": "DKC004", "scanner": "repobility-docker", "service": "mineru-api", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c622e8d7eb1040b9e9e596e9ac24dc94fa60654b61fd40bdcdd8d59b5637dc49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/compose.yaml"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKC004", "level": "error", "message": {"text": "Compose service joins the host IPC namespace"}, "properties": {"repobilityId": 76625, "scanner": "repobility-docker", "fingerprint": "d7c8b8cf39d5d4b3ebee622f6764121a4c607f8e746fb22071be37ec5e3eb9e7", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "ipc: host was set on the service.", "evidence": {"rule_id": "DKC004", "scanner": "repobility-docker", "service": "mineru-openai-server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d7c8b8cf39d5d4b3ebee622f6764121a4c607f8e746fb22071be37ec5e3eb9e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 76615, "scanner": "repobility-threat-engine", "fingerprint": "b95ae18d5cc905e2be563d26f6b81c0392f2cb12293d25c144aaca96984d7ae0", "category": "quality", "severity": "high", "confidence": 1.0, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b95ae18d5cc905e2be563d26f6b81c0392f2cb12293d25c144aaca96984d7ae0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/hash_utils.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 76610, "scanner": "repobility-threat-engine", "fingerprint": "6f7ea3b2d7ce1043221b83c710de1a02cd00ef508cedd688d122e533440244c4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6f7ea3b2d7ce1043221b83c710de1a02cd00ef508cedd688d122e533440244c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/model_utils.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 76609, 
"scanner": "repobility-threat-engine", "fingerprint": "b71a2ddca8520cd2932bc65b594713f81a29c6c1390f9a9954b5ac6f7868629c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b71a2ddca8520cd2932bc65b594713f81a29c6c1390f9a9954b5ac6f7868629c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/config_reader.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 76608, "scanner": "repobility-threat-engine", "fingerprint": "6f49415d6b59e556a07853c7f2f2e661bf250b7f506da5c95e2dce701663d9fc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6f49415d6b59e556a07853c7f2f2e661bf250b7f506da5c95e2dce701663d9fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/cli_parser.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED036", "level": "error", 
"message": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "properties": {"repobilityId": 76607, "scanner": "repobility-threat-engine", "fingerprint": "2ed0c4e44826856defb41d809f46898540ccd3cb8d0e3a3798d66fce53f21e5d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-os-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347982+00:00", "triaged_in_corpus": 15, "observations_count": 2221, "ai_coder_pattern_id": 117}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2ed0c4e44826856defb41d809f46898540ccd3cb8d0e3a3798d66fce53f21e5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/vlm/lmdeploy_server.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC005", "level": "error", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 76606, "scanner": "repobility-threat-engine", "fingerprint": "635f27067bb77a60e04080a06a963c215626480e38a99314745828c7c9f08c01", "category": "injection", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Command source appears controllable (config/plugin/argv/user input)", "evidence": {"match": "os.system(\"lmdeploy \" +", "reason": "Command source appears controllable (config/plugin/argv/user input)", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|injection|token|90|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/vlm/lmdeploy_server.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: 
requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 76588, "scanner": "repobility-threat-engine", "fingerprint": "e14bcdbeff4e6727963099306f1f7d7b934896cfc3c60448013ceb31199d784d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e14bcdbeff4e6727963099306f1f7d7b934896cfc3c60448013ceb31199d784d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/data/io/http.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 76587, "scanner": "repobility-threat-engine", "fingerprint": "15b62c64f06ed027b309b06373ac887de0f1d3db104d5b6d40c56726ae3f3ff6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|15b62c64f06ed027b309b06373ac887de0f1d3db104d5b6d40c56726ae3f3ff6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/models_download.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `_apply_post_ocr` has cognitive complexity 30 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=1, elif=1, else=1, for=6, if=4, nested_bonus=17."}, "properties": {"repobilityId": 76577, "scanner": "repobility-threat-engine", "fingerprint": "45c9d50c3f1310b7614088b2d214e9204d7b08224b47da60a5c8bfc1a5d1d3d8", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 30 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_apply_post_ocr", "breakdown": {"if": 4, "for": 6, "elif": 1, "else": 1, "continue": 1, "nested_bonus": 17}, "complexity": 30, "correlation_key": "fp|45c9d50c3f1310b7614088b2d214e9204d7b08224b47da60a5c8bfc1a5d1d3d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/backend/hybrid/hybrid_model_output_to_middle_json.py"}, "region": {"startLine": 129}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 76575, "scanner": "repobility-threat-engine", "fingerprint": "da8de03b49dd522e12cb4908758ab4bd200fb1a23065b3243ddec4e81a901d43", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "progress_bar.update(1)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|da8de03b49dd522e12cb4908758ab4bd200fb1a23065b3243ddec4e81a901d43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/backend/vlm/model_output_to_middle_json.py"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 76574, "scanner": "repobility-threat-engine", "fingerprint": "6e63debd03fcee85c227c35346702db024acea620b34bf1094f8ef25b2279c99", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "progress_bar.update(1)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6e63debd03fcee85c227c35346702db024acea620b34bf1094f8ef25b2279c99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/backend/pipeline/model_json_to_middle_json.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 76573, "scanner": "repobility-threat-engine", "fingerprint": "43ae2e1a8b511afd5a6ed9acecc563b8e08556b38c6c9fe81e62914aa34521b7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "progress_bar.update(1)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|43ae2e1a8b511afd5a6ed9acecc563b8e08556b38c6c9fe81e62914aa34521b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/backend/hybrid/hybrid_model_output_to_middle_json.py"}, "region": {"startLine": 225}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 76572, "scanner": "repobility-threat-engine", "fingerprint": "0f0acf0b74f6719496eb1a0b16153a140e420b222247b3463b5076ef03dd26ac", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url (s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0f0acf0b74f6719496eb1a0b16153a140e420b222247b3463b5076ef03dd26ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/data/io/s3.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 76571, "scanner": "repobility-threat-engine", "fingerprint": "a9d384b4ba17a055ace1d17627eb3fa4a98f2b2929799cd8f2b2ecc66865f21a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url (s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a9d384b4ba17a055ace1d17627eb3fa4a98f2b2929799cd8f2b2ecc66865f21a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/data/data_reader_writer/s3.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 76570, "scanner": "repobility-threat-engine", "fingerprint": "fd19000f2ee86b80301cdd2378aa6fa3b0c616d709d7a6506556f60b9719557f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fd19000f2ee86b80301cdd2378aa6fa3b0c616d709d7a6506556f60b9719557f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "demo/demo.py"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `astral-sh/setup-uv` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 76568, "scanner": "repobility-supply-chain", "fingerprint": "0cfaaeef905cb304a149d79f3e04d4eddb74bce441024764988c3f4c4a41af01", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0cfaaeef905cb304a149d79f3e04d4eddb74bce441024764988c3f4c4a41af01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cli.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 76567, "scanner": "repobility-supply-chain", "fingerprint": "4544443f856a3dbb55347b7512bbc2118d0f5b4d3585747284ac341ade5606d8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4544443f856a3dbb55347b7512bbc2118d0f5b4d3585747284ac341ade5606d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cli.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 76566, "scanner": "repobility-supply-chain", "fingerprint": "aa548383673b6c9e25fc8df58fc9950787edc4b2b43824b2baf58f14a9f53d68", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aa548383673b6c9e25fc8df58fc9950787edc4b2b43824b2baf58f14a9f53d68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/python-package.yml"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 76565, "scanner": "repobility-supply-chain", "fingerprint": "37ab1cf2740d18dfa39c8a5f54069266665d2b771403e176179ce9709de2a183", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|37ab1cf2740d18dfa39c8a5f54069266665d2b771403e176179ce9709de2a183"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/python-package.yml"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 76564, "scanner": "repobility-supply-chain", "fingerprint": "8244d3bde0d7c9fb928bb5ff6f10489e25e119191274ec64135002be2a26adc7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8244d3bde0d7c9fb928bb5ff6f10489e25e119191274ec64135002be2a26adc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/python-package.yml"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 76563, "scanner": "repobility-supply-chain", "fingerprint": "fe0328ac11755d372680315a9c49139e7c774e0465a04c4002a6e413f3656b23", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fe0328ac11755d372680315a9c49139e7c774e0465a04c4002a6e413f3656b23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/python-package.yml"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` 
pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 76562, "scanner": "repobility-supply-chain", "fingerprint": "ea9b1475390c390406876f66791e0f3f435706809ab6b8bae3e3f38b6da5602f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ea9b1475390c390406876f66791e0f3f435706809ab6b8bae3e3f38b6da5602f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/python-package.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 76561, "scanner": "repobility-supply-chain", "fingerprint": "08ef6b09fcf742b8a8e663313628839dbc77e3463d7ec487b28a8e3f18739140", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|08ef6b09fcf742b8a8e663313628839dbc77e3463d7ec487b28a8e3f18739140"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/python-package.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 76560, "scanner": "repobility-supply-chain", "fingerprint": "22f7ee290e9c309a7bacf82e14acecc4d9ef776f854a32bb62fb4275787bec16", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": 
false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|22f7ee290e9c309a7bacf82e14acecc4d9ef776f854a32bb62fb4275787bec16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/python-package.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 76559, "scanner": "repobility-supply-chain", "fingerprint": "42a232095ff0aa524175af15ddfdb9d9bd30f06ef4b980efcd44fc6f487edae2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|42a232095ff0aa524175af15ddfdb9d9bd30f06ef4b980efcd44fc6f487edae2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/python-package.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `contributor-assistant/github-action` pinned to mutable ref `@v2.6.1`"}, "properties": {"repobilityId": 76558, "scanner": "repobility-supply-chain", "fingerprint": "12c2ef25c107a51976be3dc619623a8aa5772cbb95164d4b07e5dd63c7726bcc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|12c2ef25c107a51976be3dc619623a8aa5772cbb95164d4b07e5dd63c7726bcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cla.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `mhausenblas/mkdocs-deploy-gh-pages` pinned to mutable ref `@master`"}, "properties": {"repobilityId": 76557, "scanner": "repobility-supply-chain", "fingerprint": "425fb89009319427ea0450ab709f3e6f5ea28f3023bee775f3399f4d50d61d44", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|425fb89009319427ea0450ab709f3e6f5ea28f3023bee775f3399f4d50d61d44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/mkdocs.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 76556, "scanner": "repobility-supply-chain", "fingerprint": "e552f7e347d4ea76207bd7d0ff4c74ff0d1dd588d8ff6cc8641e48e2505488ec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e552f7e347d4ea76207bd7d0ff4c74ff0d1dd588d8ff6cc8641e48e2505488ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/mkdocs.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM 
`cr.metax-tech.com/public-ai-release/maca/vllm:maca.ai3.1.0.7-torch2.6-py310-ubuntu22.04-amd64` not pinned by digest"}, "properties": {"repobilityId": 76555, "scanner": "repobility-supply-chain", "fingerprint": "f9f7e546e943b85e8361653c3631d511bea146cc11aebe7b574e5fc15b51e65d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f9f7e546e943b85e8361653c3631d511bea146cc11aebe7b574e5fc15b51e65d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/china/maca.Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `registry.mthreads.com/mcconline/vllm-musa-qy2-py310:v0.8.4-release` not pinned by digest"}, "properties": {"repobilityId": 76554, "scanner": "repobility-supply-chain", "fingerprint": "0116768b586e3fc34740e17203755f6ced229725ecaa864f024bae5af171b093", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0116768b586e3fc34740e17203755f6ced229725ecaa864f024bae5af171b093"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/china/musa.Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `harbor.sourcefind.cn:5443` not pinned by digest"}, "properties": {"repobilityId": 76553, "scanner": "repobility-supply-chain", "fingerprint": 
"a679c29607e14802223d50e2706998a6180a7c0b78f08e201e2f6437d1c73c93", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a679c29607e14802223d50e2706998a6180a7c0b78f08e201e2f6437d1c73c93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/china/dcu.Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `docker.m.daocloud.io/vllm/vllm-openai:v0.21.0` not pinned by digest"}, "properties": {"repobilityId": 76552, "scanner": "repobility-supply-chain", "fingerprint": "85e6ed9fb222c3813f4a00d11e0e1d6515ab358d667928991d6dbc4d035c17d0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|85e6ed9fb222c3813f4a00d11e0e1d6515ab358d667928991d6dbc4d035c17d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/china/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `docker.1ms.run/wjie520/vllm_kunlun:v0.10.1.1rc1` not pinned by digest"}, "properties": {"repobilityId": 76551, "scanner": "repobility-supply-chain", "fingerprint": "283d61b7814134b67b6284395f6f76cc4812f4f34843b4310e5c7a14b68eed72", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": 
{"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|283d61b7814134b67b6284395f6f76cc4812f4f34843b4310e5c7a14b68eed72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/china/kxpu.Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `quay.m.daocloud.io/ascend/vllm-ascend:v0.11.0` not pinned by digest"}, "properties": {"repobilityId": 76550, "scanner": "repobility-supply-chain", "fingerprint": "600456652bb5b1be4e0e4e8cf8163f025d9d7afbf31c1dce0749a70db1ce8246", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|600456652bb5b1be4e0e4e8cf8163f025d9d7afbf31c1dce0749a70db1ce8246"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/china/npu.Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `crpi-vofi3w62lkohhxsp.cn-shanghai.personal.cr.aliyuncs.com/opendatalab-mineru/gcu:docker_images_topsrider_i3x_3.6.20260106_vllm0.11_pytorch2.8.0` not pinned by digest"}, "properties": {"repobilityId": 76549, "scanner": "repobility-supply-chain", "fingerprint": "7474df6f9ca37afbce2a282f5889c2b015e5e59593828707396b42c2dc499e9f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": 
"repobility-supply-chain", "correlation_key": "fp|7474df6f9ca37afbce2a282f5889c2b015e5e59593828707396b42c2dc499e9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/china/gcu.Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `crpi-vofi3w62lkohhxsp.cn-shanghai.personal.cr.aliyuncs.com/opendatalab-mineru/corex:4.4.0_torch2.7.1_vllm0.11.2_py3.10` not pinned by digest"}, "properties": {"repobilityId": 76548, "scanner": "repobility-supply-chain", "fingerprint": "35f37023295056d380d7991ba9685a26e409b2f250e55573a9d7ba6c7713219d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|35f37023295056d380d7991ba9685a26e409b2f250e55573a9d7ba6c7713219d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/china/corex.Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `crpi-vofi3w62lkohhxsp.cn-shanghai.personal.cr.aliyuncs.com/opendatalab-mineru/ppu:ppu-pytorch2.6.0-ubuntu24.04-cuda12.6-vllm0.8.5-py312` not pinned by digest"}, "properties": {"repobilityId": 76547, "scanner": "repobility-supply-chain", "fingerprint": "25d166ea04a2228dcd5cf0065158e7a0daf20796492ee6dc49598085fc48209e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|25d166ea04a2228dcd5cf0065158e7a0daf20796492ee6dc49598085fc48209e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/china/ppu.Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `crpi-4crprmm5baj1v8iv.cn-hangzhou.personal.cr.aliyuncs.com/lmdeploy_dlinfer/camb:mineru25` not pinned by digest"}, "properties": {"repobilityId": 76546, "scanner": "repobility-supply-chain", "fingerprint": "bca2dfe1914627b77668d0df3960cd564523d62f92b74348293f7ec32465efad", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bca2dfe1914627b77668d0df3960cd564523d62f92b74348293f7ec32465efad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/china/mlu.Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `vllm/vllm-openai:v0.21.0` not pinned by digest"}, "properties": {"repobilityId": 76545, "scanner": "repobility-supply-chain", "fingerprint": "d9efeb887f4ea34d00ad3ba171b5c86d25f1018c064b812974ebb61a4383c502", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d9efeb887f4ea34d00ad3ba171b5c86d25f1018c064b812974ebb61a4383c502"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/global/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED112", 
"level": "error", "message": {"text": "FastAPI POST (unknown path) has no auth"}, "properties": {"repobilityId": 76540, "scanner": "repobility-route-auth", "fingerprint": "250ad52f74401a674a0bd4eb50a813366f8ab8fdb1d7c50687e25f4ffcffb129", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|250ad52f74401a674a0bd4eb50a813366f8ab8fdb1d7c50687e25f4ffcffb129"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/fast_api.py"}, "region": {"startLine": 1281}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST (unknown path) has no auth"}, "properties": {"repobilityId": 76539, "scanner": "repobility-route-auth", "fingerprint": "0d56d7ee92b5be5e668e258efc7a92efcbe95ceca61d0e2d7b61ba5ae7c32a82", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|0d56d7ee92b5be5e668e258efc7a92efcbe95ceca61d0e2d7b61ba5ae7c32a82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/fast_api.py"}, "region": {"startLine": 1233}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST (unknown path) has no auth"}, "properties": {"repobilityId": 76538, "scanner": "repobility-route-auth", "fingerprint": "0fe93b5f9b2078c3859474aebfc110ee53357549fda4a7a8c139d439c8716076", "category": "quality", "severity": "high", 
"confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|0fe93b5f9b2078c3859474aebfc110ee53357549fda4a7a8c139d439c8716076"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/router.py"}, "region": {"startLine": 1529}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST (unknown path) has no auth"}, "properties": {"repobilityId": 76537, "scanner": "repobility-route-auth", "fingerprint": "357574347c1ca7cbc7f77329f693e81d38b9207329098d2a0d387c760a066ce5", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|357574347c1ca7cbc7f77329f693e81d38b9207329098d2a0d387c760a066ce5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/router.py"}, "region": {"startLine": 1468}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.servers` used but never assigned in __init__"}, "properties": {"repobilityId": 76508, "scanner": "repobility-ast-engine", "fingerprint": "637c14b5499972bda7d535ec56fda2d9aef119d0489f284e936fad88be0acd16", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": 
"repobility-ast-engine", "correlation_key": "fp|637c14b5499972bda7d535ec56fda2d9aef119d0489f284e936fad88be0acd16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/router.py"}, "region": {"startLine": 629}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._start_local_server` used but never assigned in __init__"}, "properties": {"repobilityId": 76507, "scanner": "repobility-ast-engine", "fingerprint": "80c8406116d54edb11391c889f2ffda3c6feadb818a7e0e4fe17697bed1f94c0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|80c8406116d54edb11391c889f2ffda3c6feadb818a7e0e4fe17697bed1f94c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/router.py"}, "region": {"startLine": 602}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._monitor_loop` used but never assigned in __init__"}, "properties": {"repobilityId": 76506, "scanner": "repobility-ast-engine", "fingerprint": "586ed08af605620f310f7b9b4f606e1201fe12132d14fdf20e3da2236dbdd7bb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|586ed08af605620f310f7b9b4f606e1201fe12132d14fdf20e3da2236dbdd7bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/router.py"}, "region": {"startLine": 609}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.refresh_all` used but never 
assigned in __init__"}, "properties": {"repobilityId": 76505, "scanner": "repobility-ast-engine", "fingerprint": "28430e48f6b929812407cce483670aafceabb6cb30c1231f867c037d7e64d921", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|28430e48f6b929812407cce483670aafceabb6cb30c1231f867c037d7e64d921"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/router.py"}, "region": {"startLine": 607}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.servers` used but never assigned in __init__"}, "properties": {"repobilityId": 76504, "scanner": "repobility-ast-engine", "fingerprint": "e7195915d990175f835d86d28156dce48c54aafb6ca2a4d15be967d1ef169e73", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e7195915d990175f835d86d28156dce48c54aafb6ca2a4d15be967d1ef169e73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/router.py"}, "region": {"startLine": 597}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.start` used but never assigned in __init__"}, "properties": {"repobilityId": 76503, "scanner": "repobility-ast-engine", "fingerprint": "2f6d7ddf652395d5153b36313d31ae3c47af39d9e61f4f48f7447d9dc8ff2f78", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": 
{"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2f6d7ddf652395d5153b36313d31ae3c47af39d9e61f4f48f7447d9dc8ff2f78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/router.py"}, "region": {"startLine": 479}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.stop` used but never assigned in __init__"}, "properties": {"repobilityId": 76502, "scanner": "repobility-ast-engine", "fingerprint": "015ca3c719978dc3118d80a59a8cd22744b37522c20214fec7b497a227bdca70", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|015ca3c719978dc3118d80a59a8cd22744b37522c20214fec7b497a227bdca70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/router.py"}, "region": {"startLine": 478}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.stop` used but never assigned in __init__"}, "properties": {"repobilityId": 76501, "scanner": "repobility-ast-engine", "fingerprint": "67fdbdfc0c32a9981ffbf0f679e2bfa0f394e2b604c2b20d13adc4a2328c2fac", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|67fdbdfc0c32a9981ffbf0f679e2bfa0f394e2b604c2b20d13adc4a2328c2fac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/router.py"}, "region": 
{"startLine": 449}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.wait_until_ready` used but never assigned in __init__"}, "properties": {"repobilityId": 76500, "scanner": "repobility-ast-engine", "fingerprint": "d5a4269c1f3390e86e50c1c7754a38ce9f14b5be25da7307b38ad91b5fe1ded1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d5a4269c1f3390e86e50c1c7754a38ce9f14b5be25da7307b38ad91b5fe1ded1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/router.py"}, "region": {"startLine": 447}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.is_running` used but never assigned in __init__"}, "properties": {"repobilityId": 76499, "scanner": "repobility-ast-engine", "fingerprint": "58bf550d1300b28ecffd4dd688c546c773419f5665d937729f2437271fcf5bb9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|58bf550d1300b28ecffd4dd688c546c773419f5665d937729f2437271fcf5bb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/router.py"}, "region": {"startLine": 408}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._build_render_line_locked` used but never assigned in __init__"}, "properties": {"repobilityId": 76497, "scanner": "repobility-ast-engine", "fingerprint": "b2d72471676d092c35ead6a72cfec6a2d968f60ec9b49eafbabcbd7885f491ae", "category": "quality", 
"severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b2d72471676d092c35ead6a72cfec6a2d968f60ec9b49eafbabcbd7885f491ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/client.py"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._build_render_lines_locked` used but never assigned in __init__"}, "properties": {"repobilityId": 76496, "scanner": "repobility-ast-engine", "fingerprint": "3fdd4bd72ca0e8cb5fab7d469d776df0982ce4c851cff7e6e89e70b488836e6e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3fdd4bd72ca0e8cb5fab7d469d776df0982ce4c851cff7e6e89e70b488836e6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/client.py"}, "region": {"startLine": 210}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.clear_locked` used but never assigned in __init__"}, "properties": {"repobilityId": 76495, "scanner": "repobility-ast-engine", "fingerprint": "f802ac1c73002fb24dc0c32ef5d2264f0b2468513ab525b5384f35431dc7e4c7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", 
"correlation_key": "fp|f802ac1c73002fb24dc0c32ef5d2264f0b2468513ab525b5384f35431dc7e4c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/client.py"}, "region": {"startLine": 209}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.clear_locked` used but never assigned in __init__"}, "properties": {"repobilityId": 76494, "scanner": "repobility-ast-engine", "fingerprint": "374eb66679ad2a85e271644255877f33cca40037ae510a09d21b6f2159810cea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|374eb66679ad2a85e271644255877f33cca40037ae510a09d21b6f2159810cea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/client.py"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.render_locked` used but never assigned in __init__"}, "properties": {"repobilityId": 76493, "scanner": "repobility-ast-engine", "fingerprint": "a58c560be21a413ec1d02bc2a2442a8f1800536fadecae988ba186eab550a22b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a58c560be21a413ec1d02bc2a2442a8f1800536fadecae988ba186eab550a22b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/client.py"}, "region": {"startLine": 187}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.render_locked` used but never assigned in __init__"}, 
"properties": {"repobilityId": 76492, "scanner": "repobility-ast-engine", "fingerprint": "3290e605db03c44075534fe7d5808605a861a1b353bb6127d01162561dd2c931", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3290e605db03c44075534fe7d5808605a861a1b353bb6127d01162561dd2c931"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/client.py"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.render_locked` used but never assigned in __init__"}, "properties": {"repobilityId": 76491, "scanner": "repobility-ast-engine", "fingerprint": "146334e38fa1c93d20d3c78e9bd32d45170d68577163d270fc2c501b839605db", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|146334e38fa1c93d20d3c78e9bd32d45170d68577163d270fc2c501b839605db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/client.py"}, "region": {"startLine": 157}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.flush` used but never assigned in __init__"}, "properties": {"repobilityId": 76490, "scanner": "repobility-ast-engine", "fingerprint": "4cebbe3ac7016fb0d9e30fece805394b2e05a666049fa5e5cb7cd5c26847b1bb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4cebbe3ac7016fb0d9e30fece805394b2e05a666049fa5e5cb7cd5c26847b1bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/client.py"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.stop` used but never assigned in __init__"}, "properties": {"repobilityId": 76486, "scanner": "repobility-ast-engine", "fingerprint": "56db330d3c8a5195a8d164dbe11122723035885042630223bdc9e2f5607fde65", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|56db330d3c8a5195a8d164dbe11122723035885042630223bdc9e2f5607fde65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/api_client.py"}, "region": {"startLine": 570}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._cleanup_temp_dir` used but never assigned in __init__"}, "properties": {"repobilityId": 76485, "scanner": "repobility-ast-engine", "fingerprint": "e42ff9e86707b5dafd8f025afe5b094def8aec924b52e17954a6c68474134d01", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e42ff9e86707b5dafd8f025afe5b094def8aec924b52e17954a6c68474134d01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/api_client.py"}, 
"region": {"startLine": 574}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.stop` used but never assigned in __init__"}, "properties": {"repobilityId": 76484, "scanner": "repobility-ast-engine", "fingerprint": "c113d02be8185a0eee45696c2d03c262a0230c3a47a3128be62849413dd21abd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c113d02be8185a0eee45696c2d03c262a0230c3a47a3128be62849413dd21abd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/api_client.py"}, "region": {"startLine": 544}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._candidate_indices_for_block` used but never assigned in __init__"}, "properties": {"repobilityId": 76483, "scanner": "repobility-ast-engine", "fingerprint": "67f7f1ff445dd370e73db0ab4d26c27d1a0933ea363f5f4ea3c17f54e839a34c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|67f7f1ff445dd370e73db0ab4d26c27d1a0933ea363f5f4ea3c17f54e839a34c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/span_pre_proc.py"}, "region": {"startLine": 220}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._default_overlap_ratio` used but never assigned in __init__"}, "properties": {"repobilityId": 76482, "scanner": "repobility-ast-engine", "fingerprint": "9f4f17c6d19be66e41f087e2b97bd3726354c32eed4ae28db5ce2dd28f8b86f7", 
"category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9f4f17c6d19be66e41f087e2b97bd3726354c32eed4ae28db5ce2dd28f8b86f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/span_pre_proc.py"}, "region": {"startLine": 217}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._cell_range` used but never assigned in __init__"}, "properties": {"repobilityId": 76481, "scanner": "repobility-ast-engine", "fingerprint": "0799c0e5ec62b840e866b2257868f08667bb636db4fa7327d58b6988583e58f5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0799c0e5ec62b840e866b2257868f08667bb636db4fa7327d58b6988583e58f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/span_pre_proc.py"}, "region": {"startLine": 208}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._cell_range` used but never assigned in __init__"}, "properties": {"repobilityId": 76480, "scanner": "repobility-ast-engine", "fingerprint": "8b06d88d3387420b9bad526f55480672222dfd1b909faa335167e6e1b6387782", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": 
"repobility-ast-engine", "correlation_key": "fp|8b06d88d3387420b9bad526f55480672222dfd1b909faa335167e6e1b6387782"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/utils/span_pre_proc.py"}, "region": {"startLine": 194}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_pipeline_with_two_config"}, "properties": {"repobilityId": 76470, "scanner": "repobility-ast-engine", "fingerprint": "3ebfc91d2f273fe7e9c29bcc592891bcb77db2d51663334ab5c6bcc83c497199", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3ebfc91d2f273fe7e9c29bcc592891bcb77db2d51663334ab5c6bcc83c497199"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unittest/test_e2e.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 76603, "scanner": "repobility-threat-engine", "fingerprint": "ef836952a061d3d8e1665cdcbba3d865ae7ab76cef91f47a591644769bec4cd8", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|ef836952a061d3d8e1665cdcbba3d865ae7ab76cef91f47a591644769bec4cd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/mfr/pp_formulanet_plus_m/predict_formula.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 76602, "scanner": "repobility-threat-engine", "fingerprint": "b9761c243af29e9546a236d5052d197ef751e627509b8cccd371bebe476de3ba", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|60|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/mfr/pp_formulanet_plus_m/predict_formula.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). 
Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 76601, "scanner": "repobility-threat-engine", "fingerprint": "5aef0102940e7d39d88b699ec219599f26dd1e348bc08f726c41d7881fd6d250", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(yaml_file, Loader=yaml.FullLoader)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5aef0102940e7d39d88b699ec219599f26dd1e348bc08f726c41d7881fd6d250"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/mfr/pp_formulanet_plus_m/predict_formula.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `html` used but not imported"}, "properties": {"repobilityId": 76536, "scanner": "repobility-ast-engine", "fingerprint": "d12e587d764b5d2aa41a24fcab6eeb6c70a64b45f9b566fed20e42a2fce2b128", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d12e587d764b5d2aa41a24fcab6eeb6c70a64b45f9b566fed20e42a2fce2b128"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/backend/office/mkcontent/output_builders.py"}, "region": {"startLine": 607}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `queue` used but not imported"}, "properties": {"repobilityId": 76520, "scanner": "repobility-ast-engine", "fingerprint": 
"e3daed1b8a9955ea74d746079afb6934f62a021ed60918cae3df552d503a473b", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e3daed1b8a9955ea74d746079afb6934f62a021ed60918cae3df552d503a473b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/model/xlsx/xlsx_converter.py"}, "region": {"startLine": 1259}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `queue` used but not imported"}, "properties": {"repobilityId": 76489, "scanner": "repobility-ast-engine", "fingerprint": "86cea1324ad498c17f0bbd0f8707517f387e3c889f9a3d65328a03ccafa823e3", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|86cea1324ad498c17f0bbd0f8707517f387e3c889f9a3d65328a03ccafa823e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mineru/cli/client.py"}, "region": {"startLine": 767}}}]}]}]}