{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "SEC014", "name": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.", "shortDescription": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "fullDescription": {"text": "Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC038", "name": "[SEC038] HTTP Request Smuggling Risk \u2014 TE/CL mismatch: HTTP Request Smuggling (HRS) abuses parser disagreement between f", "shortDescription": {"text": "[SEC038] HTTP Request Smuggling Risk \u2014 TE/CL mismatch: HTTP Request Smuggling (HRS) abuses parser disagreement between front-end and back-end servers about request boundaries when Transfer-Encoding and Content-Length both present. Attackers"}, "fullDescription": {"text": "Don't set Transfer-Encoding manually \u2014 let the framework set it. If you must:\n  1. Only set ONE of Transfer-Encoding or Content-Length per response.\n  2. Reject incoming requests with both headers (RFC 7230 \u00a73.3.3 #3).\n  3. Use a battle-tested HTTP server (nginx, envoy) as front-end; never accept raw HTTP over the network.\n  4. 
For chunked-encoding handling, use the framework's built-in parser rather than rolling your own."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/408"}, "properties": {"repository": "psf/requests", "repoUrl": "https://github.com/psf/requests.git", "branch": "main"}, "results": [{"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 16303, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Django"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "SEC014", "level": "warning", "message": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "properties": {"repobilityId": 16302, "scanner": "repobility-threat-engine", "fingerprint": "98d2bd7289cf0996785cb6863d0cb23f85c9e084d524681b9ab8e1e9c4216129", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "CERT_NONE", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC014", 
"scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|src/requests/adapters.py|99|sec014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/requests/adapters.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 22475, "scanner": "repobility-threat-engine", "fingerprint": "29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc"}}}, {"ruleId": "SEC038", "level": "error", "message": {"text": "[SEC038] HTTP Request Smuggling Risk \u2014 TE/CL mismatch: HTTP Request Smuggling (HRS) abuses parser disagreement between front-end and back-end servers about request boundaries when Transfer-Encoding and Content-Length both present. Attackers smuggle a second request, stealing other users' responses or bypassing auth. CWE-444. 
Real CVEs: CVE-2019-16276 (Go net/http), CVE-2020-10719 (Undertow), CVE-2022-24735 (Redis-7), Cloudflare/Akamai/Varnish disclosures."}, "properties": {"repobilityId": 23188, "scanner": "repobility-threat-engine", "fingerprint": "c25e7c4b6e630914605499a8b24005ae0900a5eb895105115344b66bdcf56a4a", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "headers[\"Transfer-Encoding\"] =", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC038", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|src/requests/models.py|628|sec038"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/requests/models.py"}, "region": {"startLine": 628}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 22474, "scanner": "repobility-threat-engine", "fingerprint": "63deaba68a6aa4cf6fd2bc8e70595d879dfdf8298ab294764457cd114f30225d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|63deaba68a6aa4cf6fd2bc8e70595d879dfdf8298ab294764457cd114f30225d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/requests/cookies.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 22473, "scanner": "repobility-threat-engine", "fingerprint": "fc9d3483d529ffeb4a5f7525bf0482c6e13d12aca2f1e482bc4673d7d088b1c5", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(R", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fc9d3483d529ffeb4a5f7525bf0482c6e13d12aca2f1e482bc4673d7d088b1c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/requests/exceptions.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 22472, "scanner": "repobility-threat-engine", "fingerprint": "f8f2ca5c53276d31d18b3ffa4fea4b423d6b3644aa361e85e397b510aae3ab20", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f8f2ca5c53276d31d18b3ffa4fea4b423d6b3644aa361e85e397b510aae3ab20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/requests/adapters.py"}, "region": {"startLine": 284}}}]}]}]}