{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /un"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /monitor.php."}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 8.5% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 8.5% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `website` image has no explicit tag", "shortDescription": {"text": "Compose service `website` image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC105", "name": "[SEC105] Cookie missing HttpOnly/Secure flag: Session cookie missing HttpOnly (allows JS reads), Secure (transmitted ove", "shortDescription": {"text": "[SEC105] Cookie missing HttpOnly/Secure flag: Session cookie missing HttpOnly (allows JS reads), Secure (transmitted over plain HTTP), or SameSite (CSRF). Each on its own is a finding."}, "fullDescription": {"text": "Always set HttpOnly=true, Secure=true (in production), SameSite=Lax or Strict. For Express: `res.cookie(name, val, { httpOnly: true, secure: true, sameSite: 'lax' })`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "Add regression tests for anonymous denial, cross-user object denial, admin role limits, and super_admin-only behavior."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Use `pip install --no-cache-dir ...` in container builds."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED098] Global Scope Pollution (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 46 more): Same pattern found in 46 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 46 more): Same pattern found in 46 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED048", "name": "[MINED048] Php Error Suppress (and 24 more): Same pattern found in 24 additional files. Review if needed.", "shortDescription": {"text": "[MINED048] Php Error Suppress (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `cdash-root-intermediate (no tag)` not pinned by digest: `FROM cdash-root-intermediate (no ta", "shortDescription": {"text": "[MINED118] Dockerfile FROM `cdash-root-intermediate (no tag)` not pinned by digest: `FROM cdash-root-intermediate (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is poten"}, "fullDescription": {"text": "Replace with: `FROM cdash-root-intermediate (no tag)@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /builds/{build_id}/files."}, "fullDescription": {"text": "Add ownership, tenant, relationship, or policy checks before reading or mutating the target object."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC039", "name": "[SEC039] Plaintext-equivalent password hash \u2014 unsalted single-pass digest: Single-pass digest of a password is cryptogra", "shortDescription": {"text": "[SEC039] Plaintext-equivalent password hash \u2014 unsalted single-pass digest: Single-pass digest of a password is cryptographically strong as a hash, but is rainbow-table-attackable when used for passwords: there's no salt and no key-stretchin"}, "fullDescription": {"text": "Use a purpose-built password hash:\n  - Python: passlib.hash.argon2.hash(password)\n  - Python: bcrypt.hashpw(password.encode(), bcrypt.gensalt())\n  - Python: hashlib.pbkdf2_hmac('sha256', password, salt, 600000)\n  - PHP: password_hash($password, PASSWORD_ARGON2ID)\n  - Node.js: argon2.hash(password) or bcrypt.hash(password, 12)\nWhen rotating, accept both old + new for one session each, then re-hash on next login."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1172"}, "properties": {"repository": "Kitware/CDash", "repoUrl": "https://github.com/Kitware/CDash", "branch": "master"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 117644, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 117643, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /unclaimSite."}, "properties": {"repobilityId": 117637, "scanner": "repobility-access-control", "fingerprint": "d2d401af75e849f46a21483b7b4cfb418669a8a2efbfa15aad776a900b54fd55", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/unclaimSite", "method": "ANY", "scanner": "repobility-access-control", "framework": "GraphQL", "correlation_key": "code|auth|graphql/schema.graphql|100|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "graphql/schema.graphql"}, "region": {"startLine": 100}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /v1/testOverview.php."}, "properties": {"repobilityId": 117636, "scanner": "repobility-access-control", "fingerprint": "792c65fd7be71a1108413e2e4864f81bb794d02a56341cfb1b38fa97172cef3c", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/testOverview.php", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/api.php|44|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/api.php"}, "region": {"startLine": 44}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /v1/timeline.php."}, "properties": {"repobilityId": 117635, "scanner": "repobility-access-control", "fingerprint": "38d8e3be8c0f1edc00cb793ba192510c04f46974965a8ac1ce2705d50f4d69b3", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/timeline.php", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/api.php|42|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/api.php"}, "region": {"startLine": 42}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /v1/overview.php."}, "properties": {"repobilityId": 117634, "scanner": "repobility-access-control", "fingerprint": "619c14530bfa8390bc4228ba9e3f952c5ab262949eeb084097a0b2c20cd978c9", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/overview.php", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/api.php|40|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/api.php"}, "region": {"startLine": 40}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /v1/getSubProjectDependencies.php."}, "properties": {"repobilityId": 117633, "scanner": "repobility-access-control", "fingerprint": "f9fc54e2411289484e4b0c54dc32d4116d083d4cfb29d38bc1d6c9617a600fe8", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/getSubProjectDependencies.php", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/api.php|26|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/api.php"}, "region": {"startLine": 26}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /v1/viewSubProjects.php."}, "properties": {"repobilityId": 117632, "scanner": "repobility-access-control", "fingerprint": "f4bd2651c2d966e0a65398f60c881b0d72c0d234380ca97e2951b7b1d1dce7a2", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/viewSubProjects.php", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/api.php|24|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/api.php"}, "region": {"startLine": 24}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /v1/filterdata.php."}, "properties": {"repobilityId": 117631, "scanner": "repobility-access-control", "fingerprint": "774a5c8344a96bfcf255713388017795cceb7deae0608b1856890a6c9ca62b53", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/filterdata.php", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/api.php|22|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/api.php"}, "region": {"startLine": 22}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /v1/testDetails.php."}, "properties": {"repobilityId": 117630, "scanner": "repobility-access-control", "fingerprint": "bfc739c5b07da7e638d65b708f56610e91b3a1b5da77a7f375f7fe3b83b4a855", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/v1/testDetails.php", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/api.php|18|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/api.php"}, "region": {"startLine": 18}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /subscribeProject.php."}, "properties": {"repobilityId": 117629, "scanner": "repobility-access-control", "fingerprint": "dcfd938dde27d86250412b4ec8fb99f35a6256106395af7b6a9a90e1001619b7", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/subscribeProject.php", "method": "POST", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|303|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 303}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /subscribeProject.php."}, "properties": {"repobilityId": 117628, "scanner": "repobility-access-control", "fingerprint": "22a9295ce1afd9c22c1ba9f123864522bed0a6f466d854195c952f2bda011cd2", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/subscribeProject.php", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|302|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 302}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /monitor.php."}, "properties": {"repobilityId": 117627, "scanner": "repobility-access-control", "fingerprint": "ee748619d865105c8cbd3fbbecab77a6ebe342f005a6fc70963e04850f78394f", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/monitor.php", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|323|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 323}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /monitor."}, "properties": {"repobilityId": 117626, "scanner": "repobility-access-control", "fingerprint": "4184b0ba7dc7e96c1efdbca694ac6711249e6176a399ad40562a99e27e6d4326", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/monitor", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|322|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 322}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /authtokens/manage."}, "properties": {"repobilityId": 117625, "scanner": "repobility-access-control", "fingerprint": "598079df5bb31c0203d327940a0534013b8ace9947c94a5d1c5d4e78205b72e5", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/authtokens/manage", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|320|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 320}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /administration."}, "properties": {"repobilityId": 117624, "scanner": "repobility-access-control", "fingerprint": "19219a988eb40e1214e945e373d9e49e82a35d420fa99ac7408dac5fa315b461", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/administration", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|318|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 318}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /projects/{projectId}/invitations/{invitationId}."}, "properties": {"repobilityId": 117623, "scanner": "repobility-access-control", "fingerprint": "91f56aabcd91e9ffb228222b497bc80c7d912638f09f88a6b0633bf6d98f801b", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/projects/{projectId}/invitations/{invitationId}", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|313|auc004", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 313}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /manageProjectRoles.php."}, "properties": {"repobilityId": 117622, "scanner": "repobility-access-control", "fingerprint": "71a8039f3d71dd1007e7bcd217349cc03e4832a8d6837f2dc817591d76bd431b", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/manageProjectRoles.php", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|305|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 305}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /manageBuildGroup.php."}, "properties": {"repobilityId": 117621, "scanner": "repobility-access-control", "fingerprint": "b274acc1dfc9af2f6254a0d077869a6faeb14b7a9d247514381801ffdb0fcbec", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/manageBuildGroup.php", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|279|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 279}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /manageSubProject.php."}, "properties": {"repobilityId": 117620, "scanner": "repobility-access-control", "fingerprint": "8db8af5dc91a25ff34a8f142ca60be7b141952930742cd11eb64d8c1cf86938d", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/manageSubProject.php", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|264|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 264}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /manageOverview.php."}, "properties": {"repobilityId": 117619, "scanner": "repobility-access-control", "fingerprint": "b82441ff97d93997fa66428efa88aa264ded27f719663c7ff5a9b5d182c97fdc", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/manageOverview.php", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|230|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 230}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /projects/{project_id}/settings."}, "properties": {"repobilityId": 117618, "scanner": "repobility-access-control", "fingerprint": "65c24ee07a5be8dc7e13afbd9037b8a5fd4bf4ce1ae55132177b4e7c77a05a4e", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/projects/{project_id}/settings", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|185|auc004", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 185}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 8.5% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 117607, "scanner": "repobility-access-control", "fingerprint": "35e70a015f7d8f8ce13eab43096d75c47a74e3c22558046bb15ae62482d42787", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 577, "correlation_key": "fp|35e70a015f7d8f8ce13eab43096d75c47a74e3c22558046bb15ae62482d42787", "auth_visible_percent": 8.5}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 117606, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Laravel", "GraphQL"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `website` image has no explicit tag"}, "properties": {"repobilityId": 117603, "scanner": "repobility-docker", "fingerprint": "936272c0be25b5cae24a89aeb00950c7a76756f9c8d826b3434150ef94b3ec80", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "kitware/cdash", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|936272c0be25b5cae24a89aeb00950c7a76756f9c8d826b3434150ef94b3ec80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 117601, "scanner": "repobility-docker", "fingerprint": "8ad5e5f6d845b567280f060258b7bfc8fd7d183726631bb52fd7eed75b4064d6", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "cdash-${BASE_IMAGE}-non-root-intermediate", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8ad5e5f6d845b567280f060258b7bfc8fd7d183726631bb52fd7eed75b4064d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 255}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 117598, "scanner": "repobility-docker", "fingerprint": "30598fce62d17dbe0d6fda008f5946c5235e3180db3c6269948a242538373497", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|30598fce62d17dbe0d6fda008f5946c5235e3180db3c6269948a242538373497", "missing_patterns": [".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 210}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 117596, "scanner": "repobility-docker", "fingerprint": "8264c4b5cffbedb819eda704de40ed56cc45ce8f022464fc603c9917a96d00ec", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "registry.access.redhat.com/ubi9/php-83", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8264c4b5cffbedb819eda704de40ed56cc45ce8f022464fc603c9917a96d00ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 136}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 117595, "scanner": "repobility-docker", "fingerprint": "6917bc3dfa988405a218403f1be648d6fd328d46c5945d623be7288c7d0e47c5", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|6917bc3dfa988405a218403f1be648d6fd328d46c5945d623be7288c7d0e47c5", "missing_patterns": [".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 117556, "scanner": "repobility-threat-engine", "fingerprint": "5a77a63493fba102999fda3a3d78e494c1c9c576f75e93818b35df6115051218", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a class=\"footer-link\" href=\"https://github.com/Kitware/CDash/issues\" target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|18|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/views/components/footer.blade.php"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 117555, "scanner": "repobility-threat-engine", "fingerprint": "8877149484e0d551d74f10a7d3055d9561ecb8359d39f516b2459c8d06c2736e", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(url, '_blank')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|41|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/js/angular/controllers/overview.js"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 117549, "scanner": "repobility-threat-engine", "fingerprint": "1a6cb0d490ef23760bd5e656418852ca1c2cb76eaa55a0291404ffb1907f3002", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|30|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/js/angular/controllers/head.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC105", "level": "warning", "message": {"text": "[SEC105] Cookie missing HttpOnly/Secure flag: Session cookie missing HttpOnly (allows JS reads), Secure (transmitted over plain HTTP), or SameSite (CSRF). Each on its own is a finding."}, "properties": {"repobilityId": 117547, "scanner": "repobility-threat-engine", "fingerprint": "08c7a46bed811d747bc4b6c9cc93e3f8d29c85bc8f19afdf5d16e158fe71c69e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'secure' => false", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC105", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|08c7a46bed811d747bc4b6c9cc93e3f8d29c85bc8f19afdf5d16e158fe71c69e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/session.php"}, "region": {"startLine": 168}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 117645, "scanner": "repobility-web-presence", "fingerprint": "12d1aab6ee1a443feb14574bf5d0fbdb1f0693f388e4ba974e05b2dfd78786e8", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|12d1aab6ee1a443feb14574bf5d0fbdb1f0693f388e4ba974e05b2dfd78786e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 117642, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 117641, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 117640, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 117638, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Laravel", "GraphQL"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 117605, "scanner": "repobility-docker", "fingerprint": "3cedb5f77b1d9ad0ba9139aadf7702c282bfa42cdf66c8005ac7bbcd6419d14c", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "website", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3cedb5f77b1d9ad0ba9139aadf7702c282bfa42cdf66c8005ac7bbcd6419d14c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 117604, "scanner": "repobility-docker", "fingerprint": "e86f45540692e02b5194fb3c843ecc2d189ec6fb2b605fbc7f3f413c2807ae66", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "website", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e86f45540692e02b5194fb3c843ecc2d189ec6fb2b605fbc7f3f413c2807ae66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 117602, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 117597, "scanner": "repobility-docker", "fingerprint": "3bb328373000cb67ae3880a30f7dc494316b79cf9918f0d9a853b6ac601460d8", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|3bb328373000cb67ae3880a30f7dc494316b79cf9918f0d9a853b6ac601460d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 176}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 117594, "scanner": "repobility-docker", "fingerprint": "6b368c52185ba188af73f8b8de7b3c869d4debc0109944aa30fec286722536af", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6b368c52185ba188af73f8b8de7b3c869d4debc0109944aa30fec286722536af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 65}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 117593, "scanner": "repobility-docker", "fingerprint": "f7e730b9f4582ff7fca68acc823359341664883ac891d65b8107cd75da0102a0", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|f7e730b9f4582ff7fca68acc823359341664883ac891d65b8107cd75da0102a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 65}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 117592, "scanner": "repobility-docker", "fingerprint": "41648d29edabc5b07fde0271b28f5368e597df4ab1a2f303739c95bc9f06265b", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|41648d29edabc5b07fde0271b28f5368e597df4ab1a2f303739c95bc9f06265b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 117591, "scanner": "repobility-docker", "fingerprint": "962b10d6062c8fb6b77dc2f0d527baafc10c343fa1a2b4e8dff00e0e6491af6e", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|962b10d6062c8fb6b77dc2f0d527baafc10c343fa1a2b4e8dff00e0e6491af6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117590, "scanner": "repobility-ai-code-hygiene", "fingerprint": "66a601ed8c0f29ef98d8cac94bdfc2cd25e52a81c7b3f2b6b3ea61cac45f0806", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/AbstractXmlHandler.php", "duplicate_line": 1, "correlation_key": "fp|66a601ed8c0f29ef98d8cac94bdfc2cd25e52a81c7b3f2b6b3ea61cac45f0806"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/ProjectHandler.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117589, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2508f3283159564304b5f9df5f4acf30c4f4d93e934ecbf0c6ce095b33691c2b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/JSCoverTarHandler.php", "duplicate_line": 3, "correlation_key": "fp|2508f3283159564304b5f9df5f4acf30c4f4d93e934ecbf0c6ce095b33691c2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/OpenCoverTarHandler.php"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117588, "scanner": "repobility-ai-code-hygiene", "fingerprint": "31eb436bcafd227f26d676a37e437dc7c2895aeb9e49997e724275c5e76ae59a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/AbstractXmlHandler.php", "duplicate_line": 1, "correlation_key": "fp|31eb436bcafd227f26d676a37e437dc7c2895aeb9e49997e724275c5e76ae59a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/OpenCoverTarHandler.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117587, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2345090f1d506017b314304019979ed1a2aa0f8172dbcf70a2d9dd6ae29dc610", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/CoverageHandler.php", "duplicate_line": 37, "correlation_key": "fp|2345090f1d506017b314304019979ed1a2aa0f8172dbcf70a2d9dd6ae29dc610"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/NoteHandler.php"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117586, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9f1ea5f215f4efb7a614e35c41937f11ee98b79fb90a1aee44f0feae5d46c2c2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/ConfigureHandler.php", "duplicate_line": 3, "correlation_key": "fp|9f1ea5f215f4efb7a614e35c41937f11ee98b79fb90a1aee44f0feae5d46c2c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/NoteHandler.php"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117585, "scanner": "repobility-ai-code-hygiene", "fingerprint": "82b39a56dce3e59ccf9b1c5891757f2f4cc477c01cb2db428b5cf7921b00b2fe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/AbstractXmlHandler.php", "duplicate_line": 1, "correlation_key": "fp|82b39a56dce3e59ccf9b1c5891757f2f4cc477c01cb2db428b5cf7921b00b2fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/NoteHandler.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117584, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bb31ddd0adc19146e9a7af62c0795bcd5ead1c5a2c50770a82b2a7c386c10972", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/GcovTarHandler.php", "duplicate_line": 43, "correlation_key": "fp|bb31ddd0adc19146e9a7af62c0795bcd5ead1c5a2c50770a82b2a7c386c10972"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/JavaJSONTarHandler.php"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117583, "scanner": "repobility-ai-code-hygiene", "fingerprint": "38835d0259df2e963f69ca8b96785020576e4aea044e8cc2cd5c83cb06789dcb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/JSCoverTarHandler.php", "duplicate_line": 3, "correlation_key": "fp|38835d0259df2e963f69ca8b96785020576e4aea044e8cc2cd5c83cb06789dcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/JavaJSONTarHandler.php"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117582, "scanner": "repobility-ai-code-hygiene", "fingerprint": "29149d31877b21f6df4e58e33e13d5db41d9ec289806125852d48ce4abf9fd34", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/AbstractXmlHandler.php", "duplicate_line": 1, "correlation_key": "fp|29149d31877b21f6df4e58e33e13d5db41d9ec289806125852d48ce4abf9fd34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/JavaJSONTarHandler.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117581, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ec07f94c5f9b6a300af0b92c877bffd245adce9ae28ddfcc8f8b07686642622e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/GcovTarHandler.php", "duplicate_line": 43, "correlation_key": "fp|ec07f94c5f9b6a300af0b92c877bffd245adce9ae28ddfcc8f8b07686642622e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/JSCoverTarHandler.php"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117580, "scanner": "repobility-ai-code-hygiene", "fingerprint": "905aeba5e5a2b200ec724bf20a03e18cd854f8171bb73ce1b0321ddc185b2bab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/AbstractXmlHandler.php", "duplicate_line": 1, "correlation_key": "fp|905aeba5e5a2b200ec724bf20a03e18cd854f8171bb73ce1b0321ddc185b2bab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/JSCoverTarHandler.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117579, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e1e72c6cdb78e15a53de1eca9633a92159739b5242086f49aa8c8c5a854bbe30", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/AbstractXmlHandler.php", "duplicate_line": 1, "correlation_key": "fp|e1e72c6cdb78e15a53de1eca9633a92159739b5242086f49aa8c8c5a854bbe30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/GcovTarHandler.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117578, "scanner": "repobility-ai-code-hygiene", "fingerprint": "017c16daa40be9912da8f5f5e07f87da52a2c20eec915812b1c8f6c20fade628", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/BuildHandler.php", "duplicate_line": 69, "correlation_key": "fp|017c16daa40be9912da8f5f5e07f87da52a2c20eec915812b1c8f6c20fade628"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/DynamicAnalysisHandler.php"}, "region": {"startLine": 47}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117577, "scanner": "repobility-ai-code-hygiene", "fingerprint": "609696893cb32139050f93be814af7f037955fccc3b87e7d92bddc87ad156b16", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/ConfigureHandler.php", "duplicate_line": 3, "correlation_key": "fp|609696893cb32139050f93be814af7f037955fccc3b87e7d92bddc87ad156b16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/DynamicAnalysisHandler.php"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117576, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f7ba6df7208dbcbf8c78297e302450fe067a86f7c5750e0615159400c733b0ba", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/AbstractXmlHandler.php", "duplicate_line": 1, "correlation_key": "fp|f7ba6df7208dbcbf8c78297e302450fe067a86f7c5750e0615159400c733b0ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/DynamicAnalysisHandler.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117575, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e50a4537a5eed5c2ba639a1e40671e51f46c7dbaa2e328cf20f92692a5315e7d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/AbstractXmlHandler.php", "duplicate_line": 1, "correlation_key": "fp|e50a4537a5eed5c2ba639a1e40671e51f46c7dbaa2e328cf20f92692a5315e7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/DoneHandler.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117574, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f228697c4b6fe59563979697f941136e294916206c1ec393993973c20c3be7f3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/CoverageHandler.php", "duplicate_line": 94, "correlation_key": "fp|f228697c4b6fe59563979697f941136e294916206c1ec393993973c20c3be7f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/CoverageLogHandler.php"}, "region": {"startLine": 71}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117573, "scanner": "repobility-ai-code-hygiene", "fingerprint": "460856313fc57c9bba4a17c11d7373f72a9348ad38334b429223c9f06a6374e9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/AbstractXmlHandler.php", "duplicate_line": 1, "correlation_key": "fp|460856313fc57c9bba4a17c11d7373f72a9348ad38334b429223c9f06a6374e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/CoverageLogHandler.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117572, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e4a96e8c873cfd6ac2bff214fc920428f8999e743a8191bf32b518e2574200b7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/CoverageHandler.php", "duplicate_line": 45, "correlation_key": "fp|e4a96e8c873cfd6ac2bff214fc920428f8999e743a8191bf32b518e2574200b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/CoverageJUnitHandler.php"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117571, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e7ef43b02874239ad5c3465b30106e16febc8dd91f649da601aa9f8af54da2b2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/ConfigureHandler.php", "duplicate_line": 3, "correlation_key": "fp|e7ef43b02874239ad5c3465b30106e16febc8dd91f649da601aa9f8af54da2b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/CoverageJUnitHandler.php"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117570, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b2685b97f3fb3eb3744e1e31ebd5863656df34e9d675a07a74763e7f91f07dbb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/AbstractXmlHandler.php", "duplicate_line": 1, "correlation_key": "fp|b2685b97f3fb3eb3744e1e31ebd5863656df34e9d675a07a74763e7f91f07dbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/CoverageJUnitHandler.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117569, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2b68abd516f1c5772fa8bd530efee4982cef9e6a29cee9dee017aae6563d6316", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/ConfigureHandler.php", "duplicate_line": 3, "correlation_key": "fp|2b68abd516f1c5772fa8bd530efee4982cef9e6a29cee9dee017aae6563d6316"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/CoverageHandler.php"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117568, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6159b44a724563ffe50b11ee4462b9ff06b2f062b0efb1a0651060be5d8fe848", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/AbstractXmlHandler.php", "duplicate_line": 1, "correlation_key": "fp|6159b44a724563ffe50b11ee4462b9ff06b2f062b0efb1a0651060be5d8fe848"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/CoverageHandler.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117567, "scanner": "repobility-ai-code-hygiene", "fingerprint": "83812118930ffeeab045df59fa41b66e0096e9b720d6ac317460ae885a722c54", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/BuildHandler.php", "duplicate_line": 80, "correlation_key": "fp|83812118930ffeeab045df59fa41b66e0096e9b720d6ac317460ae885a722c54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/ConfigureHandler.php"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117566, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5e4ee3f0992291565cb1518559e519efcf1bfb62d86b3c8f1fedc0cf929de9af", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/AbstractXmlHandler.php", "duplicate_line": 1, "correlation_key": "fp|5e4ee3f0992291565cb1518559e519efcf1bfb62d86b3c8f1fedc0cf929de9af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/ConfigureHandler.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117565, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7ca6933ee04fe002b013a7dbb84ec0c3540ee4f1148e72b9e86549932b99a486", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/AbstractXmlHandler.php", "duplicate_line": 1, "correlation_key": "fp|7ca6933ee04fe002b013a7dbb84ec0c3540ee4f1148e72b9e86549932b99a486"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/BuildPropertiesJSONHandler.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117564, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7340846e4353447ebf4e731c9ed5f51cb4ae096189b9d1080ed2893c21e3e309", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/AbstractXmlHandler.php", "duplicate_line": 1, "correlation_key": "fp|7340846e4353447ebf4e731c9ed5f51cb4ae096189b9d1080ed2893c21e3e309"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/BuildHandler.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117563, "scanner": "repobility-ai-code-hygiene", "fingerprint": "464e44dc412cd1884ef350d3671388630ac3df31a36ae1ea7079ab3a8b749cf9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Submission/Handlers/AbstractXmlHandler.php", "duplicate_line": 1, "correlation_key": "fp|464e44dc412cd1884ef350d3671388630ac3df31a36ae1ea7079ab3a8b749cf9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/BazelJSONHandler.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117562, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c26382411e0c1f1568179bcb9453576c3088818062b096afa2c71574203c937b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/GraphQL/Validators/CreateProjectInputValidator.php", "duplicate_line": 16, "correlation_key": "fp|c26382411e0c1f1568179bcb9453576c3088818062b096afa2c71574203c937b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/GraphQL/Validators/UpdateProjectInputValidator.php"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 117561, "scanner": "repobility-ai-code-hygiene", "fingerprint": "43ac1c247a5bd43cf01e7a47fac7ca592446fe47e988e1d995ad602b03e799b1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Console/Commands/RemoveUser.php", "duplicate_line": 9, "correlation_key": "fp|43ac1c247a5bd43cf01e7a47fac7ca592446fe47e988e1d995ad602b03e799b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Console/Commands/SaveUser.php"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 117557, "scanner": "repobility-threat-engine", "fingerprint": "2cef94347cd9a3749c39437c6a5ea46a62fe1b1d2201c8fd0ea3cbc764efcd8e", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"index.php?project=\" + project + \"&date=\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2cef94347cd9a3749c39437c6a5ea46a62fe1b1d2201c8fd0ea3cbc764efcd8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/js/angular/controllers/overview.js"}, "region": {"startLine": 34}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 117600, "scanner": "repobility-docker", "fingerprint": "8ac79556535e2922429c153895ae09d1ee6ca099a1122611c7c96b86b72d1524", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "cdash-${BASE_IMAGE}-non-root-intermediate", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|8ac79556535e2922429c153895ae09d1ee6ca099a1122611c7c96b86b72d1524"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 255}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 117599, "scanner": "repobility-docker", "fingerprint": "0605ccc3a549e5dd84619192a006ae069d044cab26fc10a842a0f4df65a8b80d", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "cdash-${BASE_IMAGE}-intermediate", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|0605ccc3a549e5dd84619192a006ae069d044cab26fc10a842a0f4df65a8b80d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 117560, "scanner": "repobility-threat-engine", "fingerprint": "cbfd02203bde873bbe789ff8d0a014ebc6555f8310f7bdc150d93ffd27a57819", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cbfd02203bde873bbe789ff8d0a014ebc6555f8310f7bdc150d93ffd27a57819"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/js/vue/components/shared/ApiLoader.js"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 117559, "scanner": "repobility-threat-engine", "fingerprint": "3837e958d57bbd93d1db3e9bdc202d587befa16582ad4a11e8356a686c1cda41", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3837e958d57bbd93d1db3e9bdc202d587befa16582ad4a11e8356a686c1cda41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/js/vue/app.js"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 117558, "scanner": "repobility-threat-engine", "fingerprint": "c7c99b1ae1b8efb51763558b181eac2a97ed81e80f8c3c623b3299548ab70c7b", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('CSRF token not found: https://laravel.com/docs/csrf#csrf-x-csrf-token')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|resources/js/vue/app.js|5|console.error csrf token not found: token #csrf-x-csrf-token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/js/vue/app.js"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 117554, "scanner": "repobility-threat-engine", "fingerprint": "781219ee48c59486d780877829c9169928fcedcbec550181d331d15cc72aa283", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|781219ee48c59486d780877829c9169928fcedcbec550181d331d15cc72aa283", "aggregated_count": 1}}}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 117553, "scanner": "repobility-threat-engine", "fingerprint": "90cce418a4ef8e5dfc1ec99e544d94c691df3288d2db7ba85cb89a314d49edb5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|90cce418a4ef8e5dfc1ec99e544d94c691df3288d2db7ba85cb89a314d49edb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/js/angular/directives/timeline.js"}, "region": {"startLine": 259}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 117552, "scanner": "repobility-threat-engine", "fingerprint": "17f6dd139ef691b2de7485228079120eb6cf623dd63bf89a67157a1c57ac194e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|17f6dd139ef691b2de7485228079120eb6cf623dd63bf89a67157a1c57ac194e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/js/angular/controllers/testOverview.js"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 117551, "scanner": "repobility-threat-engine", "fingerprint": "a547eb2980cd7dd7afca977a92186d65fb662ec98430af1376effdf7edda8506", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a547eb2980cd7dd7afca977a92186d65fb662ec98430af1376effdf7edda8506"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/js/angular/controllers/head.js"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 117548, "scanner": "repobility-threat-engine", "fingerprint": "f836c36bd21127a5c06b2ec7778303c4e6ee69ab8c3c83ef5baee1ee05a8b855", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f836c36bd21127a5c06b2ec7778303c4e6ee69ab8c3c83ef5baee1ee05a8b855"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "install.sh"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 46 more): Same pattern found in 46 additional files. Review if needed."}, "properties": {"repobilityId": 117544, "scanner": "repobility-threat-engine", "fingerprint": "c25a41abf03d41f456748383a3b70b9d70dc3a87837b730f47dd664de78e8eb0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 46 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c25a41abf03d41f456748383a3b70b9d70dc3a87837b730f47dd664de78e8eb0", "aggregated_count": 46}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 117543, "scanner": "repobility-threat-engine", "fingerprint": "e9bcb62f5fe88c6574f018efa61d9f30daa11299657b6a588ad858f338df15a0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e9bcb62f5fe88c6574f018efa61d9f30daa11299657b6a588ad858f338df15a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/CoverageHandler.php"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 117542, "scanner": "repobility-threat-engine", "fingerprint": "84536e573fc7412c89a0e1c2d17720be1c3849ae95fc436a9404bb2a26c6c55a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|84536e573fc7412c89a0e1c2d17720be1c3849ae95fc436a9404bb2a26c6c55a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/BuildPropertiesJSONHandler.php"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 117541, "scanner": "repobility-threat-engine", "fingerprint": "6e6d04b750f0c13b436274b3a0a0689046f9df6311a65b7d766c8d92faa59455", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6e6d04b750f0c13b436274b3a0a0689046f9df6311a65b7d766c8d92faa59455"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Submission/Handlers/AbstractXmlHandler.php"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "properties": {"repobilityId": 117539, "scanner": "repobility-threat-engine", "fingerprint": "08b11bf2b9baa678e8d2525e5c1a11a706b666ddea4e3dbb29d292f5b6c40ca0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 24 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|08b11bf2b9baa678e8d2525e5c1a11a706b666ddea4e3dbb29d292f5b6c40ca0", "aggregated_count": 24}}}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 117538, "scanner": "repobility-threat-engine", "fingerprint": "17f92eb6f45d0c73e361c8f94199a93f9dfa7767da5223788bd87b0c709fe183", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|17f92eb6f45d0c73e361c8f94199a93f9dfa7767da5223788bd87b0c709fe183"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Utils/DatabaseCleanupUtils.php"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 117537, "scanner": "repobility-threat-engine", "fingerprint": "e4907bf1168a1b91d341dd0ac486cb9babfdca504d99caec6a9616b6c3ba2a63", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e4907bf1168a1b91d341dd0ac486cb9babfdca504d99caec6a9616b6c3ba2a63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Controllers/SubmissionController.php"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 117536, "scanner": "repobility-threat-engine", "fingerprint": "dcc8cd9100f76b5400098f67ebf6171b57f443c185175ebb28f8dbefcb34ee6f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dcc8cd9100f76b5400098f67ebf6171b57f443c185175ebb28f8dbefcb34ee6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/GraphQL/Directives/FilterableDirective.php"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 117534, "scanner": "repobility-threat-engine", "fingerprint": "58c4da94b9afa5e01231817b007f3565b1e41c81ffd2047d0b8bd42d1b51c56a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|58c4da94b9afa5e01231817b007f3565b1e41c81ffd2047d0b8bd42d1b51c56a", "aggregated_count": 2}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 117653, "scanner": "repobility-supply-chain", "fingerprint": "8694763cb7e646c3c017cfd344d54ea40417fd6d51cda0af7003dfdfac029400", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8694763cb7e646c3c017cfd344d54ea40417fd6d51cda0af7003dfdfac029400"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 117652, "scanner": "repobility-supply-chain", "fingerprint": "e2036b00acb1c3ecfdc77f6e96260267065289a094ad88cfcbf5dd15402a40d0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2036b00acb1c3ecfdc77f6e96260267065289a094ad88cfcbf5dd15402a40d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 117651, "scanner": "repobility-supply-chain", "fingerprint": "185cdb7fe8cdceeb5522f1a3fef07799bca95cd75359ba1cdd1fa93af9239e17", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|185cdb7fe8cdceeb5522f1a3fef07799bca95cd75359ba1cdd1fa93af9239e17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 117650, "scanner": "repobility-supply-chain", "fingerprint": "ffd7c6aa6678bbc3903e124f4e203917f08d012419bc990a4402d40a5a8e113a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ffd7c6aa6678bbc3903e124f4e203917f08d012419bc990a4402d40a5a8e113a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `cdash-root-intermediate (no tag)` not pinned by digest: `FROM cdash-root-intermediate (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 117649, "scanner": "repobility-supply-chain", "fingerprint": "a6c7e7c29c1eea6ff9d5798ec60ef36e99a032caf1509fa1cb85845f89b84c68", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a6c7e7c29c1eea6ff9d5798ec60ef36e99a032caf1509fa1cb85845f89b84c68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 247}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `cdash-root-intermediate (no tag)` not pinned by digest: `FROM cdash-root-intermediate (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 117648, "scanner": "repobility-supply-chain", "fingerprint": "485172f0d1e5ba27e146d6ce79d5b9fbed9bef8f99241ab67dc298e13db7d74b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|485172f0d1e5ba27e146d6ce79d5b9fbed9bef8f99241ab67dc298e13db7d74b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 244}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `registry.access.redhat.com/ubi9/php-83 (no tag)` not pinned by digest: `FROM registry.access.redhat.com/ubi9/php-83 (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 117647, "scanner": "repobility-supply-chain", "fingerprint": "a2c0f5051c4de3958105555b637f01b4051452a4340803b0925081b54bedc53e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a2c0f5051c4de3958105555b637f01b4051452a4340803b0925081b54bedc53e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `php:8.3-apache-trixie` not pinned by digest: `FROM php:8.3-apache-trixie` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 117646, "scanner": "repobility-supply-chain", "fingerprint": "16e35166a3c083c4ca72a4d692f59db32e5c5dc37ec935055fd57d705b005601", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|16e35166a3c083c4ca72a4d692f59db32e5c5dc37ec935055fd57d705b005601"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 117639, "scanner": "repobility-journey-contract", "fingerprint": "4c00980aa0bf61c22f4030f9f923f9a1ce0ab1b92c7c5fc66558b3a553a95fa9", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|102|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/js/vue/components/ProfilePage.vue"}, "region": {"startLine": 102}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /builds/{build_id}/files."}, "properties": {"repobilityId": 117617, "scanner": "repobility-access-control", "fingerprint": "b56a058798a9895c471e8ac0befd2b074245cd0e4d9410edc0d9e088d1b1c82f", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/builds/{build_id}/files", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|142|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 142}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /builds/{build_id}/instrumentation."}, "properties": {"repobilityId": 117616, "scanner": "repobility-access-control", "fingerprint": "361a00a97e2d609933745ce1292111e128b3e70462a921c5c933367a66dafd56", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/builds/{build_id}/instrumentation", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|138|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 138}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /builds/{build_id}/targets."}, "properties": {"repobilityId": 117615, "scanner": "repobility-access-control", "fingerprint": "82913c0cc8be095ee7cf6b4213dd1854e319c156b56b02874611d2498105abbb", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/builds/{build_id}/targets", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|135|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 135}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /builds/{build_id}/dynamic_analysis/{file_id}."}, "properties": {"repobilityId": 117614, "scanner": "repobility-access-control", "fingerprint": "3d5cb87f886ba683180874ff1001851ee7ce6a7d4955a32f4d1e76565ac11479", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/builds/{build_id}/dynamic_analysis/{file_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|123|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 123}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /builds/{id}/dynamic_analysis."}, "properties": {"repobilityId": 117613, "scanner": "repobility-access-control", "fingerprint": "e60d960f9e3f8d381458f5ba5b669a3cab5db3c95dc8281725d808f8d5988225", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/builds/{id}/dynamic_analysis", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|115|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 115}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /builds/{id}/notes."}, "properties": {"repobilityId": 117612, "scanner": "repobility-access-control", "fingerprint": "0b4da2bf0047fb3596032f60af51b140ab5cbffe8a50e36873cc6fe0a8da631b", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/builds/{id}/notes", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|107|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 107}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /builds/{id}/update."}, "properties": {"repobilityId": 117611, "scanner": "repobility-access-control", "fingerprint": "8e2a8888f46ad08bd9ab4a832316c42a2ac6ee3577934a8d0e7ec48957d50660", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/builds/{id}/update", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|99|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 99}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /builds/{build_id}/tests."}, "properties": {"repobilityId": 117610, "scanner": "repobility-access-control", "fingerprint": "9925cb4f716da51eda99466f62edf1bb960190e77b5c71d4b0374c377d01789a", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/builds/{build_id}/tests", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|92|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 92}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /builds/{id}/configure."}, "properties": {"repobilityId": 117609, "scanner": "repobility-access-control", "fingerprint": "02983e2e838cb33576e037540d8f6f0f8fe1e611d699941e9c69532251df07d6", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/builds/{id}/configure", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|84|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 84}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /builds/{id}."}, "properties": {"repobilityId": 117608, "scanner": "repobility-access-control", "fingerprint": "2c54f1226ee39fcd320a1031339f533ca2a9d9a3e73977c7df333b50c5a356f7", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/builds/{id}", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|76|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 117550, "scanner": "repobility-threat-engine", "fingerprint": "2c56860f94204954125dd11dba3b2a393e12658efb94ff8fa52cfdccd2d4b6f9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(query", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2c56860f94204954125dd11dba3b2a393e12658efb94ff8fa52cfdccd2d4b6f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/js/angular/controllers/head.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 117546, "scanner": "repobility-threat-engine", "fingerprint": "49ed62ebea010931c9583bea180f337cdb66efbeedaedfb17f57cb6e504e91e1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|49ed62ebea010931c9583bea180f337cdb66efbeedaedfb17f57cb6e504e91e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/js/vue/components/shared/RepositoryIntegrations.js"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 117545, "scanner": "repobility-threat-engine", "fingerprint": "53362664d1565997d99882f7fde7b338f7aed4fc060bd30597045bc47d7db469", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(C", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|53362664d1565997d99882f7fde7b338f7aed4fc060bd30597045bc47d7db469"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Providers/AppServiceProvider.php"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 117535, "scanner": "repobility-threat-engine", "fingerprint": "04a77414692a35d625ddb6d4e59305641db2317ecf88a951e48aa2a70ea33f20", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open($input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|43|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Console/Commands/ValidateXml.php"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 117533, "scanner": "repobility-threat-engine", "fingerprint": "f4ecb9c4cefb84189fc10452facb429b4969c43c0adba02e8740b131fdd2650a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f4ecb9c4cefb84189fc10452facb429b4969c43c0adba02e8740b131fdd2650a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Models/BuildFile.php"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 117532, "scanner": "repobility-threat-engine", "fingerprint": "ceda1e8695bd1ce8b325cacb43a773ce7ecf3148b217a23c3f2f59019faa1a09", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ceda1e8695bd1ce8b325cacb43a773ce7ecf3148b217a23c3f2f59019faa1a09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Controllers/SubmissionController.php"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 117531, "scanner": "repobility-threat-engine", "fingerprint": "95e38878170b45201e8a1d1b9fadcfdbd79091749227933d4bd31395982d11ae", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|95e38878170b45201e8a1d1b9fadcfdbd79091749227933d4bd31395982d11ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Console/Commands/QueueSubmissions.php"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC039", "level": "error", "message": {"text": "[SEC039] Plaintext-equivalent password hash \u2014 unsalted single-pass digest: Single-pass digest of a password is cryptographically strong as a hash, but is rainbow-table-attackable when used for passwords: there's no salt and no key-stretching. Attackers with the hash database can crack 90%+ of common passwords offline in hours. CWE-916 (use of password hash without computational effort)."}, "properties": {"repobilityId": 117540, "scanner": "repobility-threat-engine", "fingerprint": "9194af22d8eb58e3ce9892c0e90e1ce0ad042f376b136d0023e7c474bf5d4169", "category": "crypto", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "hash($passwd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC039", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|87|sec039"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Controllers/UserController.php"}, "region": {"startLine": 87}}}]}]}]}