{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /X-"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /X-Real-Ip."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 19.6% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 19.6% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 19.6% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-w5hq-g745-h8pq", "name": "uuid: GHSA-w5hq-g745-h8pq", "shortDescription": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "fullDescription": {"text": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xcj9-5m2h-648r", "name": "mermaid: GHSA-xcj9-5m2h-648r", "shortDescription": {"text": "mermaid: GHSA-xcj9-5m2h-648r"}, "fullDescription": {"text": "Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ghcm-xqfw-q4vr", "name": "mermaid: GHSA-ghcm-xqfw-q4vr", "shortDescription": {"text": "mermaid: GHSA-ghcm-xqfw-q4vr"}, "fullDescription": {"text": "Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-87f9-hvmw-gh4p", "name": "mermaid: GHSA-87f9-hvmw-gh4p", "shortDescription": {"text": "mermaid: GHSA-87f9-hvmw-gh4p"}, "fullDescription": {"text": "Mermaid: Improper sanitization of configuration leads to CSS injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6m6c-36f7-fhxh", "name": "mermaid: GHSA-6m6c-36f7-fhxh", "shortDescription": {"text": "mermaid: GHSA-6m6c-36f7-fhxh"}, "fullDescription": {"text": "Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Database exports and local database files can contain production data, credentials, or large binary payloads that slow Docker builds and can be copied into images by broad COPY instructions."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n  const u = new URL(serverUrl, location.href);\n  if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n  location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "GHSA-q7pp-wcgr-pffx", "name": "github.com/disintegration/imaging: GHSA-q7pp-wcgr-pffx", "shortDescription": {"text": "github.com/disintegration/imaging: GHSA-q7pp-wcgr-pffx"}, "fullDescription": {"text": "Crash when processing crafted TIFF files"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `terser` is minor version(s) behind (^5.47.1 -> 5.48.0)", "shortDescription": {"text": "npm package `terser` is minor version(s) behind (^5.47.1 -> 5.48.0)"}, "fullDescription": {"text": "`terser` is pinned/resolved at ^5.47.1 but the latest stable release on the npm registry is 5.48.0 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "low", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 17 more): Same pattern found in 17 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored (and 12 more): Same pattern found in 12 additional files. Review if needed.", "shortDescription": {"text": "[MINED016] Go Error Ignored (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED033", "name": "[MINED033] Go Recover Without Log (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED033] Go Recover Without Log (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 26 more): Same pattern found in 26 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED071] Go Panic Call (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /attachments/:uid/:filename."}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /attachments/:uid/:filename."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "GO-2026-5039", "name": "stdlib: GO-2026-5039", "shortDescription": {"text": "stdlib: GO-2026-5039"}, "fullDescription": {"text": "Arbitrary inputs are included in errors without any escaping in net/textproto"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5038", "name": "stdlib: GO-2026-5038", "shortDescription": {"text": "stdlib: GO-2026-5038"}, "fullDescription": {"text": "Quadratic complexity in WordDecoder.DecodeHeader in mime"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5037", "name": "stdlib: GO-2026-5037", "shortDescription": {"text": "stdlib: GO-2026-5037"}, "fullDescription": {"text": "Inefficient candidate hostname parsing in crypto/x509"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4986", "name": "stdlib: GO-2026-4986", "shortDescription": {"text": "stdlib: GO-2026-4986"}, "fullDescription": {"text": "Quadratic string concatentation in consumeComment in net/mail"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4982", "name": "stdlib: GO-2026-4982", "shortDescription": {"text": "stdlib: GO-2026-4982"}, "fullDescription": {"text": "Bypass of meta content URL escaping causes XSS in html/template"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4981", "name": "stdlib: GO-2026-4981", "shortDescription": {"text": "stdlib: GO-2026-4981"}, "fullDescription": {"text": "Crash when handling long CNAME response in net"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4980", "name": "stdlib: GO-2026-4980", "shortDescription": {"text": "stdlib: GO-2026-4980"}, "fullDescription": {"text": "Escaper bypass leads to XSS in html/template"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4977", "name": "stdlib: GO-2026-4977", "shortDescription": {"text": "stdlib: GO-2026-4977"}, "fullDescription": {"text": "Quadratic string concatenation in consumePhrase in net/mail"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4976", "name": "stdlib: GO-2026-4976", "shortDescription": {"text": "stdlib: GO-2026-4976"}, "fullDescription": {"text": "ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4971", "name": "stdlib: GO-2026-4971", "shortDescription": {"text": "stdlib: GO-2026-4971"}, "fullDescription": {"text": "Panic in Dial and LookupPort when handling NUL byte on Windows in net"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4918", "name": "stdlib: GO-2026-4918", "shortDescription": {"text": "stdlib: GO-2026-4918"}, "fullDescription": {"text": "Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5024", "name": "golang.org/x/sys: GO-2026-5024", "shortDescription": {"text": "golang.org/x/sys: GO-2026-5024"}, "fullDescription": {"text": "Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5030", "name": "golang.org/x/net: GO-2026-5030", "shortDescription": {"text": "golang.org/x/net: GO-2026-5030"}, "fullDescription": {"text": "Invoking duplicate attributes can cause XSS in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5029", "name": "golang.org/x/net: GO-2026-5029", "shortDescription": {"text": "golang.org/x/net: GO-2026-5029"}, "fullDescription": {"text": "Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5028", "name": "golang.org/x/net: GO-2026-5028", "shortDescription": {"text": "golang.org/x/net: GO-2026-5028"}, "fullDescription": {"text": "Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5027", "name": "golang.org/x/net: GO-2026-5027", "shortDescription": {"text": "golang.org/x/net: GO-2026-5027"}, "fullDescription": {"text": "Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5026", "name": "golang.org/x/net: GO-2026-5026", "shortDescription": {"text": "golang.org/x/net: GO-2026-5026"}, "fullDescription": {"text": "Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5025", "name": "golang.org/x/net: GO-2026-5025", "shortDescription": {"text": "golang.org/x/net: GO-2026-5025"}, "fullDescription": {"text": "Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5032", "name": "golang.org/x/image: GO-2026-5032", "shortDescription": {"text": "golang.org/x/image: GO-2026-5032"}, "fullDescription": {"text": "Excessive resource consumption in PackBits decompression in golang.org/x/image/tiff"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5031", "name": "golang.org/x/image: GO-2026-5031", "shortDescription": {"text": "golang.org/x/image: GO-2026-5031"}, "fullDescription": {"text": "Panic when reading out of bound palette index in golang.org/x/image/bmp"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5033", "name": "golang.org/x/crypto: GO-2026-5033", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5033"}, "fullDescription": {"text": "Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5023", "name": "golang.org/x/crypto: GO-2026-5023", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5023"}, "fullDescription": {"text": "Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5021", "name": "golang.org/x/crypto: GO-2026-5021", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5021"}, "fullDescription": {"text": "Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5020", "name": "golang.org/x/crypto: GO-2026-5020", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5020"}, "fullDescription": {"text": "Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5019", "name": "golang.org/x/crypto: GO-2026-5019", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5019"}, "fullDescription": {"text": "Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5018", "name": "golang.org/x/crypto: GO-2026-5018", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5018"}, "fullDescription": {"text": "Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5017", "name": "golang.org/x/crypto: GO-2026-5017", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5017"}, "fullDescription": {"text": "Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5016", "name": "golang.org/x/crypto: GO-2026-5016", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5016"}, "fullDescription": {"text": "Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5015", "name": "golang.org/x/crypto: GO-2026-5015", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5015"}, "fullDescription": {"text": "Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5014", "name": "golang.org/x/crypto: GO-2026-5014", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5014"}, "fullDescription": {"text": "Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5013", "name": "golang.org/x/crypto: GO-2026-5013", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5013"}, "fullDescription": {"text": "Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5006", "name": "golang.org/x/crypto: GO-2026-5006", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5006"}, "fullDescription": {"text": "Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5005", "name": "golang.org/x/crypto: GO-2026-5005", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5005"}, "fullDescription": {"text": "Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage runs as root", "shortDescription": {"text": "Docker final stage runs as root"}, "fullDescription": {"text": "The final runtime stage explicitly uses root. A compromised app process would have root inside the container."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/download-artifact` pinned to mutable ref `@v7`", "shortDescription": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v7`"}, "fullDescription": {"text": "`uses: actions/download-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `alpine:3.21` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `alpine:3.21` not pinned by digest"}, "fullDescription": {"text": "`FROM alpine:3.21` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/883"}, "properties": {"repository": "usememos/memos", "repoUrl": "https://github.com/usememos/memos", "branch": "main"}, "results": [{"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 81439, "scanner": "repobility-journey-contract", "fingerprint": "34b8227131e5a7ded0c10ce369ece852c11e77223ceaa0d282184b740eb42187", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|web/src/auth-state.ts|112|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/auth-state.ts"}, "region": {"startLine": 112}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 81438, "scanner": "repobility-journey-contract", "fingerprint": "b2dc82858c9129c859a3f03c093010ad3d407a1b92273e24da4d8c3a3b1d4526", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|web/src/auth-state.ts|84|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/auth-state.ts"}, "region": {"startLine": 84}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 81437, "scanner": "repobility-journey-contract", "fingerprint": "65e2a3a320fb4b4599c3445c81a9b7c46d4d9742eb5b243d1beb221eb356583d", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|web/src/auth-state.ts|55|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/auth-state.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /X-Real-Ip."}, "properties": {"repobilityId": 81436, "scanner": "repobility-access-control", "fingerprint": "9fc9fe1ce62cbe6cfd1e238f3ad525935bac0cf953778320d769ca966aab1187", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/X-Real-Ip", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|token|50|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/router/api/v1/connect_interceptors.go"}, "region": {"startLine": 50}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /err."}, "properties": {"repobilityId": 81435, "scanner": "repobility-access-control", "fingerprint": "09edf6c4fe09750fdd877f72ac6e2b3405b278599dd15e205a01490a5d633383", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/err", "method": "ANY", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|token|614|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/router/api/v1/memo_service.go"}, "region": {"startLine": 614}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /user-agent."}, "properties": {"repobilityId": 81434, "scanner": "repobility-access-control", "fingerprint": "4dab7beae9b7ffd3859bb38f09cec349e65fd3bbe6b2cb198c8f235c40fbfaf7", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/user-agent", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|token|622|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/router/api/v1/auth_service.go"}, "region": {"startLine": 622}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /cookie."}, "properties": {"repobilityId": 81433, "scanner": "repobility-access-control", "fingerprint": "0ea32d29f00a8ec570ab51981ae7c6d33a58aa0815af7ae274f3bc3cd32daccf", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/cookie", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|token|415|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/router/api/v1/auth_service.go"}, "region": {"startLine": 415}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Authorization."}, "properties": {"repobilityId": 81432, "scanner": "repobility-access-control", "fingerprint": "99a4eada5767972c94f736a53c2d6c169fddafa3c051e479c5dfbc70c084a09b", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Authorization", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|token|36|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/router/api/v1/sse_handler.go"}, "region": {"startLine": 36}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/v1/sse."}, "properties": {"repobilityId": 81431, "scanner": "repobility-access-control", "fingerprint": "fffc2a60aae823d1ed72b6f1994377466b48010b9dcae67af57f8a50a02c3c53", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/v1/sse", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|token|27|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/router/api/v1/sse_handler.go"}, "region": {"startLine": 27}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Cookie."}, "properties": {"repobilityId": 81430, "scanner": "repobility-access-control", "fingerprint": "5715be406e00db6f2921f3d9a4fb6141b56b5d0ef4386513f0bcf8ee74a3d8d9", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Cookie", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|token|694|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/router/fileserver/fileserver.go"}, "region": {"startLine": 694}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /err."}, "properties": {"repobilityId": 81429, "scanner": "repobility-access-control", "fingerprint": "30d4038220c13a17b97d1bdaa00d816c2fd2a419856c7353b8c55ae7090e9758", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/err", "method": "ANY", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|store/attachment.go|290|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/attachment.go"}, "region": {"startLine": 290}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /err."}, "properties": {"repobilityId": 81428, "scanner": "repobility-access-control", "fingerprint": "694b3f77c6b4447c19391218c2f3f54e1b7eb4153cf578f0ffcadf536a5bbf74", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/err", "method": "ANY", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|store/attachment.go|186|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/attachment.go"}, "region": {"startLine": 186}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /err."}, "properties": {"repobilityId": 81427, "scanner": "repobility-access-control", "fingerprint": "8c78058b2e24b8b44f025636a9648b61cf36d2e94e9867985408233fe2726c50", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/err", "method": "ANY", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|store/attachment.go|145|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/attachment.go"}, "region": {"startLine": 145}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 19.6% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 81425, "scanner": "repobility-access-control", "fingerprint": "eff84b5d5fdd3b0189a2b99506575f5a0d77c300bf0313af6654c330bb2826c5", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 46, "correlation_key": "fp|eff84b5d5fdd3b0189a2b99506575f5a0d77c300bf0313af6654c330bb2826c5", "auth_visible_percent": 19.6}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 81424, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Echo"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 81423, "scanner": "osv-scanner", "fingerprint": "c2cc34c7606ef301fd42a0f4502ecfa56de728ebab721550775c7a23a1f3da42", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": "vuln|uuid|CVE-2026-41907|web/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xcj9-5m2h-648r", "level": "warning", "message": {"text": "mermaid: GHSA-xcj9-5m2h-648r"}, "properties": {"repobilityId": 81422, "scanner": "osv-scanner", "fingerprint": "fa9b997b4efbd4faf06d24b607875b46bfa2fba9ac2210810f06d666b65b7ac3", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41148"], "package": "mermaid", "rule_id": "GHSA-xcj9-5m2h-648r", "scanner": "osv-scanner", "correlation_key": "vuln|mermaid|CVE-2026-41148|web/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ghcm-xqfw-q4vr", "level": "warning", "message": {"text": "mermaid: GHSA-ghcm-xqfw-q4vr"}, "properties": {"repobilityId": 81421, "scanner": "osv-scanner", "fingerprint": "68fa09a5788a5eee72b8747245cf4281d0012a860ea4c6cd3f6459bb62bbe1e1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41149"], "package": "mermaid", "rule_id": "GHSA-ghcm-xqfw-q4vr", "scanner": "osv-scanner", "correlation_key": "vuln|mermaid|CVE-2026-41149|web/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-87f9-hvmw-gh4p", "level": "warning", "message": {"text": "mermaid: GHSA-87f9-hvmw-gh4p"}, "properties": {"repobilityId": 81420, "scanner": "osv-scanner", "fingerprint": "08bc6940e1ff106e9572afccbfeaa5587a4a866b3f025b9b7e468d30d8dd440e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41159"], "package": "mermaid", "rule_id": "GHSA-87f9-hvmw-gh4p", "scanner": "osv-scanner", "correlation_key": "vuln|mermaid|CVE-2026-41159|web/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6m6c-36f7-fhxh", "level": "warning", "message": {"text": "mermaid: GHSA-6m6c-36f7-fhxh"}, "properties": {"repobilityId": 81419, "scanner": "osv-scanner", "fingerprint": "d81934f7be0f7b0a2df31110d218aca36fd9151825f9aa1f8e497c2f38eeee37", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41150"], "package": "mermaid", "rule_id": "GHSA-6m6c-36f7-fhxh", "scanner": "osv-scanner", "correlation_key": "vuln|mermaid|CVE-2026-41150|web/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 81377, "scanner": "repobility-docker", "fingerprint": "946f8dcd75036b3dfda21157e388d9154335f0dd5db495d8bf9e6c1136abc068", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|946f8dcd75036b3dfda21157e388d9154335f0dd5db495d8bf9e6c1136abc068", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 81376, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "store/seed/sqlite/01__dump.sql", "size_mb": 0.0}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030."}, "properties": {"repobilityId": 81371, "scanner": "repobility-threat-engine", "fingerprint": "fd5f18791134781499762371aff8da974513a2e593778f504c87db13ae9578fe", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = authUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fd5f18791134781499762371aff8da974513a2e593778f504c87db13ae9578fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/pages/SignIn.tsx"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030."}, "properties": {"repobilityId": 81370, "scanner": "repobility-threat-engine", "fingerprint": "3b662574ea3a848b025c810235119f7a42ffbc718038592ecf81b565055c96b6", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = authUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3b662574ea3a848b025c810235119f7a42ffbc718038592ecf81b565055c96b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/Settings/LinkedIdentitySection.tsx"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 81366, "scanner": "repobility-threat-engine", "fingerprint": "6691f6b086e6959058770a66c484ac2f043945ac728b8e94962d338fd16b5dac", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|14|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/MemoEditor/utils/deriveDefaultCreateTime.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 81365, "scanner": "repobility-threat-engine", "fingerprint": "8b39cb286894b22744dae3ecc9c0939e47ff9a45c412240ac6dd0c5d39306631", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|23|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/MemoContent/utils.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 81356, "scanner": "repobility-threat-engine", "fingerprint": "02f2c6121fbdb5a28d542e724c3dcda5ef4fc1ba04cae53e48853c4b637e8d00", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(url, \"_blank\", \"noopener,noreferrer\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|145|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/map/LocationPicker.tsx"}, "region": {"startLine": 145}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 81355, "scanner": "repobility-threat-engine", "fingerprint": "38a21b7b7b64730e49afa044e87548dd4bfabaea57cbd44b41bd5a707cd36823", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a className={`text-muted-foreground hover:text-primary ${className}`} href={url} target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|19|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/LearnMore.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 81354, "scanner": "repobility-threat-engine", "fingerprint": "ffb579ffc43661c3c7da897ad9a14987d53075b3c9bd16939b3a01dcc7d4af18", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(attachmentUrl)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|38|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/AttachmentIcon.tsx"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 81341, "scanner": "repobility-threat-engine", "fingerprint": "655b27c71e081b9bbd726c2d629438e157d85984aa9364ac0754c8f1d62080eb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{Handler: s.echoServer}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|655b27c71e081b9bbd726c2d629438e157d85984aa9364ac0754c8f1d62080eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/server.go"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 81339, "scanner": "repobility-threat-engine", "fingerprint": "b6320d8097426a8727c865775bd47f46da9cf1bc7113843deeed92c295ac6613", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".ExtractAll(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|80|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/runner/memopayload/runner.go"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 81338, "scanner": "repobility-threat-engine", "fingerprint": "e2eaaf96993bdb3b5cd2dfccb568cd8ca29ea9b98df582aaa345bc1516f37c7a", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".ExtractAll(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|32|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/router/api/v1/memo_mention_helpers.go"}, "region": {"startLine": 32}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 81310, "scanner": "repobility-agent-runtime", "fingerprint": "12afda0b844e1074195609111422ab570b576d5bd17a175c82538019162ef8d4", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|12afda0b844e1074195609111422ab570b576d5bd17a175c82538019162ef8d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/utils/theme.ts"}, "region": {"startLine": 94}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 81309, "scanner": "repobility-agent-runtime", "fingerprint": "418bd5773a10b16b2e903590fe3010883dde32ec91665ab7da94075e828982b1", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|418bd5773a10b16b2e903590fe3010883dde32ec91665ab7da94075e828982b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/utils/i18n.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 81308, "scanner": "repobility-agent-runtime", "fingerprint": "29894ea1b6c0f1d8891cde9a8e453d0ce119f867636f0847635d4312853d5925", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|29894ea1b6c0f1d8891cde9a8e453d0ce119f867636f0847635d4312853d5925"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/hooks/useLocalStorage.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 81307, "scanner": "repobility-agent-runtime", "fingerprint": "c7938c73a6cf419ccf2688de2ccb6e0311aa15a5e515cfedba869fe2120c6cad", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|c7938c73a6cf419ccf2688de2ccb6e0311aa15a5e515cfedba869fe2120c6cad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 69}}}]}, {"ruleId": "GHSA-q7pp-wcgr-pffx", "level": "note", "message": {"text": "github.com/disintegration/imaging: GHSA-q7pp-wcgr-pffx"}, "properties": {"repobilityId": 81385, "scanner": "osv-scanner", "fingerprint": "829e7f8129a1c711c33038fc9be58fb66d78b6c2cb915948786293574bc17ce5", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-36308"], "package": "github.com/disintegration/imaging", "rule_id": "GHSA-q7pp-wcgr-pffx", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2023-36308|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 81381, "scanner": "repobility-docker", "fingerprint": "41b6b858d8805dcc02a9a07564b5b68a6ceb2a22ca433c47659b2626927d6e42", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "memos", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|41b6b858d8805dcc02a9a07564b5b68a6ceb2a22ca433c47659b2626927d6e42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 81380, "scanner": "repobility-docker", "fingerprint": "74ed7688c510e278e7ba469a400f0e0a0c3bb1e2309546e497542a2b3beb03c5", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "memos", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|74ed7688c510e278e7ba469a400f0e0a0c3bb1e2309546e497542a2b3beb03c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 81379, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 81346, "scanner": "repobility-threat-engine", "fingerprint": "dea8dc895efd9f85e3ea99b4ed272f798abc88ae9eaea5910be42a364c92ddd9", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = i", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|web/src/app.tsx|34|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/App.tsx"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 81340, "scanner": "repobility-threat-engine", "fingerprint": "16416ed5d1ab8db194eb1d0cfdd380b902475d6974e0d2118bbce6265ef281f4", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Sitemap: \" + instanceURL + \"/sitemap.xml\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|16416ed5d1ab8db194eb1d0cfdd380b902475d6974e0d2118bbce6265ef281f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/router/frontend/frontend.go"}, "region": {"startLine": 138}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 81323, "scanner": "repobility-threat-engine", "fingerprint": "bb574d38474f07d345aed4ed4f3b5df43f21c9b2625f407971ef13d10ac8b3e1", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = listener.Close(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bb574d38474f07d345aed4ed4f3b5df43f21c9b2625f407971ef13d10ac8b3e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/server.go"}, "region": {"startLine": 110}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 81322, "scanner": "repobility-threat-engine", "fingerprint": "43e0dd8e1471b9dd054af77a9b751d9daeed4b04af5edd0ec259ebfb223a2c05", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = g.Wait(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|43e0dd8e1471b9dd054af77a9b751d9daeed4b04af5edd0ec259ebfb223a2c05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/router/api/v1/instance_stats.go"}, "region": {"startLine": 120}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 81321, "scanner": "repobility-threat-engine", "fingerprint": "bcc82fd3deb8681cd5eaad593687be3811b97f4713f0901243692d9105a2fe74", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = binary.Write(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bcc82fd3deb8681cd5eaad593687be3811b97f4713f0901243692d9105a2fe74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/ai/audio/webm.go"}, "region": {"startLine": 144}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `terser` is minor version(s) behind (^5.47.1 -> 5.48.0)"}, "properties": {"repobilityId": 81306, "scanner": "repobility-dependency-currency", "fingerprint": "39ef8a4bc032c1321dc6ac2331bee6b9d2994a2112fdb705712df9d9afd5b91a", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "terser", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.48.0", "correlation_key": "fp|39ef8a4bc032c1321dc6ac2331bee6b9d2994a2112fdb705712df9d9afd5b91a", "current_version": "^5.47.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `tailwind-merge` is minor version(s) behind (^3.5.0 -> 3.6.0)"}, "properties": {"repobilityId": 81300, "scanner": "repobility-dependency-currency", "fingerprint": "c836ca764924a0ddf11a5349a681cc3e809774ebedf3358f65415bd23f33f607", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tailwind-merge", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.6.0", "correlation_key": "fp|c836ca764924a0ddf11a5349a681cc3e809774ebedf3358f65415bd23f33f607", "current_version": "^3.5.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `mermaid` is minor version(s) behind (^11.14.0 -> 11.15.0)"}, "properties": {"repobilityId": 81299, "scanner": "repobility-dependency-currency", "fingerprint": "d62ac59510277ce065722fa52ed1e5f8f83867b2a1db2c420a242201ad0b47d6", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "mermaid", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "11.15.0", "correlation_key": "fp|d62ac59510277ce065722fa52ed1e5f8f83867b2a1db2c420a242201ad0b47d6", "current_version": "^11.14.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `katex` is minor version(s) behind (^0.16.45 -> 0.17.0)"}, "properties": {"repobilityId": 81298, "scanner": "repobility-dependency-currency", "fingerprint": "663350f0b53940085bead66597ae80a373f4617cfa45ba66d9f3828f163b474d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "katex", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.17.0", "correlation_key": "fp|663350f0b53940085bead66597ae80a373f4617cfa45ba66d9f3828f163b474d", "current_version": "^0.16.45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `fuse.js` is minor version(s) behind (^7.3.0 -> 7.4.1)"}, "properties": {"repobilityId": 81297, "scanner": "repobility-dependency-currency", "fingerprint": "f76240e93694af87a84296b760a1ac675891ccbe4ed023305bba4e3288c270e0", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "fuse.js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.4.1", "correlation_key": "fp|f76240e93694af87a84296b760a1ac675891ccbe4ed023305bba4e3288c270e0", "current_version": "^7.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@tanstack/react-query-devtools` is minor version(s) behind (^5.100.9 -> 5.101.0)"}, "properties": {"repobilityId": 81295, "scanner": "repobility-dependency-currency", "fingerprint": "8181c876dfb5a49c3d1efe75242fb7f3935c41705635cb55a955832e71bde523", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tanstack/react-query-devtools", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.101.0", "correlation_key": "fp|8181c876dfb5a49c3d1efe75242fb7f3935c41705635cb55a955832e71bde523", "current_version": "^5.100.9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@tanstack/react-query` is minor version(s) behind (^5.100.9 -> 5.101.0)"}, "properties": {"repobilityId": 81294, "scanner": "repobility-dependency-currency", "fingerprint": "91e71830f135976c17fc5867066a4cbf884959a62afb64f731c4b6b228e20888", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tanstack/react-query", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.101.0", "correlation_key": "fp|91e71830f135976c17fc5867066a4cbf884959a62afb64f731c4b6b228e20888", "current_version": "^5.100.9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81267, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1cba0d3230cb3d1fcc243a26794fab86e2f9cc06281963b857dd86369140e7ed", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/postgres/memo_share.go", "duplicate_line": 66, "correlation_key": "fp|1cba0d3230cb3d1fcc243a26794fab86e2f9cc06281963b857dd86369140e7ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/sqlite/memo_share.go"}, "region": {"startLine": 68}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81266, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b75e8a0079cbe2637bc9725524ab0602e4c64c03b4df174829865c6a05ce8c18", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/mysql/memo_share.go", "duplicate_line": 35, "correlation_key": "fp|b75e8a0079cbe2637bc9725524ab0602e4c64c03b4df174829865c6a05ce8c18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/sqlite/memo_share.go"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81265, "scanner": "repobility-ai-code-hygiene", "fingerprint": "758bf7df6671e30b58311b5cf65326fcaab64a8ed9145d4109450fa1c9ea41f3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/mysql/memo_relation.go", "duplicate_line": 86, "correlation_key": "fp|758bf7df6671e30b58311b5cf65326fcaab64a8ed9145d4109450fa1c9ea41f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/sqlite/memo_relation.go"}, "region": {"startLine": 98}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81264, "scanner": "repobility-ai-code-hygiene", "fingerprint": "813a01d8ee27038683b8fe7edb534844b5c63081f2265f8ff80dc30c330f8d61", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/postgres/memo_relation.go", "duplicate_line": 2, "correlation_key": "fp|813a01d8ee27038683b8fe7edb534844b5c63081f2265f8ff80dc30c330f8d61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/sqlite/memo_relation.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81263, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ccf8704f6ca520490e65978deb0ed0e571b90d9573c3bf32da49ccd55e47053a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/postgres/memo.go", "duplicate_line": 32, "correlation_key": "fp|ccf8704f6ca520490e65978deb0ed0e571b90d9573c3bf32da49ccd55e47053a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/sqlite/memo.go"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81262, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c96eba8eb9ab69f703ff4d0904d186ec89f7a475b67fb5c897a1582288c6762b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/mysql/memo.go", "duplicate_line": 2, "correlation_key": "fp|c96eba8eb9ab69f703ff4d0904d186ec89f7a475b67fb5c897a1582288c6762b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/sqlite/memo.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81261, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a59672d66e8dca4d61cced9403b0e177a57a2d8d3d79ac645d4e0393a2294354", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/mysql/instance_setting.go", "duplicate_line": 29, "correlation_key": "fp|a59672d66e8dca4d61cced9403b0e177a57a2d8d3d79ac645d4e0393a2294354"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/sqlite/instance_setting.go"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81260, "scanner": "repobility-ai-code-hygiene", "fingerprint": "17e940bff5c84a50d108a9db569e81d52be0e6e87786746fa8cfe87c558c44e8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/postgres/instance_setting.go", "duplicate_line": 13, "correlation_key": "fp|17e940bff5c84a50d108a9db569e81d52be0e6e87786746fa8cfe87c558c44e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/sqlite/instance_setting.go"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81259, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0a6267017bd959e31aa1c34e330e8cdb9660878cb4e4cc618000962d8879bfc6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/postgres/inbox.go", "duplicate_line": 104, "correlation_key": "fp|0a6267017bd959e31aa1c34e330e8cdb9660878cb4e4cc618000962d8879bfc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/sqlite/inbox.go"}, "region": {"startLine": 95}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81258, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c00398ed479112e36299c76b4f942b9942ac94298b7a348e41df891b4e530ec5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/mysql/inbox.go", "duplicate_line": 2, "correlation_key": "fp|c00398ed479112e36299c76b4f942b9942ac94298b7a348e41df891b4e530ec5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/sqlite/inbox.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81257, "scanner": "repobility-ai-code-hygiene", "fingerprint": "735b7c852a10ee23b2aafd71cb4fb9ed12fcafa463d339608a4e321b3723239c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/mysql/idp.go", "duplicate_line": 34, "correlation_key": "fp|735b7c852a10ee23b2aafd71cb4fb9ed12fcafa463d339608a4e321b3723239c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/sqlite/idp.go"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81256, "scanner": "repobility-ai-code-hygiene", "fingerprint": "58ebc4368374d2ee4461a7f1d0655e424f1c3836f97576b4f520396fe0e21f2f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/postgres/idp.go", "duplicate_line": 25, "correlation_key": "fp|58ebc4368374d2ee4461a7f1d0655e424f1c3836f97576b4f520396fe0e21f2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/sqlite/idp.go"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81255, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c99f21a082a906efedafa6ed36b0ea21580319d7c23cffdb3305d5d43a0f8df4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/postgres/attachment.go", "duplicate_line": 146, "correlation_key": "fp|c99f21a082a906efedafa6ed36b0ea21580319d7c23cffdb3305d5d43a0f8df4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/sqlite/attachment.go"}, "region": {"startLine": 145}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81254, "scanner": "repobility-ai-code-hygiene", "fingerprint": "264bae0b6c8f196566b587d14303820dc77471cf7270666c2d5e8e4e979e4b2f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/mysql/attachment.go", "duplicate_line": 2, "correlation_key": "fp|264bae0b6c8f196566b587d14303820dc77471cf7270666c2d5e8e4e979e4b2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/sqlite/attachment.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81253, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d1130cafd92d8ab0cb4a3f9eea0f997a2d22541b1183e1c9f68dc48ce5d3df38", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/mysql/user_setting.go", "duplicate_line": 25, "correlation_key": "fp|d1130cafd92d8ab0cb4a3f9eea0f997a2d22541b1183e1c9f68dc48ce5d3df38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/postgres/user_setting.go"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81252, "scanner": "repobility-ai-code-hygiene", "fingerprint": "192bd64614186cc7bcdf1f05893b36cf4bf16a6abcbefe32c82a204dd4a54541", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/mysql/user_identity.go", "duplicate_line": 41, "correlation_key": "fp|192bd64614186cc7bcdf1f05893b36cf4bf16a6abcbefe32c82a204dd4a54541"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/postgres/user_identity.go"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81251, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ee3fdb3f0ee41260d57130464c6531290349dfc3704596a52c2d79f005dd9372", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/mysql/user_delete.go", "duplicate_line": 2, "correlation_key": "fp|ee3fdb3f0ee41260d57130464c6531290349dfc3704596a52c2d79f005dd9372"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/postgres/user_delete.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81250, "scanner": "repobility-ai-code-hygiene", "fingerprint": "32abef074b6ed25f07b49944e94eb9d240cc46dbd4ae9240e432610b04c73b95", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/mysql/user.go", "duplicate_line": 146, "correlation_key": "fp|32abef074b6ed25f07b49944e94eb9d240cc46dbd4ae9240e432610b04c73b95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/postgres/user.go"}, "region": {"startLine": 62}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81249, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5a40f19c18df01161d374af0648c73c8323558f264cda2625625a54c32fd65b9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/mysql/reaction.go", "duplicate_line": 54, "correlation_key": "fp|5a40f19c18df01161d374af0648c73c8323558f264cda2625625a54c32fd65b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/postgres/reaction.go"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81248, "scanner": "repobility-ai-code-hygiene", "fingerprint": "573c113d97d22cd7b3cba4f0eb0ac2cfc31d1f9809d3102706c9f487229bb35d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/mysql/memo_share.go", "duplicate_line": 49, "correlation_key": "fp|573c113d97d22cd7b3cba4f0eb0ac2cfc31d1f9809d3102706c9f487229bb35d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/postgres/memo_share.go"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81247, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1d38ab3d86a19a7520f58fedaf7f41abc4b6b7fdabb8e1229fcd4d9b15a0c425", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/mysql/memo_relation.go", "duplicate_line": 86, "correlation_key": "fp|1d38ab3d86a19a7520f58fedaf7f41abc4b6b7fdabb8e1229fcd4d9b15a0c425"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/postgres/memo_relation.go"}, "region": {"startLine": 113}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81246, "scanner": "repobility-ai-code-hygiene", "fingerprint": "56b2614ecfe7c7f772679d1e5dd21b69b1dbca75cea6d4b6893df583ec5aa039", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/mysql/memo.go", "duplicate_line": 141, "correlation_key": "fp|56b2614ecfe7c7f772679d1e5dd21b69b1dbca75cea6d4b6893df583ec5aa039"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/postgres/memo.go"}, "region": {"startLine": 126}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81245, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1bdd7ba0be36d4d9d8c495022545cdaf05cfe9cd047c0b0aca02fa86d0722531", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/mysql/instance_setting.go", "duplicate_line": 29, "correlation_key": "fp|1bdd7ba0be36d4d9d8c495022545cdaf05cfe9cd047c0b0aca02fa86d0722531"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/postgres/instance_setting.go"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81244, "scanner": "repobility-ai-code-hygiene", "fingerprint": "afea0b6542fc390465187fcbf486a86144321259a53b9c65ef80997012171abb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/mysql/inbox.go", "duplicate_line": 2, "correlation_key": "fp|afea0b6542fc390465187fcbf486a86144321259a53b9c65ef80997012171abb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/postgres/inbox.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81243, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4548edfd1e01bcd14ae95823c36ea9c4fb18077c1d2e47114bafda8d913df1bf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/mysql/idp.go", "duplicate_line": 34, "correlation_key": "fp|4548edfd1e01bcd14ae95823c36ea9c4fb18077c1d2e47114bafda8d913df1bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/postgres/idp.go"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81242, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1c08e921b79f6d8afed7fec6636770cb4e2dec0c7c9144bcf5bd911bb2ca3d6c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "store/db/mysql/attachment.go", "duplicate_line": 2, "correlation_key": "fp|1c08e921b79f6d8afed7fec6636770cb4e2dec0c7c9144bcf5bd911bb2ca3d6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/db/postgres/attachment.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81241, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c6bd689246e7535cb55f53fc0aa92b33c75962089cdf2f1a70ea2c831b637708", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/router/api/v1/attachment_service.go", "duplicate_line": 554, "correlation_key": "fp|c6bd689246e7535cb55f53fc0aa92b33c75962089cdf2f1a70ea2c831b637708"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/router/api/v1/shortcut_service.go"}, "region": {"startLine": 300}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81240, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b10bff344f41a7bdccb812ebaee6a1e913fa5ee5fbfad91b5c2855ae449fb892", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/router/api/v1/memo_attachment_service.go", "duplicate_line": 177, "correlation_key": "fp|b10bff344f41a7bdccb812ebaee6a1e913fa5ee5fbfad91b5c2855ae449fb892"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/router/api/v1/reaction_service.go"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81239, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f04b089d073a54e3ff76aaa7d6e6be1b827bcf04872fd565697edbdbf8f2bdcf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/router/api/v1/memo_relation_service.go", "duplicate_line": 21, "correlation_key": "fp|f04b089d073a54e3ff76aaa7d6e6be1b827bcf04872fd565697edbdbf8f2bdcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/router/api/v1/memo_share_service.go"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 81238, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d19ba741b859b5ef539be446e59db38525a2ccb6998aa037538bb4a0e8bd803e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/router/api/v1/memo_attachment_service.go", "duplicate_line": 13, "correlation_key": "fp|d19ba741b859b5ef539be446e59db38525a2ccb6998aa037538bb4a0e8bd803e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/router/api/v1/memo_relation_service.go"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 81375, "scanner": "repobility-threat-engine", "fingerprint": "aaa249fb80065b45e3f660625ce7bb8a3f61cff5ae11c4dab44b71f7b2a42f0a", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "console.log(\"Use devProxyServer from environment: \", process.env.DEV_PROXY_SERVER)", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|web/vite.config.mts|1|console.log use devproxyserver from environment: token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/vite.config.mts"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 81374, "scanner": "repobility-threat-engine", "fingerprint": "1c87a8820a85716e1df74565837a77c38e2b1c44d9022f352fb3ce1b00ba8728", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.debug(\"[useTokenRefreshOnFocus] Token expired/expiring, refreshing before queries refetch\")", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|3|console.debug usetokenrefreshonfocus token expired/expiring refreshing before queries refetch"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/hooks/useTokenRefreshOnFocus.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 81369, "scanner": "repobility-threat-engine", "fingerprint": "41e6e546f6296e044c2c990b740ddefccb2010b71e12bb812290df15e83ff090", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|67|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/MemoEditor/hooks/useFileUpload.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 81364, "scanner": "repobility-threat-engine", "fingerprint": "912fc2006ed26da478294adb66a20644ca312fe0d61a30312b567d4822d73639", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|912fc2006ed26da478294adb66a20644ca312fe0d61a30312b567d4822d73639"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/MemoContent/MermaidBlock.tsx"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 81363, "scanner": "repobility-threat-engine", "fingerprint": "b978a0664e686989915f8bda8d2870bd2ad87fcc213d3fae3b7306ca82727023", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b978a0664e686989915f8bda8d2870bd2ad87fcc213d3fae3b7306ca82727023"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/MemoContent/CodeBlock.tsx"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 81362, "scanner": "repobility-threat-engine", "fingerprint": "a9290e9308832db1b29e6bdd660fce33b2dfaab9a936cf53d01913e8456ee998", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a9290e9308832db1b29e6bdd660fce33b2dfaab9a936cf53d01913e8456ee998", "aggregated_count": 4}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 81361, "scanner": "repobility-threat-engine", "fingerprint": "ce625440231f0cb893e343cb73e1c58198e4995a63e5784970532bc125e87f16", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ce625440231f0cb893e343cb73e1c58198e4995a63e5784970532bc125e87f16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/MemoContent/markdown/Paragraph.tsx"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 81360, "scanner": "repobility-threat-engine", "fingerprint": "23b3d4f0230aab5f43a2748c66a68a3141835e083329962046c9bfcd960eee60", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|23b3d4f0230aab5f43a2748c66a68a3141835e083329962046c9bfcd960eee60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/MemoActionMenu/memoShareImage.ts"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 81359, "scanner": "repobility-threat-engine", "fingerprint": "f953ad3ebf084ad28f6da5f6182b896097251a7e83ff2cf539465beb8f5d1233", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f953ad3ebf084ad28f6da5f6182b896097251a7e83ff2cf539465beb8f5d1233"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/MemoActionMenu/MemoShareImageDialog.tsx"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 81358, "scanner": "repobility-threat-engine", "fingerprint": "c8b427207421f2d3820efb6489939902c9cc3531011ee4976189e8ca8a13d2eb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c8b427207421f2d3820efb6489939902c9cc3531011ee4976189e8ca8a13d2eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/Settings/MyAccountSection.tsx"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 81357, "scanner": "repobility-threat-engine", "fingerprint": "4187c2f94c0496877472ae714dcb30c8705fb6c601d3ec5da6f91d863776d277", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4187c2f94c0496877472ae714dcb30c8705fb6c601d3ec5da6f91d863776d277"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/ChangeMemberPasswordDialog.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 81353, "scanner": "repobility-threat-engine", "fingerprint": "d548b6ab8c8e51fad2d225e4a60af8dbfaa7bf30d30674d01c220331265cd689", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d548b6ab8c8e51fad2d225e4a60af8dbfaa7bf30d30674d01c220331265cd689"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/Skeleton.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 81352, "scanner": "repobility-threat-engine", "fingerprint": "ec66cb2ea0b0675a821e21b759e956ae312b877e31b32eab3149cb059d98d982", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ec66cb2ea0b0675a821e21b759e956ae312b877e31b32eab3149cb059d98d982"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/AttachmentLibrary/AttachmentLibraryStates.tsx"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 81351, "scanner": "repobility-threat-engine", "fingerprint": "74cb4186dd21c991d8af82d5766db26fc913c1777b1f86feb5f81995421ff8b0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|74cb4186dd21c991d8af82d5766db26fc913c1777b1f86feb5f81995421ff8b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/ActivityCalendar/MonthCalendar.tsx"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "properties": {"repobilityId": 81350, "scanner": "repobility-threat-engine", "fingerprint": "9d7350027374ebe62f4d747e478eca80ef54bedb43dadb56de7cb7e0ed9e40a8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9d7350027374ebe62f4d747e478eca80ef54bedb43dadb56de7cb7e0ed9e40a8", "aggregated_count": 17}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 81349, "scanner": "repobility-threat-engine", "fingerprint": "046ec1fdac828b2e16d2e7315d6ebfa0954124456281eb3163e9a6c84522b5c1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|046ec1fdac828b2e16d2e7315d6ebfa0954124456281eb3163e9a6c84522b5c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/ConfirmDialog/index.tsx"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 81348, "scanner": "repobility-threat-engine", "fingerprint": "610311b855e76c2271ef1c22714ec5dc12fa9d00501aa1b009df3f98dfade53a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|610311b855e76c2271ef1c22714ec5dc12fa9d00501aa1b009df3f98dfade53a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/AttachmentIcon.tsx"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 81347, "scanner": "repobility-threat-engine", "fingerprint": "1c07c7dedea80fc85d972a0c217ba89d837848a03fb9f3f775432f740e32cbae", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1c07c7dedea80fc85d972a0c217ba89d837848a03fb9f3f775432f740e32cbae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/auth-state.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 81345, "scanner": "repobility-threat-engine", "fingerprint": "384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af"}}}, {"ruleId": "MINED016", "level": "none", "message": {"text": "[MINED016] Go Error Ignored (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 81336, "scanner": "repobility-threat-engine", "fingerprint": "cbd5e323f4a830242ab36252b67c9fde2f3af9cfcad5c7058e14e8a1dd603086", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|cbd5e323f4a830242ab36252b67c9fde2f3af9cfcad5c7058e14e8a1dd603086", "aggregated_count": 12}}}, {"ruleId": "MINED033", "level": "none", "message": {"text": "[MINED033] Go Recover Without Log (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 81332, "scanner": "repobility-threat-engine", "fingerprint": "fbb07e72cc11e3b4572ea89c723fe2134675efa8683fd803c2aec97628259c34", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fbb07e72cc11e3b4572ea89c723fe2134675efa8683fd803c2aec97628259c34", "aggregated_count": 1}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "properties": {"repobilityId": 81328, "scanner": "repobility-threat-engine", "fingerprint": "03167f5ecff39d939f08b149b84bf4446e9369cd2c6afa17da160bcd3ba6bc8d", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 26 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 26 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|03167f5ecff39d939f08b149b84bf4446e9369cd2c6afa17da160bcd3ba6bc8d"}}}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 81324, "scanner": "repobility-threat-engine", "fingerprint": "ffe4d81a7489f28099dfb64f1d43f221c7bd1f8d79fc0a1d608b942842e235c6", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ffe4d81a7489f28099dfb64f1d43f221c7bd1f8d79fc0a1d608b942842e235c6"}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 81320, "scanner": "repobility-threat-engine", "fingerprint": "85c4896443af68563c201765b60383810d346ee42e0660a82238ba53d71ba096", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|85c4896443af68563c201765b60383810d346ee42e0660a82238ba53d71ba096", "aggregated_count": 1}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 81319, "scanner": "repobility-threat-engine", "fingerprint": "ff2f7c22b8354d843efd72a935106d31bff0bf7b01d1ff48af885d7a7641b945", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ff2f7c22b8354d843efd72a935106d31bff0bf7b01d1ff48af885d7a7641b945"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/webhook/validate.go"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 81318, "scanner": "repobility-threat-engine", "fingerprint": "a55215ca57976d29fd73c5dbded080e0a0d5bc82bfb1e7ad2eb95c0b0543d893", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a55215ca57976d29fd73c5dbded080e0a0d5bc82bfb1e7ad2eb95c0b0543d893"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/cron/parser.go"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 81317, "scanner": "repobility-threat-engine", "fingerprint": "21f943ea5f58b8daa8bc4d599a6ed8bf7874c2eb56816a08e2675e0901116411", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|21f943ea5f58b8daa8bc4d599a6ed8bf7874c2eb56816a08e2675e0901116411"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/memos/main.go"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 81316, "scanner": "repobility-threat-engine", "fingerprint": "ec3b5f33dcee2622cf0dc05c18f1eb8aded39882efcce3add85b04df60d0c8d4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ec3b5f33dcee2622cf0dc05c18f1eb8aded39882efcce3add85b04df60d0c8d4", "aggregated_count": 3}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 81315, "scanner": "repobility-threat-engine", "fingerprint": "95ac8c49a80195b820ec1c6facc4433505529d2d77fc896c5425c8e7e9824a57", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|95ac8c49a80195b820ec1c6facc4433505529d2d77fc896c5425c8e7e9824a57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/cron/cron.go"}, "region": {"startLine": 324}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 81314, "scanner": "repobility-threat-engine", "fingerprint": "6aef855e1c9fab233971ae71a963defb7b4407f69147180fb70017e81bf8f90f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6aef855e1c9fab233971ae71a963defb7b4407f69147180fb70017e81bf8f90f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/ai/audiollm/gemini/gemini.go"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 81313, "scanner": "repobility-threat-engine", "fingerprint": "f31203d76a998712c7d47674836a46675cff44f6bf75d9140ec294b41e8ca4e7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f31203d76a998712c7d47674836a46675cff44f6bf75d9140ec294b41e8ca4e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/memos/main.go"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 81312, "scanner": "repobility-threat-engine", "fingerprint": "56acde559d2abaf2dcb8af6a9e79447ad2ffd102579607e0b27c45b858f4a253", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|56acde559d2abaf2dcb8af6a9e79447ad2ffd102579607e0b27c45b858f4a253"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/router/frontend/frontend.go"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 81311, "scanner": "repobility-threat-engine", "fingerprint": "2463772bce25b4f2a7b17bc9cebc2588297cab144ad28f36efb7e74458753d31", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2463772bce25b4f2a7b17bc9cebc2588297cab144ad28f36efb7e74458753d31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/memos/main.go"}, "region": {"startLine": 190}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `baseline-browser-mapping` is patch version(s) behind (^2.10.27 -> 2.10.33)"}, "properties": {"repobilityId": 81305, "scanner": "repobility-dependency-currency", "fingerprint": "8fdd2e827300d892fe7ad646f67ddf80a42beaf9f1dd8ffdc7e03084b0c61a4b", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "baseline-browser-mapping", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.10.33", "correlation_key": "fp|8fdd2e827300d892fe7ad646f67ddf80a42beaf9f1dd8ffdc7e03084b0c61a4b", "current_version": "^2.10.27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@vitejs/plugin-react` is patch version(s) behind (^6.0.1 -> 6.0.2)"}, "properties": {"repobilityId": 81304, "scanner": "repobility-dependency-currency", "fingerprint": "625ca5277955f3db58d2d7a999980fdacf84c5440efe2bce86799a46b94f5648", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitejs/plugin-react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.0.2", "correlation_key": "fp|625ca5277955f3db58d2d7a999980fdacf84c5440efe2bce86799a46b94f5648", "current_version": "^6.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@biomejs/biome` is patch version(s) behind (^2.4.14 -> 2.4.16)"}, "properties": {"repobilityId": 81303, "scanner": "repobility-dependency-currency", "fingerprint": "767944cd2f0eb98738e9af873bcb68652f6612d7107d30bbd454a06557c5a2cf", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@biomejs/biome", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.4.16", "correlation_key": "fp|767944cd2f0eb98738e9af873bcb68652f6612d7107d30bbd454a06557c5a2cf", "current_version": "^2.4.14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@babel/plugin-transform-runtime` is patch version(s) behind (7.29.0 -> 7.29.7)"}, "properties": {"repobilityId": 81302, "scanner": "repobility-dependency-currency", "fingerprint": "4de1dd4ff8f6b256b37885890238f401b71e52167aadd306abee6c7c13f41698", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@babel/plugin-transform-runtime", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.29.7", "correlation_key": "fp|4de1dd4ff8f6b256b37885890238f401b71e52167aadd306abee6c7c13f41698", "current_version": "7.29.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@babel/core` is patch version(s) behind (7.29.0 -> 7.29.7)"}, "properties": {"repobilityId": 81301, "scanner": "repobility-dependency-currency", "fingerprint": "c1b5aa62529246fd3cb4fe9cc310df251f31d1e9298d483e0f3356bba831178a", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@babel/core", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.29.7", "correlation_key": "fp|c1b5aa62529246fd3cb4fe9cc310df251f31d1e9298d483e0f3356bba831178a", "current_version": "7.29.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `dayjs` is patch version(s) behind (^1.11.20 -> 1.11.21)"}, "properties": {"repobilityId": 81296, "scanner": "repobility-dependency-currency", "fingerprint": "91248a3a90953a369ba5e001fd0a0bc888bd3c82054fb4b66bc1a96f111f841a", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "dayjs", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.11.21", "correlation_key": "fp|91248a3a90953a369ba5e001fd0a0bc888bd3c82054fb4b66bc1a96f111f841a", "current_version": "^1.11.20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 81443, "scanner": "repobility-journey-contract", "fingerprint": "23eee97810ce2995e7c5bde6aac82ed4458a4e43995f25dbf1cabce659db086f", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|web/src/pages/signup.tsx|119|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/pages/SignUp.tsx"}, "region": {"startLine": 119}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 81442, "scanner": "repobility-journey-contract", "fingerprint": "008fa78530bd5fb285357ad33e81223670b9b3f088a9450011f4076978fa316c", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|513|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/Settings/AISection.tsx"}, "region": {"startLine": 513}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 81441, "scanner": "repobility-journey-contract", "fingerprint": "ea3e51f48fffdb93d4ec0cd724604c28db3adc9d73f7bde142dc0c2fb028fe07", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|96|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/PasswordSignInForm.tsx"}, "region": {"startLine": 96}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 81440, "scanner": "repobility-journey-contract", "fingerprint": "310295633c199201cd9d0feb2221c6e1df8a95ece51ecd6e95040af0ca5efecc", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|106|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/CreateUserDialog.tsx"}, "region": {"startLine": 106}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /attachments/:uid/:filename."}, "properties": {"repobilityId": 81426, "scanner": "repobility-access-control", "fingerprint": "f583a5accd99e96536725c725758eb026dbff71f6ae370649a19a8bca96b12c7", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/attachments/:uid/:filename", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|token|123|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/router/fileserver/fileserver.go"}, "region": {"startLine": 123}}}]}, {"ruleId": "GO-2026-5039", "level": "error", "message": {"text": "stdlib: GO-2026-5039"}, "properties": {"repobilityId": 81418, "scanner": "osv-scanner", "fingerprint": "a83e627c146ec5ae6354a209b08e46b90552fb3a55f244faf312d2b6a843ac55", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-42507", "CVE-2026-42507"], "package": "stdlib", "rule_id": "GO-2026-5039", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-42507|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5038", "level": "error", "message": {"text": "stdlib: GO-2026-5038"}, "properties": {"repobilityId": 81417, "scanner": "osv-scanner", "fingerprint": "26372ffc012a6e2f27ce548bd31a794161794f6db76480f81788e01849ca8dcf", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-42504", "CVE-2026-42504"], "package": "stdlib", "rule_id": "GO-2026-5038", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-42504|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5037", "level": "error", "message": {"text": "stdlib: GO-2026-5037"}, "properties": {"repobilityId": 81416, "scanner": "osv-scanner", "fingerprint": "7541d4dba5fe7d349432ff80e6bd46b2c38dd49496f069ec8dc88c96fdceac42", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-27145", "CVE-2026-27145"], "package": "stdlib", "rule_id": "GO-2026-5037", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-27145|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4986", "level": "error", "message": {"text": "stdlib: GO-2026-4986"}, "properties": {"repobilityId": 81415, "scanner": "osv-scanner", "fingerprint": "55d3beed68a8f5e42f18723efe918ad21fc61328525c12c89ad625c5d23b7d9a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39820", "CVE-2026-39820"], "package": "stdlib", "rule_id": "GO-2026-4986", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39820|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4982", "level": "error", "message": {"text": "stdlib: GO-2026-4982"}, "properties": {"repobilityId": 81414, "scanner": "osv-scanner", "fingerprint": "06597abb53f8beb41690d7c819ff1d3e8a2462b14165f2aec6adf584ae5391fe", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39823", "CVE-2026-39823"], "package": "stdlib", "rule_id": "GO-2026-4982", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39823|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4981", "level": "error", "message": {"text": "stdlib: GO-2026-4981"}, "properties": {"repobilityId": 81413, "scanner": "osv-scanner", "fingerprint": "28de4e8cade658d2e44ab8fd3e29ba0bdfdf0b1eeb2ffec399deac5678b03a31", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-33811", "CVE-2026-33811"], "package": "stdlib", "rule_id": "GO-2026-4981", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-33811|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4980", "level": "error", "message": {"text": "stdlib: GO-2026-4980"}, "properties": {"repobilityId": 81412, "scanner": "osv-scanner", "fingerprint": "10ec7b10c93ff987796c913ebbfb76a710d8ed93bbbe45b13f6f0d10e2b211e6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39826", "CVE-2026-39826"], "package": "stdlib", "rule_id": "GO-2026-4980", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39826|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4977", "level": "error", "message": {"text": "stdlib: GO-2026-4977"}, "properties": {"repobilityId": 81411, "scanner": "osv-scanner", "fingerprint": "3620a62e00e33214f96ebc7312d23fec44851a9ee712599ee745845147c40e21", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-42499", "CVE-2026-42499"], "package": "stdlib", "rule_id": "GO-2026-4977", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-42499|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4976", "level": "error", "message": {"text": "stdlib: GO-2026-4976"}, "properties": {"repobilityId": 81410, "scanner": "osv-scanner", "fingerprint": "68c9ed164767bc1abc8d6a8706cf655bcaa445cc8f997e11de5c53701466a0a6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39825", "CVE-2026-39825"], "package": "stdlib", "rule_id": "GO-2026-4976", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39825|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4971", "level": "error", "message": {"text": "stdlib: GO-2026-4971"}, "properties": {"repobilityId": 81409, "scanner": "osv-scanner", "fingerprint": "1a9b8779ea85b5b0ef026400c900b7f27dcd6628d9b6df9f442929c24844f89e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-39836", "CVE-2026-39836"], "package": "stdlib", "rule_id": "GO-2026-4971", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-39836|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4918", "level": "error", "message": {"text": "stdlib: GO-2026-4918"}, "properties": {"repobilityId": 81408, "scanner": "osv-scanner", "fingerprint": "b5a44e944ffd7c105aa62904a3469805e8033225279767b94a0d562437b7e9f6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-33814", "CVE-2026-33814"], "package": "stdlib", "rule_id": "GO-2026-4918", "scanner": "osv-scanner", "correlation_key": "vuln|stdlib|CVE-2026-33814|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5024", "level": "error", "message": {"text": "golang.org/x/sys: GO-2026-5024"}, "properties": {"repobilityId": 81407, "scanner": "osv-scanner", "fingerprint": "79f10c25369703a3754463aae8a0158f89425541907e3182ad0da8006916ee19", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39824"], "package": "golang.org/x/sys", "rule_id": "GO-2026-5024", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/sys|CVE-2026-39824|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5030", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5030"}, "properties": {"repobilityId": 81406, "scanner": "osv-scanner", "fingerprint": "f56f13f5fd0d02e616781fb4e263264064c55d496b56f34e2e697db0a1750dd6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27136"], "package": "golang.org/x/net", "rule_id": "GO-2026-5030", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-27136|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5029", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5029"}, "properties": {"repobilityId": 81405, "scanner": "osv-scanner", "fingerprint": "346c97831be09b89603f8819967a1caf39f8f572a2d5dc5925a9ae0a6b98856e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25681"], "package": "golang.org/x/net", "rule_id": "GO-2026-5029", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-25681|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5028", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5028"}, "properties": {"repobilityId": 81404, "scanner": "osv-scanner", "fingerprint": "796445bee725d6616761216b224cb420e85017321d01a56e43bf03efe210c5f5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25680"], "package": "golang.org/x/net", "rule_id": "GO-2026-5028", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-25680|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5027", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5027"}, "properties": {"repobilityId": 81403, "scanner": "osv-scanner", "fingerprint": "acf4f4ae909e3489f7be9bc36808d846c836956d4a36bc26ba43890f213b1436", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42502"], "package": "golang.org/x/net", "rule_id": "GO-2026-5027", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-42502|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5026", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5026"}, "properties": {"repobilityId": 81402, "scanner": "osv-scanner", "fingerprint": "2a9be343e7c5c43785f4d36c5506f23f8b055fb0d461a84395ad634441be541a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39821"], "package": "golang.org/x/net", "rule_id": "GO-2026-5026", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-39821|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5025", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5025"}, "properties": {"repobilityId": 81401, "scanner": "osv-scanner", "fingerprint": "be62fe7df92442560f1a21cceb16f1ca23f3e9cbe2e00b9699b8ae286a0012ce", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42506"], "package": "golang.org/x/net", "rule_id": "GO-2026-5025", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-42506|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5032", "level": "error", "message": {"text": "golang.org/x/image: GO-2026-5032"}, "properties": {"repobilityId": 81400, "scanner": "osv-scanner", "fingerprint": "0c775caf0e9b5d80077a020cff5c96d5cd6efbd3197e928f8b8fa1f0cd633b68", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46599"], "package": "golang.org/x/image", "rule_id": "GO-2026-5032", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/image|CVE-2026-46599|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5031", "level": "error", "message": {"text": "golang.org/x/image: GO-2026-5031"}, "properties": {"repobilityId": 81399, "scanner": "osv-scanner", "fingerprint": "b66bc87e9087f2fbb63a1b7be38f59ce4d0fef8e698ea3827a99ca094a92efc9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42500"], "package": "golang.org/x/image", "rule_id": "GO-2026-5031", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/image|CVE-2026-42500|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5033", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5033"}, "properties": {"repobilityId": 81398, "scanner": "osv-scanner", "fingerprint": "ad1d47a6aef958448f22a42c2d60392dc7008e25932b619f84e66221eb131e95", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46598"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5033", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-46598|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5023", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5023"}, "properties": {"repobilityId": 81397, "scanner": "osv-scanner", "fingerprint": "2d612844c17f0f3569717978b60331059540fefc1c2346e38678f12228b2ebdb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46595"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5023", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-46595|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5021", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5021"}, "properties": {"repobilityId": 81396, "scanner": "osv-scanner", "fingerprint": "9cfea8adee448a2428e663f481c352e77e2cd449655562d5b118efedfb7da4f8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42508"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5021", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-42508|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5020", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5020"}, "properties": {"repobilityId": 81395, "scanner": "osv-scanner", "fingerprint": "93b646b3920c3a2193a1efdebfdfa5196ce3475c1dc5bae6355a6e1f9cbf460a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39834"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5020", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39834|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5019", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5019"}, "properties": {"repobilityId": 81394, "scanner": "osv-scanner", "fingerprint": "345537a037a5b3177ae140a9e9c405ec64da8434ead8931918ec7573a6ce20b3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39831"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5019", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39831|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5018", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5018"}, "properties": {"repobilityId": 81393, "scanner": "osv-scanner", "fingerprint": "949f77a9611832376c508d55bf01659a712274ac105d24e504e15dd5e1dbf16f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39829"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5018", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39829|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5017", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5017"}, "properties": {"repobilityId": 81392, "scanner": "osv-scanner", "fingerprint": "2930f2404722144c851cb9051c8ebf92002718de31c8d9fd7a648ca0f2ef6ada", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39830"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5017", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39830|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5016", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5016"}, "properties": {"repobilityId": 81391, "scanner": "osv-scanner", "fingerprint": "ac67bbb6c13f69fe38c8bbe16cf8fe7e2ed0ab66e0c5b15dba53f20834fe3d86", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39827"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5016", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39827|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5015", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5015"}, "properties": {"repobilityId": 81390, "scanner": "osv-scanner", "fingerprint": "2e502398ad2ca483c07bc43556f4c4eb205c7761c2c9cd89d2d1aee4f087438f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39835"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5015", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39835|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5014", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5014"}, "properties": {"repobilityId": 81389, "scanner": "osv-scanner", "fingerprint": "8daae6fef532b43e67fa01a55acbd01bab03899e2f5d4ad247bee8e8442024dd", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39828"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5014", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39828|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5013", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5013"}, "properties": {"repobilityId": 81388, "scanner": "osv-scanner", "fingerprint": "ccaa102abe73278dc6503207bd926859d7ba8955ec415d747a72b6b58b6a3dc3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46597"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5013", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-46597|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5006", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5006"}, "properties": {"repobilityId": 81387, "scanner": "osv-scanner", "fingerprint": "8b88451b530e190692c439835073029a47d5722b48b6a00ddb5e3369824775a2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39832"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5006", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39832|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5005", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5005"}, "properties": {"repobilityId": 81386, "scanner": "osv-scanner", "fingerprint": "ae98cdae0aac80f7b5a30a91f9180936ed79f348030d056d429d20e8b082f033", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39833"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5005", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39833|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 81378, "scanner": "repobility-docker", "fingerprint": "6e01b72a7bc6ee4a50ecabcc0643f7e5d6b5159f5e613115b4699e8ae3d264de", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "root", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6e01b72a7bc6ee4a50ecabcc0643f7e5d6b5159f5e613115b4699e8ae3d264de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/Dockerfile"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 81373, "scanner": "repobility-threat-engine", "fingerprint": "e18cd3128c6ecc7a20d8c2b0e5ac7ddb6fff486783dacf5f7a353577a34ca83a", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((v) => `\"${getVisibilityName(v)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e18cd3128c6ecc7a20d8c2b0e5ac7ddb6fff486783dacf5f7a353577a34ca83a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/hooks/useMemoFilters.ts"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 81372, "scanner": "repobility-threat-engine", "fingerprint": "5b060fd253e55300b6000bf894dc2cf2329adc43e1f024ce8e80989c8d73be18", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((filter) => `${filter.factor}:${encodeURIComponent(filter.value)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5b060fd253e55300b6000bf894dc2cf2329adc43e1f024ce8e80989c8d73be18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/contexts/MemoFilterContext.tsx"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 81368, "scanner": "repobility-threat-engine", "fingerprint": "3a3c61b366565aaf6bfa4cdc40bf51fc6bf733458d10a8e885daf5f037b8077c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(dateFilter", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3a3c61b366565aaf6bfa4cdc40bf51fc6bf733458d10a8e885daf5f037b8077c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/MemoEditor/utils/deriveDefaultCreateTime.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 81367, "scanner": "repobility-threat-engine", "fingerprint": "b175690e80cff32219abaa11a1292978b356241959ca038599be919b639fde20", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(className", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b175690e80cff32219abaa11a1292978b356241959ca038599be919b639fde20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/MemoContent/utils.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 81344, "scanner": "repobility-threat-engine", "fingerprint": "72e1dd53f0153c3b8f9358071882769c47d4036a2b5cf259e82b695ade6c39ce", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "urlsRef.current.delete(url);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|72e1dd53f0153c3b8f9358071882769c47d4036a2b5cf259e82b695ade6c39ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/MemoEditor/hooks/useBlobUrls.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 81343, "scanner": "repobility-threat-engine", "fingerprint": "45c05afd6c3d0ea0fbfc579baec0af973c5416845ce891a44d05202d7f79d3b3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cacheService.save(key, content);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|45c05afd6c3d0ea0fbfc579baec0af973c5416845ce891a44d05202d7f79d3b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/MemoEditor/hooks/useAutoSave.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 81342, "scanner": "repobility-threat-engine", "fingerprint": "1de5beb7687c0ee9e0b3c6e69209162c52f205737dcea8a364d50024cb1b150a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "c.data.Delete(key)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1de5beb7687c0ee9e0b3c6e69209162c52f205737dcea8a364d50024cb1b150a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "store/cache/cache.go"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 81337, "scanner": "repobility-threat-engine", "fingerprint": "e57647689453694b34de84370e571c65932b86d7323f25465f94237b0f5fe189", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e57647689453694b34de84370e571c65932b86d7323f25465f94237b0f5fe189"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/install.sh"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 81335, "scanner": "repobility-threat-engine", "fingerprint": "cb821746ec8e39854a3f04779de3a909a179a9a0a0f3b55b93072af09752f997", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cb821746ec8e39854a3f04779de3a909a179a9a0a0f3b55b93072af09752f997"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/auth/token.go"}, "region": {"startLine": 222}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 81334, "scanner": "repobility-threat-engine", "fingerprint": "dfa52bdfb8243baffb3913f1242776045876a822e5d5c598e841139f36cfb85e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dfa52bdfb8243baffb3913f1242776045876a822e5d5c598e841139f36cfb85e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/auth/authenticator.go"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 81333, "scanner": "repobility-threat-engine", "fingerprint": "11a84a04423c0b094748bf4eda8ce8f29fbd92fadf9883da8c2ee49014ac8c74", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|11a84a04423c0b094748bf4eda8ce8f29fbd92fadf9883da8c2ee49014ac8c74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/storage/s3/s3.go"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 81331, "scanner": "repobility-threat-engine", "fingerprint": "4cd57c4566786c00a3919349da5278e2d5f7a40a1b488d146a1fff445aa1fca0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4cd57c4566786c00a3919349da5278e2d5f7a40a1b488d146a1fff445aa1fca0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/router/api/v1/connect_interceptors.go"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 81330, "scanner": "repobility-threat-engine", "fingerprint": "72cb4ddeeda30004fafa69fc4435e60738c2d439bf300bedf983d8d9093921a5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|72cb4ddeeda30004fafa69fc4435e60738c2d439bf300bedf983d8d9093921a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/scheduler/middleware.go"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 81329, "scanner": "repobility-threat-engine", "fingerprint": "c2b24b259650bfe412abea3a514a9e9c893bbc0e178e15aade25c927430a9cb6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c2b24b259650bfe412abea3a514a9e9c893bbc0e178e15aade25c927430a9cb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/cron/chain.go"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 81327, "scanner": "repobility-threat-engine", "fingerprint": "b86b790fd395596157af27499c24e97ed9147e13ad7f7987a6d4cec0950e046a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Get(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b86b790fd395596157af27499c24e97ed9147e13ad7f7987a6d4cec0950e046a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpgetter/image.go"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 81326, "scanner": "repobility-threat-engine", "fingerprint": "18e4c1e5ef8b3b32a9df456a03aa7e80671285065df0dc0cb23d57cbfd064e39", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|18e4c1e5ef8b3b32a9df456a03aa7e80671285065df0dc0cb23d57cbfd064e39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/httpgetter/html_meta.go"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 81325, "scanner": "repobility-threat-engine", "fingerprint": "2a25d838d7827500c33538acbdde942fbdd2f3e1dce3a3b1b7dadac70e65df80", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2a25d838d7827500c33538acbdde942fbdd2f3e1dce3a3b1b7dadac70e65df80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/ai/stt/openai/openai.go"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 81293, "scanner": "repobility-supply-chain", "fingerprint": "7bcf581ae0813847df513d0d4c8aa8155a6a027759ff274cfee691e90413d8c3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7bcf581ae0813847df513d0d4c8aa8155a6a027759ff274cfee691e90413d8c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-canary-image.yml"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 81292, "scanner": "repobility-supply-chain", "fingerprint": "cbb5b88f6bf80a040f98287977f09572a6378e77a3d96d16b7b225921a123f64", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cbb5b88f6bf80a040f98287977f09572a6378e77a3d96d16b7b225921a123f64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-canary-image.yml"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 81291, "scanner": "repobility-supply-chain", "fingerprint": "2b6f44e5b48a8a2ae6365c9ab5328c0e42fa8345f37f9dbb380b0636deafc243", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2b6f44e5b48a8a2ae6365c9ab5328c0e42fa8345f37f9dbb380b0636deafc243"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-canary-image.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 81290, "scanner": "repobility-supply-chain", "fingerprint": "921767640adca1c085a24957e6cb1e50423e390ee975a51c9cba0138b4457eed", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|921767640adca1c085a24957e6cb1e50423e390ee975a51c9cba0138b4457eed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-canary-image.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 81289, "scanner": "repobility-supply-chain", "fingerprint": "88649e60043348ecd85cdb9344aa250f3a9df6d5824ac1622420980cb5f2adf2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|88649e60043348ecd85cdb9344aa250f3a9df6d5824ac1622420980cb5f2adf2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-canary-image.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 81288, "scanner": "repobility-supply-chain", "fingerprint": "322ec7610baa5789951250bd52ff60c06305e8d8f54c064aece4a37b4f17cdd9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|322ec7610baa5789951250bd52ff60c06305e8d8f54c064aece4a37b4f17cdd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-canary-image.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 81287, "scanner": "repobility-supply-chain", "fingerprint": "bd8a7cad535d3c4aba5ccbff97bf34854e08c3117d5f874cb298ca65da4150d5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bd8a7cad535d3c4aba5ccbff97bf34854e08c3117d5f874cb298ca65da4150d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-canary-image.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4.2.0`"}, "properties": {"repobilityId": 81286, "scanner": "repobility-supply-chain", "fingerprint": "1add4297c8f153b387405451a4d071401b66530f31916a8365b15cc8dce787d9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1add4297c8f153b387405451a4d071401b66530f31916a8365b15cc8dce787d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-canary-image.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 81285, "scanner": "repobility-supply-chain", "fingerprint": "d6a9018f39645b0288d6cb2dfb9eb82455c03e966c6b68acf2050dc9af4f19a6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d6a9018f39645b0288d6cb2dfb9eb82455c03e966c6b68acf2050dc9af4f19a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-canary-image.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `codecov/codecov-action` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 81284, "scanner": "repobility-supply-chain", "fingerprint": "0a262521154a6b767441f2e3a83b1be500cd375a3184d2ca6aac51f3c316c1b8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a262521154a6b767441f2e3a83b1be500cd375a3184d2ca6aac51f3c316c1b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/backend-tests.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-go` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 81283, "scanner": "repobility-supply-chain", "fingerprint": "2a09a66a698c61a47a88e92fe40d12e102ee8e4dff1dc3434f3e1ad2e29dbaad", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2a09a66a698c61a47a88e92fe40d12e102ee8e4dff1dc3434f3e1ad2e29dbaad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/backend-tests.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 81282, "scanner": "repobility-supply-chain", "fingerprint": "cf9a468147ef8d1a44f132351a27569118a2ccde394afba38d9d5d5afc71ace2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cf9a468147ef8d1a44f132351a27569118a2ccde394afba38d9d5d5afc71ace2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/backend-tests.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `golangci/golangci-lint-action` pinned to mutable ref `@v9`"}, "properties": {"repobilityId": 81281, "scanner": "repobility-supply-chain", "fingerprint": "aa56110c954b2ea80fa716124b090f82454061a0f8b3e2dc82f470c050ef34b3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aa56110c954b2ea80fa716124b090f82454061a0f8b3e2dc82f470c050ef34b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/backend-tests.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-go` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 81280, "scanner": "repobility-supply-chain", "fingerprint": "d608de5b54e3a718dc802743240e4a642c32e2048d5d98d4b7d5d9b0997e61cb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d608de5b54e3a718dc802743240e4a642c32e2048d5d98d4b7d5d9b0997e61cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/backend-tests.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 81279, "scanner": "repobility-supply-chain", "fingerprint": "6adbb903e4b879de816b59ad13329c09ba2e985d5ac94e49d30549fdffd7c551", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6adbb903e4b879de816b59ad13329c09ba2e985d5ac94e49d30549fdffd7c551"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/backend-tests.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 81278, "scanner": "repobility-supply-chain", "fingerprint": "2e812bfe5c9d707aeaace9887d79d158662040dcc342483f7e3c3e2d3be252b3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2e812bfe5c9d707aeaace9887d79d158662040dcc342483f7e3c3e2d3be252b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/frontend-tests.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4.2.0`"}, "properties": {"repobilityId": 81277, "scanner": "repobility-supply-chain", "fingerprint": "9030e3e59521dc6c523503a4004ea52239c00f523ec6d45328b94f907e64ff80", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9030e3e59521dc6c523503a4004ea52239c00f523ec6d45328b94f907e64ff80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/frontend-tests.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 81276, "scanner": "repobility-supply-chain", "fingerprint": "eb047466436cd55b5c81e6230bd58b467b24429ea03f255efdc1ec65b96787c0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eb047466436cd55b5c81e6230bd58b467b24429ea03f255efdc1ec65b96787c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/frontend-tests.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 81275, "scanner": "repobility-supply-chain", "fingerprint": "cab340770bab2543fa04d88d03de5f65634b6510b9669486ea643b445fdbd75f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cab340770bab2543fa04d88d03de5f65634b6510b9669486ea643b445fdbd75f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/frontend-tests.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4.2.0`"}, "properties": {"repobilityId": 81274, "scanner": "repobility-supply-chain", "fingerprint": "3e7c241bd284d5ab7709a03b8941d1285d9400e6b78a5c76096b209274b4a860", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3e7c241bd284d5ab7709a03b8941d1285d9400e6b78a5c76096b209274b4a860"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/frontend-tests.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 81273, "scanner": "repobility-supply-chain", "fingerprint": "dfc2b38029ba968739fbb0c32da01c9d9a673df3ae7311ac7456748c053cbc03", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dfc2b38029ba968739fbb0c32da01c9d9a673df3ae7311ac7456748c053cbc03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/frontend-tests.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `bufbuild/buf-lint-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 81272, "scanner": "repobility-supply-chain", "fingerprint": "d0f52f5596291d8739f008257a82c757d1afd7b5c8dcd1689abc9d9743ac4d00", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d0f52f5596291d8739f008257a82c757d1afd7b5c8dcd1689abc9d9743ac4d00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/proto-linter.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `bufbuild/buf-setup-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 81271, "scanner": "repobility-supply-chain", "fingerprint": "0aba846bf9555a14e923168f09886e95b3bf347ef01f8c60388dfb3fde11864c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0aba846bf9555a14e923168f09886e95b3bf347ef01f8c60388dfb3fde11864c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/proto-linter.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 81270, "scanner": "repobility-supply-chain", "fingerprint": "f64e5ef4f80cff59de02de7801b73963054f39e215732c727485a585e87b56ee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f64e5ef4f80cff59de02de7801b73963054f39e215732c727485a585e87b56ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/proto-linter.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `googleapis/release-please-action` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 81269, "scanner": "repobility-supply-chain", "fingerprint": "9964646ddaf623a1a91527df16bb2517ff34da331f3f47a50bddbecc0aa1cda0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9964646ddaf623a1a91527df16bb2517ff34da331f3f47a50bddbecc0aa1cda0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-please.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `alpine:3.21` not pinned by digest"}, "properties": {"repobilityId": 81268, "scanner": "repobility-supply-chain", "fingerprint": "6bfbad63f715d460b08c5086144bd54e424038daddeeeb8a541f1dd8cb0c72a9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6bfbad63f715d460b08c5086144bd54e424038daddeeeb8a541f1dd8cb0c72a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/Dockerfile"}, "region": {"startLine": 29}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 81384, "scanner": "gitleaks", "fingerprint": "2188b5a75353982bd269b4fec10d957601ac6dee735ed26f2322e4cc8982a372", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "token2 := \"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|server/auth/token_test.go|18|token2 : redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/auth/token_test.go"}, "region": {"startLine": 188}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 81383, "scanner": "gitleaks", "fingerprint": "a104427ed54aa823733b1d7ff0bf77760785ffda7d7b99e7b76be1b4d8493280", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "token1 := \"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|server/auth/token_test.go|18|token1 : redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/auth/token_test.go"}, "region": {"startLine": 187}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 81382, "scanner": "gitleaks", "fingerprint": "f2516dc6f5c36e899442cdac050cb4e2f54c25449729d1be058766c1eb775999", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "token :<redacted> \"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|server/auth/token_test.go|17|token : redacted redacted", "duplicate_count": 1, "duplicate_rule_ids": ["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["2b06aad565936c6deac336e3ba11824cf154221a98c61e1380b6b4b5fd8a98ff", "f2516dc6f5c36e899442cdac050cb4e2f54c25449729d1be058766c1eb775999"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/auth/token_test.go"}, "region": {"startLine": 173}}}]}]}]}