{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB012", "name": "Service worker is present without a web app manifest", "shortDescription": {"text": "Service worker is present without a web app manifest"}, "fullDescription": {"text": "Add a valid manifest.json or site.webmanifest and reference it from the document head. Include name, icons, start_url, display, and theme colors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC105", "name": "[SEC105] Cookie missing HttpOnly/Secure flag: Session cookie missing HttpOnly (allows JS reads), Secure (transmitted ove", "shortDescription": {"text": "[SEC105] Cookie missing HttpOnly/Secure flag: Session cookie missing HttpOnly (allows JS reads), Secure (transmitted over plain HTTP), or SameSite (CSRF). Each on its own is a finding."}, "fullDescription": {"text": "Always set HttpOnly=true, Secure=true (in production), SameSite=Lax or Strict. For Express: `res.cookie(name, val, { httpOnly: true, secure: true, sameSite: 'lax' })`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC130", "name": "[SEC130] Hallucinated package name \u2014 looks like a real package but isn't: Import of a package name that closely resemble", "shortDescription": {"text": "[SEC130] Hallucinated package name \u2014 looks like a real package but isn't: Import of a package name that closely resembles a popular one but isn't published \u2014 a classic AI hallucination. Two risks: (1) the code crashes on install in fresh en"}, "fullDescription": {"text": "Verify the import resolves to a real, maintained package: check pypi.org / npmjs.com directly. If the package doesn't exist, the AI invented it \u2014 find the real package the AI was thinking of and swap. Pin all deps to known-good versions and require a registry allowlist in CI."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC034", "name": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines o", "shortDescription": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (S"}, "fullDescription": {"text": "Strip control characters before logging:\n  safe = user_input.replace('\\n','').replace('\\r','').replace('\\x00','')\n  logger.info('User action: %s', safe)\nAlways use parameterized logging (`%s` + args), never f-strings or string concat \u2014 that's also what mitigates log4shell-style attacks. For structured logging, use a JSON formatter that escapes values."}, "properties": {"scanner": "repobility-threat-engine", "category": "log_injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "low", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED047", "name": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested.", "shortDescription": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED087", "name": "[MINED087] Js Always True If: if (true) \u2014 else branch unreachable. Likely debug residue.", "shortDescription": {"text": "[MINED087] Js Always True If: if (true) \u2014 else branch unreachable. Likely debug residue."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-561 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 25 more): Same pattern found in 25 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED013] Password In Url (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED069", "name": "[MINED069] Debug True Prod (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED069] Debug True Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-489 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED053] Placeholder Default Username (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED049] Print Pii (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 11 more): Same pattern found in 11 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 40 more): Same pattern found in 40 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 25 more): Same pattern found in 25 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 51 more): Same pattern found in 51 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 51 more): Same pattern found in 51 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 199 more): Same pattern found in 199 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 199 more): Same pattern found in 199 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 341 more): Same pattern found in 341 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 341 more): Same pattern found in 341 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express POST /assert has no auth: Express route POST /assert declared without an auth middleware in its handl", "shortDescription": {"text": "[MINED113] Express POST /assert has no auth: Express route POST /assert declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control"}, "fullDescription": {"text": "Add an auth middleware: app.post('/assert', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC061", "name": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from", "shortDescription": {"text": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT)."}, "fullDescription": {"text": "If the JWT is live, invalidate by rotating the signing key. Move tokens out of source."}, "properties": {"scanner": "repobility-threat-engine", "category": "secret", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.", "shortDescription": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/948"}, "properties": {"repository": "DefinitelyTyped/DefinitelyTyped", "repoUrl": "https://github.com/DefinitelyTyped/DefinitelyTyped", "branch": "master"}, "results": [{"ruleId": "WEB012", "level": "warning", "message": {"text": "Service worker is present without a web app manifest"}, "properties": {"repobilityId": 89015, "scanner": "repobility-web-presence", "fingerprint": "fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A service worker was discovered but no common web manifest file was found.", "evidence": {"rule_id": "WEB012", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/Manifest"], "correlation_key": "fp|fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "manifest.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 89014, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 89013, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 89008, "scanner": "repobility-journey-contract", "fingerprint": "b65b49a59c7ad0fc749257a7a739d38335cbed192924c399a1e380eb989332eb", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|95|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/auth0-lock/auth0-lock-tests.ts"}, "region": {"startLine": 95}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 89007, "scanner": "repobility-journey-contract", "fingerprint": "ffc45585cb9291928cd7f0d94e42c5f03ab46e628c2ec8ac7f80c9e8a6b8a734", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|83|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/auth0-lock/auth0-lock-tests.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 89006, "scanner": "repobility-journey-contract", "fingerprint": "6db17993d5d1886c02ead264ce971431558a03ef34b8483fc9e36fc6f95a7bb3", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|397|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/auth0-js/auth0-js-tests.ts"}, "region": {"startLine": 397}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 89005, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "SEC105", "level": "warning", "message": {"text": "[SEC105] Cookie missing HttpOnly/Secure flag: Session cookie missing HttpOnly (allows JS reads), Secure (transmitted over plain HTTP), or SameSite (CSRF). Each on its own is a finding."}, "properties": {"repobilityId": 88989, "scanner": "repobility-threat-engine", "fingerprint": "7b62b43b2d9c5edc431452eb6f235cc2eaf31d4185573d674e0640358ed77362", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".cookie(\"key\", \"value\", {\n        maxAge: 86400,\n        signed: true,\n        httpOnly: false", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC105", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7b62b43b2d9c5edc431452eb6f235cc2eaf31d4185573d674e0640358ed77362"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/express-serve-static-core/v4/express-serve-static-core-tests.ts"}, "region": {"startLine": 215}}}]}, {"ruleId": "SEC105", "level": "warning", "message": {"text": "[SEC105] Cookie missing HttpOnly/Secure flag: Session cookie missing HttpOnly (allows JS reads), Secure (transmitted over plain HTTP), or SameSite (CSRF). Each on its own is a finding."}, "properties": {"repobilityId": 88988, "scanner": "repobility-threat-engine", "fingerprint": "126ca730df57906221e0cd6f3b6582164465bef293938c7043b8aed2a113f5b7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".cookie(\"key\", \"value\", {\n        maxAge: 86400,\n        signed: true,\n        httpOnly: false", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC105", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|126ca730df57906221e0cd6f3b6582164465bef293938c7043b8aed2a113f5b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/express-serve-static-core/express-serve-static-core-tests.ts"}, "region": {"startLine": 245}}}]}, {"ruleId": "SEC130", "level": "warning", "message": {"text": "[SEC130] Hallucinated package name \u2014 looks like a real package but isn't: Import of a package name that closely resembles a popular one but isn't published \u2014 a classic AI hallucination. Two risks: (1) the code crashes on install in fresh environments, and (2) supply-chain attackers publish typosquat packages targeting exactly these AI-hallucinated names, so installing succeeds and ships malware ('slopsquatting'). CWE-1357 (dependency on an unmaintained / unverified component). CVE-2024-class sup"}, "properties": {"repobilityId": 88986, "scanner": "repobility-threat-engine", "fingerprint": "f03e50b184881300a228926b67e0a8a6c27721a9d91ba9500b4e0a5b8543ec3d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "import expresss", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC130", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f03e50b184881300a228926b67e0a8a6c27721a9d91ba9500b4e0a5b8543ec3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/express-socket.io-session/express-socket.io-session-tests.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC130", "level": "warning", "message": {"text": "[SEC130] Hallucinated package name \u2014 looks like a real package but isn't: Import of a package name that closely resembles a popular one but isn't published \u2014 a classic AI hallucination. Two risks: (1) the code crashes on install in fresh environments, and (2) supply-chain attackers publish typosquat packages targeting exactly these AI-hallucinated names, so installing succeeds and ships malware ('slopsquatting'). CWE-1357 (dependency on an unmaintained / unverified component). CVE-2024-class sup"}, "properties": {"repobilityId": 88985, "scanner": "repobility-threat-engine", "fingerprint": "0edd478d892240cf23c2ad362ff47a6cb028a299497072c10c9daa896bcf95ab", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "import expressS", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC130", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0edd478d892240cf23c2ad362ff47a6cb028a299497072c10c9daa896bcf95ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/express-sitemap-xml/express-sitemap-xml-tests.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC130", "level": "warning", "message": {"text": "[SEC130] Hallucinated package name \u2014 looks like a real package but isn't: Import of a package name that closely resembles a popular one but isn't published \u2014 a classic AI hallucination. Two risks: (1) the code crashes on install in fresh environments, and (2) supply-chain attackers publish typosquat packages targeting exactly these AI-hallucinated names, so installing succeeds and ships malware ('slopsquatting'). CWE-1357 (dependency on an unmaintained / unverified component). CVE-2024-class sup"}, "properties": {"repobilityId": 88984, "scanner": "repobility-threat-engine", "fingerprint": "d0c61036b8e38247479243eaead2f34259463e1ed09de93db1a4877159a66459", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "import expressS", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC130", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d0c61036b8e38247479243eaead2f34259463e1ed09de93db1a4877159a66459"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/express-sanitized/express-sanitized-tests.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 88975, "scanner": "repobility-threat-engine", "fingerprint": "2052b976d8e7d3c6052da3306c4c676038c9505aa33b405d7b5445c7622b1f63", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "console.log(req.body", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2052b976d8e7d3c6052da3306c4c676038c9505aa33b405d7b5445c7622b1f63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/express-form-data/express-form-data-tests.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 88974, "scanner": "repobility-threat-engine", "fingerprint": "69173ed5ea87189d969f555839640879a9384baa172256c74b618242bdf49212", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "console.log(req.body", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|69173ed5ea87189d969f555839640879a9384baa172256c74b618242bdf49212"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/body-parser/body-parser-tests.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 88954, "scanner": "repobility-threat-engine", "fingerprint": "343a2a63125a556bd17f4115b30bbdca1e9405711e5cbfdad763bcf0b13dff45", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(URL.createObjectURL(blob)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|40|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/animated_gif/animated_gif-tests.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 88945, "scanner": "repobility-threat-engine", "fingerprint": "53ed680b779b8236cf1e8099dfedb4c1248654c1200b8d664f60dcfb9158d6c5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DEBUG = true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|53ed680b779b8236cf1e8099dfedb4c1248654c1200b8d664f60dcfb9158d6c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/bucks/bucks-tests.ts"}, "region": {"startLine": 197}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 88944, "scanner": "repobility-threat-engine", "fingerprint": "cab7332b0d0c988c92ee75455dd88155fc2d401a8561401781783cf113004c0b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DEBUG = true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cab7332b0d0c988c92ee75455dd88155fc2d401a8561401781783cf113004c0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/backbone.radio/backbone.radio-tests.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 88943, "scanner": "repobility-threat-engine", "fingerprint": "e258ed1cd02742feb765541f9c25834518e796c9edd6c53f4b0fdcffcbdb31d9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "debug = true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e258ed1cd02742feb765541f9c25834518e796c9edd6c53f4b0fdcffcbdb31d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/angular-gettext/angular-gettext-tests.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 88932, "scanner": "repobility-threat-engine", "fingerprint": "0234e18db765c4551fa2042947641fe1f9dc5be9699dd1aee2290ddaeaf46813", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|27|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/cassanknex/cassanknex-tests.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 88931, "scanner": "repobility-threat-engine", "fingerprint": "4ebf7275b7d72f08c7dee511f2e96dd73d651cfb90f6f2a70c7acb3a65304db5", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|64|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/browser-harness/browser-harness-tests.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 88930, "scanner": "repobility-threat-engine", "fingerprint": "24094f4461b2aed3605a40b28757289e57cdab8d8adeff4af9e2fbff0a7b2188", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|49|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/angular-ui-router/angular-ui-router-tests.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 88907, "scanner": "repobility-threat-engine", "fingerprint": "0701b3f22f27227756afefe14e6ee6a1474ce04183bb74ef52516fdeac013c25", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url=\"http://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0701b3f22f27227756afefe14e6ee6a1474ce04183bb74ef52516fdeac013c25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/americanexpress__react-seo/americanexpress__react-seo-tests.tsx"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 88906, "scanner": "repobility-threat-engine", "fingerprint": "b6783cdeee90d4cbe95b92a153dbaf4fb87bf82a9f726a3f5f3fe0607f45c30c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Lorem ipsum dolor sit amet", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b6783cdeee90d4cbe95b92a153dbaf4fb87bf82a9f726a3f5f3fe0607f45c30c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/activex-scripting/activex-scripting-tests.ts"}, "region": {"startLine": 156}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 88905, "scanner": "repobility-threat-engine", "fingerprint": "9d7913c6769b6ecd563bd107d0ecdd502b11b7bcf11c1c3f989061817a39df8e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"John Doe\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9d7913c6769b6ecd563bd107d0ecdd502b11b7bcf11c1c3f989061817a39df8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/actioncable/actioncable-tests.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 88899, "scanner": "repobility-threat-engine", "fingerprint": "7cc0cf24cdb3f805e33c917e9e8ad3daa5d38ab4d41431892ba9cc3e32cbff2e", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7cc0cf24cdb3f805e33c917e9e8ad3daa5d38ab4d41431892ba9cc3e32cbff2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/avocat/avocat-tests.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 88898, "scanner": "repobility-threat-engine", "fingerprint": "2aa397a14ba5e8f6b8d48f3e51622b79e91e1a523e0a64f2af3f7101d1dd8599", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2aa397a14ba5e8f6b8d48f3e51622b79e91e1a523e0a64f2af3f7101d1dd8599"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/update-codeowners.js"}, "region": {"startLine": 54}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 88897, "scanner": "repobility-threat-engine", "fingerprint": "d2f603ef2ad45b6d4dedc47e70ea1e3c7ab93ab8acbb335479d15376ca376a34", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d2f603ef2ad45b6d4dedc47e70ea1e3c7ab93ab8acbb335479d15376ca376a34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ghostbuster.js"}, "region": {"startLine": 76}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 89012, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 89011, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 89010, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 89009, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 89004, "scanner": "repobility-ai-code-hygiene", "fingerprint": "460f06aa1db7f1152f861ca5654b38d407df9a89d2ae4bac0a88ea193bbadfd5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "types/babel-traverse/babel-traverse-tests.ts", "duplicate_line": 60, "correlation_key": "fp|460f06aa1db7f1152f861ca5654b38d407df9a89d2ae4bac0a88ea193bbadfd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/babel__traverse/babel__traverse-tests.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 89003, "scanner": "repobility-ai-code-hygiene", "fingerprint": "758b54567861ae058334a7c0227eaba95dc4ecf382a5f4b96a07b59a3b3a92b0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "types/babel__plugin-transform-runtime/babel__plugin-transform-runtime-tests.ts", "duplicate_line": 7, "correlation_key": "fp|758b54567861ae058334a7c0227eaba95dc4ecf382a5f4b96a07b59a3b3a92b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/babel__preset-env/babel__preset-env-tests.ts"}, "region": {"startLine": 132}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 89002, "scanner": "repobility-ai-code-hygiene", "fingerprint": "688e61e4ede0abb82b8beffca5357f0ba1ea1513e7c5ec82e98b27a7da673629", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "types/async-stream-emitter/async-stream-emitter-tests.ts", "duplicate_line": 1, "correlation_key": "fp|688e61e4ede0abb82b8beffca5357f0ba1ea1513e7c5ec82e98b27a7da673629"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/async-stream-emitter/v6/async-stream-emitter-tests.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 89001, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c4b63f898de00b9723fcb910eae5db8aea83193e1a1edb91bec82be0e6f106fd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "types/async-stream-emitter/async-stream-emitter-tests.ts", "duplicate_line": 1, "correlation_key": "fp|c4b63f898de00b9723fcb910eae5db8aea83193e1a1edb91bec82be0e6f106fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/async-stream-emitter/v5/async-stream-emitter-tests.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 89000, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c7b4aacecb23eac8f17f8189cdd7c1132b555a612e2717b3bf322914a446d0dd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "types/async-stream-emitter/async-stream-emitter-tests.ts", "duplicate_line": 1, "correlation_key": "fp|c7b4aacecb23eac8f17f8189cdd7c1132b555a612e2717b3bf322914a446d0dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/async-stream-emitter/v4/async-stream-emitter-tests.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88999, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8cb59f2388080975f527d81ee050fc631027f390ed8e7947043a9b952a76b4ee", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "types/async-stream-emitter/async-stream-emitter-tests.ts", "duplicate_line": 1, "correlation_key": "fp|8cb59f2388080975f527d81ee050fc631027f390ed8e7947043a9b952a76b4ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/async-stream-emitter/v3/async-stream-emitter-tests.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88998, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b78322fe162110d465655ce76874dca486b17b653c9e410679f575d4de6fe0cb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "types/angular-odata-resources/angular-odata-resources-tests.ts", "duplicate_line": 21, "correlation_key": "fp|b78322fe162110d465655ce76874dca486b17b653c9e410679f575d4de6fe0cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/angular-resource/angular-resource-tests.ts"}, "region": {"startLine": 82}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88997, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fe787d79422c678cdf6f340699fc2e65a86ac5d3d67ae231ab64af8285f79280", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "types/amplitude-js/amplitude-js-tests.ts", "duplicate_line": 1, "correlation_key": "fp|fe787d79422c678cdf6f340699fc2e65a86ac5d3d67ae231ab64af8285f79280"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/amplitude-js/v5/amplitude-js-tests.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88996, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a9e295ac9d8a60890078a3e9726ffb9f542a139b01d9486ffa235fee20b8d036", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "types/amplifier/amplifier-tests.ts", "duplicate_line": 95, "correlation_key": "fp|a9e295ac9d8a60890078a3e9726ffb9f542a139b01d9486ffa235fee20b8d036"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/amplify/amplify-tests.ts"}, "region": {"startLine": 95}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88995, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6feea536ff2ac0770c387c5b565e168e7dba290348435d734407cd6ab2f69d04", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "types/ag-simple-broker/ag-simple-broker-tests.ts", "duplicate_line": 1, "correlation_key": "fp|6feea536ff2ac0770c387c5b565e168e7dba290348435d734407cd6ab2f69d04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/ag-simple-broker/v5/ag-simple-broker-tests.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88994, "scanner": "repobility-ai-code-hygiene", "fingerprint": "10d3b750a316c1082886fe33b8ffeb4d257b75d851d3e7e6f07c258aae73f008", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "types/ag-simple-broker/ag-simple-broker-tests.ts", "duplicate_line": 1, "correlation_key": "fp|10d3b750a316c1082886fe33b8ffeb4d257b75d851d3e7e6f07c258aae73f008"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/ag-simple-broker/v4/ag-simple-broker-tests.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88993, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ab4da8b0fac0e8e715609d72758b1c995414c824427c7c8e376919898d59e32f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "types/ag-channel/ag-channel-tests.ts", "duplicate_line": 1, "correlation_key": "fp|ab4da8b0fac0e8e715609d72758b1c995414c824427c7c8e376919898d59e32f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/ag-channel/v4/ag-channel-tests.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88992, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c3394955360213bd2bb38067f0a937dc616f90358665d4cdfea3380a12e83f9c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "types/adm-zip/adm-zip-tests.ts", "duplicate_line": 1, "correlation_key": "fp|c3394955360213bd2bb38067f0a937dc616f90358665d4cdfea3380a12e83f9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/adm-zip/ts5.6/adm-zip-tests.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88991, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0c2eb687f12da47c9da4b74c6bce2c54a3ffe06f7f8e244eeeaba4c7be3b96eb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "types/activex-adodb/activex-adodb-tests.ts", "duplicate_line": 2, "correlation_key": "fp|0c2eb687f12da47c9da4b74c6bce2c54a3ffe06f7f8e244eeeaba4c7be3b96eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/activex-faxcomexlib/activex-faxcomexlib-tests.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88990, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c14af2136f3ea5244386cb8d665997c069e77539397f8a71fc3ac0f9d1eaa866", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "types/activex-adodb/activex-adodb-tests.ts", "duplicate_line": 15, "correlation_key": "fp|c14af2136f3ea5244386cb8d665997c069e77539397f8a71fc3ac0f9d1eaa866"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/activex-adox/activex-adox-tests.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 88980, "scanner": "repobility-threat-engine", "fingerprint": "fcac8c227ed5ff007d86ab4992e8faabeb55fc9c44bd8ad30bb39148d0196f51", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = t", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|15|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/countdown/countdown-tests.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 88979, "scanner": "repobility-threat-engine", "fingerprint": "ad559be8e450adecf60e56d3a8d5f46adccd8523971022de87e570a2c0b1cfb6", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML +=", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|409|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/chillout/chillout-tests.ts"}, "region": {"startLine": 409}}}]}, {"ruleId": "SEC022", "level": "note", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 88955, "scanner": "repobility-threat-engine", "fingerprint": "1f8623c32134ad29c9627d5b129c80b85fbff1d51d2cbe0a36bc785a938fd399", "category": "credential_exposure", "severity": "low", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value contains development/placeholder marker Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "mysql://user:password@", "reason": "Value contains development/placeholder marker", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "secret|token|1|mysql://user:password", "duplicate_count": 1, "duplicate_rule_ids": ["SEC022"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["17d2af437092d4981813ead86118b01ec681dec634542ffd1e87b183c0b156fb", "1f8623c32134ad29c9627d5b129c80b85fbff1d51d2cbe0a36bc785a938fd399"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/any-db-transaction/any-db-transaction-tests.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 88948, "scanner": "repobility-threat-engine", "fingerprint": "2b282a303e98fac5afa7dc115451d29fae47130735122a366f6d2840ae0aa78e", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Full-screen element \" + element + \" changed.\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2b282a303e98fac5afa7dc115451d29fae47130735122a366f6d2840ae0aa78e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/bigscreen/bigscreen-tests.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 88947, "scanner": "repobility-threat-engine", "fingerprint": "2e3b567cc41f34dfe048ebceff0afee29ce5166fbd032fd5ca99dc969224956c", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"/languages/\" + lang + \".json\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2e3b567cc41f34dfe048ebceff0afee29ce5166fbd032fd5ca99dc969224956c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/angular-gettext/angular-gettext-tests.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC130", "level": "none", "message": {"text": "[SEC130] Hallucinated package name \u2014 looks like a real package but isn't (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 88987, "scanner": "repobility-threat-engine", "fingerprint": "169ee4da4da899c01e60a2cf272d61ec99da02ac6ee3f6eeed2eabbbdcb62e39", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC130", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|169ee4da4da899c01e60a2cf272d61ec99da02ac6ee3f6eeed2eabbbdcb62e39"}}}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 88972, "scanner": "repobility-threat-engine", "fingerprint": "f9df7749cca9766583bf9890f81590f88b2f0ecffbdee0be9d92b03c42055f0a", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "password = \"<redacted>\"", "reason": "Safe context pattern detected", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|2|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/bitauth/bitauth-tests.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 88971, "scanner": "repobility-threat-engine", "fingerprint": "e29c63aa363f0c5974221cb40afa31979f461cedcd28c0d35e12b75cff36b0a3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e29c63aa363f0c5974221cb40afa31979f461cedcd28c0d35e12b75cff36b0a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/esc-pos-encoder/esc-pos-encoder-tests.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 88970, "scanner": "repobility-threat-engine", "fingerprint": "0e550e5ee4e7722a89e57702d32e36006a2fd7bb042fc41565b802ff7d9d72f1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0e550e5ee4e7722a89e57702d32e36006a2fd7bb042fc41565b802ff7d9d72f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/bardjs/bardjs-tests.ts"}, "region": {"startLine": 243}}}]}, {"ruleId": "MINED087", "level": "none", "message": {"text": "[MINED087] Js Always True If: if (true) \u2014 else branch unreachable. Likely debug residue."}, "properties": {"repobilityId": 88969, "scanner": "repobility-threat-engine", "fingerprint": "e5fb21f99c0ed65dceaa1948d8d85f620d49f2a235a93997a269bafca0f1defc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-always-true-if", "owasp": null, "cwe_ids": ["CWE-561"], "languages": ["javascript", "typescript", "tsx", "jsx", "python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348140+00:00", "triaged_in_corpus": 12, "observations_count": 739, "ai_coder_pattern_id": 140}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e5fb21f99c0ed65dceaa1948d8d85f620d49f2a235a93997a269bafca0f1defc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/babel__core/babel__core-tests.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "properties": {"repobilityId": 88966, "scanner": "repobility-threat-engine", "fingerprint": "0b813a79a9727f38fb1caf0c897a799a131c5ca7bf98064b09d2fe178495f7ff", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 25 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0b813a79a9727f38fb1caf0c897a799a131c5ca7bf98064b09d2fe178495f7ff", "aggregated_count": 25}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 88965, "scanner": "repobility-threat-engine", "fingerprint": "cf4c7152b4221e5fb36c7a4a42644e460b0cbbe1d684ff5f9ef86d1d70efcc4e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cf4c7152b4221e5fb36c7a4a42644e460b0cbbe1d684ff5f9ef86d1d70efcc4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/babel__generator/babel__generator-tests.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 88964, "scanner": "repobility-threat-engine", "fingerprint": "0a7ad2f64d62d348163572fdf3d2cb9a5b73829c5365b197a52bb5a36cb50469", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0a7ad2f64d62d348163572fdf3d2cb9a5b73829c5365b197a52bb5a36cb50469"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/babel__core/babel__core-tests.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 88963, "scanner": "repobility-threat-engine", "fingerprint": "17a583eb9affc3dacf61033acde6dc3ea3fae1ce91a8f3b9b2afcc8ba9efadea", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|17a583eb9affc3dacf61033acde6dc3ea3fae1ce91a8f3b9b2afcc8ba9efadea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/aws-cloudfront-function/aws-cloudfront-function-tests.ts"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED013", "level": "none", "message": {"text": "[MINED013] Password In Url (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 88960, "scanner": "repobility-threat-engine", "fingerprint": "085040b8c3d2e5c3560ba1137cf773c78596fa51f6271b6214b5fee56cac4add", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|085040b8c3d2e5c3560ba1137cf773c78596fa51f6271b6214b5fee56cac4add", "aggregated_count": 1}}}, {"ruleId": "MINED069", "level": "none", "message": {"text": "[MINED069] Debug True Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 88952, "scanner": "repobility-threat-engine", "fingerprint": "590230b5e962d7d6f840c1ee013acdd3403c41ee0e3742ac3f89de53ef403c46", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "debug-true-prod", "owasp": "A05:2021", "cwe_ids": ["CWE-489"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348063+00:00", "triaged_in_corpus": 12, "observations_count": 37393, "ai_coder_pattern_id": 17}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|590230b5e962d7d6f840c1ee013acdd3403c41ee0e3742ac3f89de53ef403c46", "aggregated_count": 2}}}, {"ruleId": "MINED069", "level": "none", "message": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "properties": {"repobilityId": 88951, "scanner": "repobility-threat-engine", "fingerprint": "18f3071ba007abc59fdd438ad9ea6ff641c6c9058a1c419754e514b16ff261cc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "debug-true-prod", "owasp": "A05:2021", "cwe_ids": ["CWE-489"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348063+00:00", "triaged_in_corpus": 12, "observations_count": 37393, "ai_coder_pattern_id": 17}, "scanner": "repobility-threat-engine", "correlation_key": "fp|18f3071ba007abc59fdd438ad9ea6ff641c6c9058a1c419754e514b16ff261cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/bucks/bucks-tests.ts"}, "region": {"startLine": 197}}}]}, {"ruleId": "MINED069", "level": "none", "message": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "properties": {"repobilityId": 88950, "scanner": "repobility-threat-engine", "fingerprint": "4495280af5442f6f188e82dc3512b03f625c72f27109e4d6928b47ab41ed1d23", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "debug-true-prod", "owasp": "A05:2021", "cwe_ids": ["CWE-489"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348063+00:00", "triaged_in_corpus": 12, "observations_count": 37393, "ai_coder_pattern_id": 17}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4495280af5442f6f188e82dc3512b03f625c72f27109e4d6928b47ab41ed1d23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/backbone.radio/backbone.radio-tests.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED069", "level": "none", "message": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "properties": {"repobilityId": 88949, "scanner": "repobility-threat-engine", "fingerprint": "23070a309d54e7a55899317a863a983f1c18c40c44bb93647e46dacffa9a0c94", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "debug-true-prod", "owasp": "A05:2021", "cwe_ids": ["CWE-489"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348063+00:00", "triaged_in_corpus": 12, "observations_count": 37393, "ai_coder_pattern_id": 17}, "scanner": "repobility-threat-engine", "correlation_key": "fp|23070a309d54e7a55899317a863a983f1c18c40c44bb93647e46dacffa9a0c94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/angular-gettext/angular-gettext-tests.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC123", "level": "none", "message": {"text": "[SEC123] Production stack trace / debug output exposed (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 88946, "scanner": "repobility-threat-engine", "fingerprint": "4c3b2cd34f335829c8b37089d8abf8102b9e3eced04336d2f77ffe021c8e4230", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4c3b2cd34f335829c8b37089d8abf8102b9e3eced04336d2f77ffe021c8e4230"}}}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 88942, "scanner": "repobility-threat-engine", "fingerprint": "293253bbdac798036bab407ee3841d5d2dac0381dbd30cf3093f015ec5dee5dd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|293253bbdac798036bab407ee3841d5d2dac0381dbd30cf3093f015ec5dee5dd", "aggregated_count": 3}}}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 88941, "scanner": "repobility-threat-engine", "fingerprint": "e8872c8464d21efc4116f3ab752f637ba666bd23cf7f7ccd4ebf6835deabcd28", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e8872c8464d21efc4116f3ab752f637ba666bd23cf7f7ccd4ebf6835deabcd28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/creditkey-js/creditkey-js-tests.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 88940, "scanner": "repobility-threat-engine", "fingerprint": "4d372e70e147c76e494d4fa640dbf340a5928368018c9088f40cd54caa9904eb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4d372e70e147c76e494d4fa640dbf340a5928368018c9088f40cd54caa9904eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/cordova-plugin-email-composer/cordova-plugin-email-composer-tests.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 88939, "scanner": "repobility-threat-engine", "fingerprint": "1b6e329d9efd704789465dd5ef9f84f6e6055165f47f18a1d3b1334db9c0a02b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1b6e329d9efd704789465dd5ef9f84f6e6055165f47f18a1d3b1334db9c0a02b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/angular-formly/angular-formly-tests.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 88938, "scanner": "repobility-threat-engine", "fingerprint": "2eaab8f590234775531b0af5c0b5d781dabb04b06006b4e2a5ef6e77992ce9f7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2eaab8f590234775531b0af5c0b5d781dabb04b06006b4e2a5ef6e77992ce9f7", "aggregated_count": 8}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 88933, "scanner": "repobility-threat-engine", "fingerprint": "c80ff157c0dd4f06d29a253eef2e040bc846fc539581945c90fe13c6ec14dd22", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c80ff157c0dd4f06d29a253eef2e040bc846fc539581945c90fe13c6ec14dd22"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 88929, "scanner": "repobility-threat-engine", "fingerprint": "6f0d696a1d2a676149c10e4722606bbb98d528c62b7b5ee3687ad3deed58cac5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6f0d696a1d2a676149c10e4722606bbb98d528c62b7b5ee3687ad3deed58cac5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/af-utils__react-table/af-utils__react-table-tests.tsx"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 88928, "scanner": "repobility-threat-engine", "fingerprint": "096fa48694b4a1c57a8681774bdde0e3aec078918a387df3612d98523e35afd3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|096fa48694b4a1c57a8681774bdde0e3aec078918a387df3612d98523e35afd3", "aggregated_count": 7}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 88927, "scanner": "repobility-threat-engine", "fingerprint": "0c5ed0ac7f8c4eaebdefac8c3aed92b13ebe666ec28e27ddd9a56f0097a5a02c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0c5ed0ac7f8c4eaebdefac8c3aed92b13ebe666ec28e27ddd9a56f0097a5a02c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/atlassian-connect-js/atlassian-connect-js-tests.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 88926, "scanner": "repobility-threat-engine", "fingerprint": "7b29fd3cd22e7c60f2dba8c4e2a888622cb1067d05b6e2df3f4b031553e1c54a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7b29fd3cd22e7c60f2dba8c4e2a888622cb1067d05b6e2df3f4b031553e1c54a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/angular-meteor/angular-meteor-tests.ts"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 88925, "scanner": "repobility-threat-engine", "fingerprint": "4fb154465b85f03f41cfd2a2c1df7e510f9b85cca882bc09dc612b7a18fa535a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4fb154465b85f03f41cfd2a2c1df7e510f9b85cca882bc09dc612b7a18fa535a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/adal-angular/adal-angular-tests.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 88924, "scanner": "repobility-threat-engine", "fingerprint": "8ec1b8cf62839b71af136001fbbee41b224f5a1dfcd9d590bda929006ddf9312", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8ec1b8cf62839b71af136001fbbee41b224f5a1dfcd9d590bda929006ddf9312"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "properties": {"repobilityId": 88920, "scanner": "repobility-threat-engine", "fingerprint": "66e658aa908d93209562eccc7e123840be761cea4501faa7edb1d5b67800eb93", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 40 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|66e658aa908d93209562eccc7e123840be761cea4501faa7edb1d5b67800eb93", "aggregated_count": 40}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 88919, "scanner": "repobility-threat-engine", "fingerprint": "981f504f7a44f2a937895a3806424f18c7a3a96e4fe133f3400b2f5189231a24", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|981f504f7a44f2a937895a3806424f18c7a3a96e4fe133f3400b2f5189231a24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/amplifier/amplifier-tests.ts"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 88918, "scanner": "repobility-threat-engine", "fingerprint": "b416fb44c3b9a1cc9e7c0c856ae1e168f03e09fca0db19f7b8455e0cd5d35c37", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b416fb44c3b9a1cc9e7c0c856ae1e168f03e09fca0db19f7b8455e0cd5d35c37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/adlib/adlib-tests.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 88917, "scanner": "repobility-threat-engine", "fingerprint": "68cd44ed5e5c1b766016e8e66f7d93f1b0acf9fe9c316bc91394c9951efef0c8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|68cd44ed5e5c1b766016e8e66f7d93f1b0acf9fe9c316bc91394c9951efef0c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/activex-shdocvw/activex-shdocvw-tests.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "properties": {"repobilityId": 88916, "scanner": "repobility-threat-engine", "fingerprint": "72310fc40d8ed75d4e1244f49dd17eb52f266142464f29b203eeac8038b4a329", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 25 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|72310fc40d8ed75d4e1244f49dd17eb52f266142464f29b203eeac8038b4a329", "aggregated_count": 25}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 88915, "scanner": "repobility-threat-engine", "fingerprint": "e7857d22989222f37406e9aa05a98b6cddca87e12e4155480d2c44e5bd39fce1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e7857d22989222f37406e9aa05a98b6cddca87e12e4155480d2c44e5bd39fce1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/angular-resource/angular-resource-tests.ts"}, "region": {"startLine": 222}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 88914, "scanner": "repobility-threat-engine", "fingerprint": "0e4ee9dc65ce0ddf1c199dd3d610a03d25fa01ab1e7b23317509ff7b21f151c3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0e4ee9dc65ce0ddf1c199dd3d610a03d25fa01ab1e7b23317509ff7b21f151c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/alloy/alloy-tests.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 88913, "scanner": "repobility-threat-engine", "fingerprint": "b78e89b188a23d07d1f460a1eda4c4821ee7f23257bbfde514e409d4af2bac4f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b78e89b188a23d07d1f460a1eda4c4821ee7f23257bbfde514e409d4af2bac4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/activex-libreoffice/activex-libreoffice-tests.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 51 more): Same pattern found in 51 additional files. Review if needed."}, "properties": {"repobilityId": 88912, "scanner": "repobility-threat-engine", "fingerprint": "7172016ce8246c517d2350c039c5d0cdb96a634b9400c047fca9510ffa3f0659", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 51 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 51 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7172016ce8246c517d2350c039c5d0cdb96a634b9400c047fca9510ffa3f0659"}}}, {"ruleId": "SEC134", "level": "none", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "properties": {"repobilityId": 88908, "scanner": "repobility-threat-engine", "fingerprint": "3dac6a875fabc632c84e27363587f49ab7ef5df4f1e22b223ca8db733bcb1911", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 24 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 24 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3dac6a875fabc632c84e27363587f49ab7ef5df4f1e22b223ca8db733bcb1911"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 199 more): Same pattern found in 199 additional files. Review if needed."}, "properties": {"repobilityId": 88904, "scanner": "repobility-threat-engine", "fingerprint": "a0ba904fec3f17882d464a5f1596e85c8b386bb56b4e1a66f766d1b482b1f8a3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 199 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a0ba904fec3f17882d464a5f1596e85c8b386bb56b4e1a66f766d1b482b1f8a3", "aggregated_count": 199}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 88903, "scanner": "repobility-threat-engine", "fingerprint": "7a6721ade6de20a0cc750b6e614c34eccee93981ab38a49ef065f3767ee9b211", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7a6721ade6de20a0cc750b6e614c34eccee93981ab38a49ef065f3767ee9b211"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/activex-dao/activex-dao-tests.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 88902, "scanner": "repobility-threat-engine", "fingerprint": "d70f8cd253b02715182ad0a108298deceeb5a18f0cb21dc884ecd4f09d5fe561", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d70f8cd253b02715182ad0a108298deceeb5a18f0cb21dc884ecd4f09d5fe561"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/ace-diff/ace-diff-tests.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 88901, "scanner": "repobility-threat-engine", "fingerprint": "7dc33a72590846f34b129c5d88660da4aa638ab94162bc3d338259a2fd4cc95f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7dc33a72590846f34b129c5d88660da4aa638ab94162bc3d338259a2fd4cc95f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/accepts/accepts-tests.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 88900, "scanner": "repobility-threat-engine", "fingerprint": "bcc4f4ba9d6f1cc01238739180acf67e6d4fb5ebbdd6b73d3d1174f7cc93f498", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|bcc4f4ba9d6f1cc01238739180acf67e6d4fb5ebbdd6b73d3d1174f7cc93f498"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 341 more): Same pattern found in 341 additional files. Review if needed."}, "properties": {"repobilityId": 88893, "scanner": "repobility-threat-engine", "fingerprint": "e373e4be849bef5fc19d388de452dd99a90078f7b03fb0ff256c1a3be57b2630", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 341 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e373e4be849bef5fc19d388de452dd99a90078f7b03fb0ff256c1a3be57b2630", "aggregated_count": 341}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 88892, "scanner": "repobility-threat-engine", "fingerprint": "05421da4a56c1bf47a3e3d02bead838af5a23580e6344aaa30c2d27221e9703d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|05421da4a56c1bf47a3e3d02bead838af5a23580e6344aaa30c2d27221e9703d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/get-suggestions-dir.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 88891, "scanner": "repobility-threat-engine", "fingerprint": "8bd32cb25b5f5df308f258cad39715fd9c5e55983646a3c386900c7ac8ee0d1a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8bd32cb25b5f5df308f258cad39715fd9c5e55983646a3c386900c7ac8ee0d1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/get-ci-matrix.js"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 88890, "scanner": "repobility-threat-engine", "fingerprint": "00f689ff1fa6b501182b2091158ffb5e34343cfe19a0696a2a2854650f47b4f4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|00f689ff1fa6b501182b2091158ffb5e34343cfe19a0696a2a2854650f47b4f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/clean-node-modules.js"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 88889, "scanner": "repobility-threat-engine", "fingerprint": "a0769f34321ccb4a2408866410ff258332c2e3d0c176eda236c0efe5490d0026", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a0769f34321ccb4a2408866410ff258332c2e3d0c176eda236c0efe5490d0026"}}}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /assert has no auth: Express route POST /assert declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 89018, "scanner": "repobility-route-auth", "fingerprint": "d5164792d4b2ffa6921ce1c06f243e09479b21014a8435ebc0418ec44c2d670d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|d5164792d4b2ffa6921ce1c06f243e09479b21014a8435ebc0418ec44c2d670d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/saml2-js/saml2-js-tests.ts"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /login has no auth: Express route POST /login declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 89017, "scanner": "repobility-route-auth", "fingerprint": "3fcd116e1219afb507ab5b8ce8fcb7ab93492af468f98ceb10fc4cae209aeecc", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|3fcd116e1219afb507ab5b8ce8fcb7ab93492af468f98ceb10fc4cae209aeecc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/body-parser/body-parser-tests.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/users has no auth: Express route POST /api/users declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 89016, "scanner": "repobility-route-auth", "fingerprint": "76f1d863661a9b8a1f7ff9047b45cfdb2381c2d63925aa52cc2b5678ccafdb63", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|76f1d863661a9b8a1f7ff9047b45cfdb2381c2d63925aa52cc2b5678ccafdb63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/body-parser/body-parser-tests.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 88983, "scanner": "repobility-threat-engine", "fingerprint": "1dc73efbdd561cb066beebcb1cc61128966b57e7414874f6c3ab94c60830e649", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post(\"/\", (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1dc73efbdd561cb066beebcb1cc61128966b57e7414874f6c3ab94c60830e649"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/express-serve-static-core/v4/express-serve-static-core-tests.ts"}, "region": {"startLine": 134}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 88982, "scanner": "repobility-threat-engine", "fingerprint": "945f52acc0bf0701b0287ce8e7fea8a4f8a32c4688bcf1e8aff5ac829d0cb08a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post(\"/\", (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|945f52acc0bf0701b0287ce8e7fea8a4f8a32c4688bcf1e8aff5ac829d0cb08a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/express-serve-static-core/express-serve-static-core-tests.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 88981, "scanner": "repobility-threat-engine", "fingerprint": "ee963258d6e4390b95a7c64449a13f93b4b2db5d1429633fc9824d30dc32f489", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post(\"/process\", (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ee963258d6e4390b95a7c64449a13f93b4b2db5d1429633fc9824d30dc32f489"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/csurf/csurf-tests.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 88978, "scanner": "repobility-threat-engine", "fingerprint": "b17264f198086b289a1f069185993d9e1a486eaa8890563f24caf917d1f6d855", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(arg", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b17264f198086b289a1f069185993d9e1a486eaa8890563f24caf917d1f6d855"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/dashdash/dashdash-tests.ts"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 88977, "scanner": "repobility-threat-engine", "fingerprint": "71a9a286a2ccd09d2c13411eb6edee5c202dc8b4582149bdef2c0206f6513813", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(null", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|71a9a286a2ccd09d2c13411eb6edee5c202dc8b4582149bdef2c0206f6513813"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/cordova/cordova-tests.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 88976, "scanner": "repobility-threat-engine", "fingerprint": "7fd0ccbe9c4c5370dc6c8cf683c363e6da6e1de6fe326a09200fdf9148471c8d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(function", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7fd0ccbe9c4c5370dc6c8cf683c363e6da6e1de6fe326a09200fdf9148471c8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/browser-harness/browser-harness-tests.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 88962, "scanner": "repobility-threat-engine", "fingerprint": "c053584200bd237a058c75aa432fc968cf7c441516124dd4f3fb40705e60a454", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DomParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c053584200bd237a058c75aa432fc968cf7c441516124dd4f3fb40705e60a454"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/dom-parser/dom-parser-tests.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 88961, "scanner": "repobility-threat-engine", "fingerprint": "4c28ee7924409ac25acac2c80f8c1e27b758d120528e5f33968632e5c4829388", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4c28ee7924409ac25acac2c80f8c1e27b758d120528e5f33968632e5c4829388"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/appletvjs/appletvjs-tests.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC061", "level": "error", "message": {"text": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT)."}, "properties": {"repobilityId": 88953, "scanner": "repobility-threat-engine", "fingerprint": "e695bee03c61b75c189b002f78fa453193c2ff6b565fe8e763b18a1399cff8f6", "category": "secret", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL3NhbXBsZXMuYXV0aDAuY29tLyIsInN1YiI6ImZhY2V", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC061", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|1|token", "duplicate_count": 1, "duplicate_rule_ids": ["SEC061"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["a6458d3d5e3ee3d7e30b0eb7dfeb5ca7382bf6b12c83dce7c57c459082fa4796", "e695bee03c61b75c189b002f78fa453193c2ff6b565fe8e763b18a1399cff8f6"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/angular-jwt/angular-jwt-tests.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 88937, "scanner": "repobility-threat-engine", "fingerprint": "4939b6da51de0ba11d7108a55fc185bae4fdc3b791f6efaeca00d689aaedc0a8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4939b6da51de0ba11d7108a55fc185bae4fdc3b791f6efaeca00d689aaedc0a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/arc4/arc4-tests.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 88936, "scanner": "repobility-threat-engine", "fingerprint": "0708dc5247408b245febcd582fe12bec2f3f9a8a90fa90a9dc3bfd70f02a54e1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0708dc5247408b245febcd582fe12bec2f3f9a8a90fa90a9dc3bfd70f02a54e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/arangodb/arangodb-tests.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 88935, "scanner": "repobility-threat-engine", "fingerprint": "dacf60e887258d12ea4040ea0f1deab999f34d9f3f6260ef60d370b81aa03e0a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dacf60e887258d12ea4040ea0f1deab999f34d9f3f6260ef60d370b81aa03e0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/ali-oss/ali-oss-tests.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 88923, "scanner": "repobility-threat-engine", "fingerprint": "1a1f016781d9bc43047a8427d45fab25a34e59c6e365654409f1fc07950a30f7", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.log(`acquired fail open lock with fencing token ${lock.fencingToken}`)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|4|console.log acquired fail open lock with fencing token lock.fencingtoken"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/dynamodb-lock-client/dynamodb-lock-client-tests.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 88922, "scanner": "repobility-threat-engine", "fingerprint": "a42906b46f2a7b427219045c9fd03c3dc13b9efa54b20b0f829361f702086496", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.log(headers.authorization)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|3|console.log headers.authorization"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/autocannon/autocannon-tests.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 88921, "scanner": "repobility-threat-engine", "fingerprint": "13892bf060181e96522b0c77ce475eb68590a3803c82659d8aeccfd02781647e", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.log(\"Making request with token:\", token)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|1|console.log making request with token: token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/adal-angular/adal-angular-tests.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 88911, "scanner": "repobility-threat-engine", "fingerprint": "fd03484932c2561d9a4ed3f311a83583de5ea5b8b594f2e795bd0f2bbb18126f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "file2.Delete();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fd03484932c2561d9a4ed3f311a83583de5ea5b8b594f2e795bd0f2bbb18126f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/activex-scripting/activex-scripting-tests.ts"}, "region": {"startLine": 324}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 88910, "scanner": "repobility-threat-engine", "fingerprint": "78cc9cd81df367849c5a2e6ae8e98309c4bbf124361a3c27031fcdb1cf747695", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "doc.save(\"saved.xml\");", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|78cc9cd81df367849c5a2e6ae8e98309c4bbf124361a3c27031fcdb1cf747695"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/activex-msxml2/activex-msxml2-tests.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 88909, "scanner": "repobility-threat-engine", "fingerprint": "f94378f8bb9f3505ffedcb812dd8ce968fa2769e1df5fd64307a5ba5c0e25686", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "rstShippers.Update();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f94378f8bb9f3505ffedcb812dd8ce968fa2769e1df5fd64307a5ba5c0e25686"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/activex-dao/activex-dao-tests.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 88896, "scanner": "repobility-threat-engine", "fingerprint": "66aadee26c8a67028c06e12e87656a21c7e8aa3cccaddb7c1b97ebcdb674d605", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".html(`${start.format(\"MMMM D, YYYY\")} - ${end.format(\"MMMM D, YYYY\")}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|66aadee26c8a67028c06e12e87656a21c7e8aa3cccaddb7c1b97ebcdb674d605"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/daterangepicker/daterangepicker-tests.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 88895, "scanner": "repobility-threat-engine", "fingerprint": "1665a639282d9af7b1e95cd82db1b562b79375a5cdfaa36cc97e850584630f85", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(({ name, value }) => `name=${value}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1665a639282d9af7b1e95cd82db1b562b79375a5cdfaa36cc97e850584630f85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/aria-query/aria-query-tests.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 88894, "scanner": "repobility-threat-engine", "fingerprint": "8d7f786368bdcf145c7e1722c0956d2b91af4c8570239b24a811c82fc3acd861", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((user, i) => `u${i}: user(login: \"${user}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8d7f786368bdcf145c7e1722c0956d2b91af4c8570239b24a811c82fc3acd861"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ghostbuster.js"}, "region": {"startLine": 100}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 88888, "scanner": "repobility-threat-engine", "fingerprint": "7344ea6bf7602e984fbafaa3796c9fe880664023474fdbc89079d9c4bcc7a6c2", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7344ea6bf7602e984fbafaa3796c9fe880664023474fdbc89079d9c4bcc7a6c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/alks-node/alks-node-tests.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 88887, "scanner": "repobility-threat-engine", "fingerprint": "b1f5255bf31e8fcf8b76e8162a314e3915788ad93ffecb204100e07eb3616fdc", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b1f5255bf31e8fcf8b76e8162a314e3915788ad93ffecb204100e07eb3616fdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ghostbuster.js"}, "region": {"startLine": 165}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 88886, "scanner": "repobility-threat-engine", "fingerprint": "2786a29aedaa0600e43b0854dc59e869aa96855b419634ce485c83415a2cf261", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2786a29aedaa0600e43b0854dc59e869aa96855b419634ce485c83415a2cf261"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/clean-node-modules.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC001", "level": "error", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 88973, "scanner": "repobility-threat-engine", "fingerprint": "0280666ebfa73b05435e661357e7f8cee97e717554c080f31a81264301969dbc", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (3.8 bits) \u2014 likely real secret", "evidence": {"match": "Password = \"<redacted> have a really great password.\"", "reason": "High entropy value (3.8 bits) \u2014 likely real secret", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|token|1|password redacted have a really great password."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/credential/credential-tests.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 88968, "scanner": "repobility-threat-engine", "fingerprint": "98a53d544337757c7bd87b889128923ac356da147e63eea7d72d6fbe51ceecab", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(util", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|98a53d544337757c7bd87b889128923ac356da147e63eea7d72d6fbe51ceecab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/fbemitter/fbemitter-tests.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 88967, "scanner": "repobility-threat-engine", "fingerprint": "df2a3372fcc90005e43b2f3e38c0fff897a4c059e00c09ad376ad03661746114", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(SOURCE", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|df2a3372fcc90005e43b2f3e38c0fff897a4c059e00c09ad376ad03661746114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/babel-template/babel-template-tests.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 88959, "scanner": "repobility-threat-engine", "fingerprint": "9196c20fcb1586835b83e4f0e8fe19fccd36c03fcfab7864f3d470345171983b", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9196c20fcb1586835b83e4f0e8fe19fccd36c03fcfab7864f3d470345171983b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/camo/camo-tests.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 88958, "scanner": "repobility-threat-engine", "fingerprint": "c6a389a8869741e2c1624ae096493b87e582b2edb2e876c1c834cd25406ab24a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c6a389a8869741e2c1624ae096493b87e582b2edb2e876c1c834cd25406ab24a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/any-db/any-db-tests.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 88957, "scanner": "repobility-threat-engine", "fingerprint": "749179b5a709b0f1821329dff204ae561fdc7e624eec2d31dd46d651db7b8979", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|749179b5a709b0f1821329dff204ae561fdc7e624eec2d31dd46d651db7b8979"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/any-db-transaction/any-db-transaction-tests.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 88956, "scanner": "repobility-threat-engine", "fingerprint": "d1f020a73bed2f10359cab485fb82ff8e5ae3335f601827500da0a4916ba8303", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "mongodb://user:password@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|types/camo/camo-tests.ts|1|mongodb://user:password"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/camo/camo-tests.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 88934, "scanner": "repobility-threat-engine", "fingerprint": "b39d166bf8c6337e3f275b5aa5a61367f7ba4feac569c84431f11277080a4804", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b39d166bf8c6337e3f275b5aa5a61367f7ba4feac569c84431f11277080a4804"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "types/algebra.js/algebra.js-tests.ts"}, "region": {"startLine": 69}}}]}]}]}