{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC012", "name": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json", "shortDescription": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. 
Public production APIs should explicitly disable those defaults, protect them behind admin authentication, "}, "fullDescription": {"text": "FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.72, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE "}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /{id}."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /{sandbox_id}/settings"}, "fullDescription": {"text": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /{sandbox_id}/settings/secrets/{secret_name}."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 31.8% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 31.8% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 31.8% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-65pc-fj4g-8rjx", "name": "idna: GHSA-65pc-fj4g-8rjx", "shortDescription": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "fullDescription": {"text": "Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": 
"", "owasp": ""}}, {"id": "GHSA-r95x-qfjj-fjj2", "name": "authlib: GHSA-r95x-qfjj-fjj2", "shortDescription": {"text": "authlib: GHSA-r95x-qfjj-fjj2"}, "fullDescription": {"text": "Authlib OIDC Implicit/Hybrid Authorization Vulnerable to Open Redirect"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jg22-mg44-37j8", "name": "aiohttp: GHSA-jg22-mg44-37j8", "shortDescription": {"text": "aiohttp: GHSA-jg22-mg44-37j8"}, "fullDescription": {"text": "AIOHTTP is Vulnerable to Deserialization of Untrusted Data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hg6j-4rv6-33pg", "name": "aiohttp: GHSA-hg6j-4rv6-33pg", "shortDescription": {"text": "aiohttp: GHSA-hg6j-4rv6-33pg"}, "fullDescription": {"text": "AIOHTTP is vulnerable to cross-origin redirect with per-request cookies"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-48c2-rrv3-qjmp", "name": "yaml: GHSA-48c2-rrv3-qjmp", "shortDescription": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "fullDescription": {"text": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-93m4-6634-74q7", "name": "vite: GHSA-93m4-6634-74q7", "shortDescription": {"text": "vite: GHSA-93m4-6634-74q7"}, "fullDescription": {"text": "vite allows server.fs.deny bypass 
via backslash on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4w7w-66w2-5vf9", "name": "vite: GHSA-4w7w-66w2-5vf9", "shortDescription": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "fullDescription": {"text": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xxjr-mmjv-4gpg", "name": "lodash: GHSA-xxjr-mmjv-4gpg", "shortDescription": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "fullDescription": {"text": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", 
"confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g4f-4pwh-qvx6", "name": "ajv: GHSA-2g4f-4pwh-qvx6", "shortDescription": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "fullDescription": {"text": "ajv has ReDoS when using `$data` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f22v-gfqf-p8f3", "name": "react-router: GHSA-f22v-gfqf-p8f3", "shortDescription": {"text": "react-router: GHSA-f22v-gfqf-p8f3"}, "fullDescription": {"text": "React Router has stored XSS via unescaped Location header in prerendered redirect HTML"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2j2x-hqr9-3h42", "name": "react-router: GHSA-2j2x-hqr9-3h42", "shortDescription": {"text": "react-router: GHSA-2j2x-hqr9-3h42"}, "fullDescription": {"text": "React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", 
"confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jggg-4jg4-v7c6", "name": "protobufjs: GHSA-jggg-4jg4-v7c6", "shortDescription": {"text": "protobufjs: GHSA-jggg-4jg4-v7c6"}, "fullDescription": {"text": "protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q89c-q3h5-w34g", "name": "i18next-http-backend: GHSA-q89c-q3h5-w34g", "shortDescription": {"text": "i18next-http-backend: GHSA-q89c-q3h5-w34g"}, "fullDescription": {"text": " i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `openhands` image uses the latest tag", "shortDescription": {"text": "Compose service `openhands` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR009", "name": "Dockerfile separates apt update from install", "shortDescription": {"text": "Dockerfile separates apt update from install"}, "fullDescription": {"text": "Splitting apt update and install across layers can reuse stale package indexes and make builds less reliable."}, "properties": 
{"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC127", "name": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedEr", "shortDescription": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or "}, "fullDescription": {"text": "Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. 
A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n  const u = new URL(serverUrl, location.href);\n  if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n  location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. 
Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC034", "name": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines o", "shortDescription": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (S"}, "fullDescription": {"text": "Strip control characters before logging:\n  safe = user_input.replace('\\n','').replace('\\r','').replace('\\x00','')\n  logger.info('User action: %s', safe)\nAlways use parameterized logging (`%s` + args), never f-strings or string concat \u2014 that's also what mitigates log4shell-style attacks. For structured logging, use a JSON formatter that escapes values."}, "properties": {"scanner": "repobility-threat-engine", "category": "log_injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `find_prs_between_commits` has cognitive complexity 15 (SonarSource scale)", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `find_prs_between_commits` has cognitive complexity 15 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, an"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 15."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `lint-staged` is 1 major version(s) behind (16.2.7 -> 17.0.7)", "shortDescription": {"text": "npm package `lint-staged` is 1 major version(s) behind (16.2.7 -> 17.0.7)"}, "fullDescription": {"text": "`lint-staged` is pinned/resolved at 16.2.7 but the latest stable release on the npm registry is 17.0.7 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. 
This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-PY", "name": "Python package `cachetools` is 2 major version(s) behind (5.5.2 -> 7.1.4)", "shortDescription": {"text": "Python package `cachetools` is 2 major version(s) behind (5.5.2 -> 7.1.4)"}, "fullDescription": {"text": "poetry.lock pins `cachetools` at 5.5.2 but the latest stable release on PyPI is 7.1.4 (2 major version(s) behind)."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-jqfw-vq24-v9c3", "name": "vite: GHSA-jqfw-vq24-v9c3", "shortDescription": {"text": "vite: GHSA-jqfw-vq24-v9c3"}, "fullDescription": {"text": "Vite's `server.fs` settings were not applied to HTML files"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-g4jq-h2w9-997c", "name": "vite: GHSA-g4jq-h2w9-997c", "shortDescription": {"text": "vite: GHSA-g4jq-h2w9-997c"}, "fullDescription": {"text": "Vite middleware may serve files starting with the same name with the public directory"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", 
"shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Pip's package cache increases image size and can preserve unnecessary artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "Package indexes increase image size and can expose stale metadata in the final image layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": 
".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC124", "name": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacke", "shortDescription": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason."}, "fullDescription": {"text": "Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). For locking, use `fcntl.flock`."}, "properties": {"scanner": "repobility-threat-engine", "category": "race_condition", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Variable-selected base images can be safe, but Repobility cannot verify that the resolved image is pinned."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolve", "shortDescription": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 14 more): Same pattern found in 14 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 14 more): Same pattern found in 14 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 13 more): Same pattern found in 13 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 9 more): Same pattern found in 9 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED072", "name": "[MINED072] Python Pass Only Class (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED072] Python Pass Only Class (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED065] Cors Wildcard (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass (and 11 more): Same pattern found in 11 additional files. Review if needed.", "shortDescription": {"text": "[MINED001] Bare Except Pass (and 11 more): Same pattern found in 11 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics: catch the specific exception type you expect and at least log the failure; a bare `except: pass` also swallows `KeyboardInterrupt` and `SystemExit` and hides real errors. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields (and 26 more): Same pattern found in 26 additional files. Review if needed.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 44 more): Same pattern found in 44 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 44 more): Same pattern found in 44 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16, plus 127/8, 0.0.0.0/8 and the IPv6 loopback, link-local and ULA ranges. Apply that check to the address the hostname actually resolves to (not only the hostname string) to defeat DNS-rebinding, restrict the scheme to http/https, and do not follow redirects automatically, since a redirect can escape the allowlist."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 48 more): Same pattern found in 48 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 48 more): Same pattern found in 48 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /{sandbox_id}/pause."}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: POST /{sandbox_id}/pause."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "PYSEC-2026-161", "name": "starlette: PYSEC-2026-161", "shortDescription": {"text": "starlette: PYSEC-2026-161"}, "fullDescription": {"text": "BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-179", "name": "pyjwt: PYSEC-2026-179", "shortDescription": {"text": "pyjwt: PYSEC-2026-179"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-178", "name": "pyjwt: PYSEC-2026-178", "shortDescription": {"text": "pyjwt: PYSEC-2026-178"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option (\"b64\": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b64=false, PyJWT later discards that decoded payload and replaces it with the caller-provided detached_payload. 
In practice, this turns the middle segment into an attacker-controlled \u201cwork amplifier\u201d: a remote client can supply an arbitrarily large Base64URL payload segment that forces CPU work + memory allocations even if the signature is invalid. This creates an unauthenticated DoS vector against any endpoint that verifies detached JWS using PyJWT. This vulnerability is fixed in 2.13.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-177", "name": "pyjwt: PYSEC-2026-177", "shortDescription": {"text": "pyjwt: PYSEC-2026-177"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests. The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. This vulnerability is fixed in 2.13.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-175", "name": "pyjwt: PYSEC-2026-175", "shortDescription": {"text": "pyjwt: PYSEC-2026-175"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no documented option to restrict which schemes PyJWKClient will fetch. 
If an application's jku URL ingestion path accepts attacker-influenced URLs (e.g., from JWT header, configuration file, OAuth flow parameter), the attacker can cause PyJWKClient to read arbitrary local files via file:// (SSRF on local filesystem), cause PyJWKClient to attempt FTP / data-URI fetches (broader SSRF surface), or forge tokens that PyJWT verifies as valid. The library does not directly return non-HTTP(S) URI contents to the attacker; the chained \"plant a JWKS to forge tokens\" scenario described in the original report requires additional application-layer flaws (attacker write access to a filesystem path, untrusted jku "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2022-42969", "name": "py: PYSEC-2022-42969", "shortDescription": {"text": "py: PYSEC-2022-42969"}, "fullDescription": {"text": "The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p9ff-h696-f583", "name": "vite: GHSA-p9ff-h696-f583", "shortDescription": {"text": "vite: GHSA-p9ff-h696-f583"}, "fullDescription": {"text": "Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r6q2-hw4h-h46w", "name": "tar: GHSA-r6q2-hw4h-h46w", "shortDescription": {"text": "tar: GHSA-r6q2-hw4h-h46w"}, "fullDescription": {"text": "Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 
0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qffp-2rhf-9h96", "name": "tar: GHSA-qffp-2rhf-9h96", "shortDescription": {"text": "tar: GHSA-qffp-2rhf-9h96"}, "fullDescription": {"text": "tar has Hardlink Path Traversal via Drive-Relative Linkpath"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9ppj-qmqm-q256", "name": "tar: GHSA-9ppj-qmqm-q256", "shortDescription": {"text": "tar: GHSA-9ppj-qmqm-q256"}, "fullDescription": {"text": "node-tar Symlink Path Traversal via Drive-Relative Linkpath"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8qq5-rm4j-mr97", "name": "tar: GHSA-8qq5-rm4j-mr97", "shortDescription": {"text": "tar: GHSA-8qq5-rm4j-mr97"}, "fullDescription": {"text": "node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-83g3-92jg-28cx", "name": "tar: GHSA-83g3-92jg-28cx", "shortDescription": {"text": "tar: GHSA-83g3-92jg-28cx"}, "fullDescription": {"text": "Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-34x7-hfp2-rc4v", "name": "tar: GHSA-34x7-hfp2-rc4v", "shortDescription": {"text": "tar: GHSA-34x7-hfp2-rc4v"}, "fullDescription": {"text": "node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mjf5-7g4m-gx5w", "name": "storybook: GHSA-mjf5-7g4m-gx5w", "shortDescription": {"text": 
"storybook: GHSA-mjf5-7g4m-gx5w"}, "fullDescription": {"text": "Storybook Dev Server is Vulnerable to WebSocket Hijacking"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8452-54wp-rmv6", "name": "storybook: GHSA-8452-54wp-rmv6", "shortDescription": {"text": "storybook: GHSA-8452-54wp-rmv6"}, "fullDescription": {"text": "Storybook manager bundle may expose environment variables during build"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mw96-cpmx-2vgc", "name": "rollup: GHSA-mw96-cpmx-2vgc", "shortDescription": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "fullDescription": {"text": "Rollup 4 has Arbitrary File Write via Path Traversal"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7mvr-c777-76hp", "name": "playwright: GHSA-7mvr-c777-76hp", "shortDescription": {"text": "playwright: GHSA-7mvr-c777-76hp"}, "fullDescription": {"text": "Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7r86-cg39-jmmj", "name": "minimatch: GHSA-7r86-cg39-jmmj", "shortDescription": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "fullDescription": {"text": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent 
GLOBSTAR segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3ppc-4f35-3m26", "name": "minimatch: GHSA-3ppc-4f35-3m26", "shortDescription": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "fullDescription": {"text": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-23c5-xmqv-rm74", "name": "minimatch: GHSA-23c5-xmqv-rm74", "shortDescription": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "fullDescription": {"text": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5j98-mcp5-4vw2", "name": "glob: GHSA-5j98-mcp5-4vw2", "shortDescription": {"text": "glob: GHSA-5j98-mcp5-4vw2"}, "fullDescription": {"text": "glob CLI: Command injection via -c/--cmd executes matches with shell:true"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rxv8-25v2-qmq8", "name": "react-router: GHSA-rxv8-25v2-qmq8", "shortDescription": {"text": "react-router: GHSA-rxv8-25v2-qmq8"}, "fullDescription": {"text": "React Router vulnerable to Denial of Service via reflected user input in single-fetch"}, "properties": {"scanner": "osv-scanner", "category": "dependency", 
"severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8x6r-g9mw-2r78", "name": "react-router: GHSA-8x6r-g9mw-2r78", "shortDescription": {"text": "react-router: GHSA-8x6r-g9mw-2r78"}, "fullDescription": {"text": "React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8646-j5j9-6r62", "name": "react-router: GHSA-8646-j5j9-6r62", "shortDescription": {"text": "react-router: GHSA-8646-j5j9-6r62"}, "fullDescription": {"text": "React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-49rj-9fvp-4h2h", "name": "react-router: GHSA-49rj-9fvp-4h2h", "shortDescription": {"text": "react-router: GHSA-49rj-9fvp-4h2h"}, "fullDescription": {"text": "React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-25", "name": "authlib: PYSEC-2026-25", "shortDescription": {"text": "authlib: PYSEC-2026-25"}, "fullDescription": {"text": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth.  
This vulnerability is fixed in 1.6.11."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-188", "name": "authlib: PYSEC-2026-188", "shortDescription": {"text": "authlib: PYSEC-2026-188"}, "fullDescription": {"text": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Piping downloaded code directly into a shell bypasses checksum verification and makes builds dependent on mutable remote content."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). 
For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape filter values with a filter-specific encoder (note: javax.naming.ldap.Rdn.escapeValue escapes DN components, not search-filter values; in Java use Spring's LdapEncoder.filterEncode or equivalent). For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with a separate args array and without `shell: true` (that option reintroduces shell parsing); never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service (resource exhaustion, not ReDoS). Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call. Note that `timeout` bounds each connect and each socket read separately, not the total request time, so a server that trickles bytes can still hold a worker well beyond the value; enforce an overall deadline at the caller if that matters."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED020", "name": "[MINED020] Logging Credential Via Fstring: logger.error(f\"failed for {api_key}\") \u2014 secrets end up in log aggregators / s", "shortDescription": {"text": "[MINED020] Logging Credential Via Fstring: logger.error(f\"failed for {api_key}\") \u2014 secrets end up in log aggregators / sentry."}, "fullDescription": {"text": "Review and fix per the pattern semantics: log only a redacted or hashed form (or the last few characters) of the credential, and rotate any secret that may already have reached log aggregators or Sentry. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics: catch `Exception` instead, or, if `BaseException` must be caught, re-raise `KeyboardInterrupt`, `SystemExit` and `GeneratorExit` explicitly. See CWE-705 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "Workflow container/services image `ghcr.io/openhands/enterprise-server` unpinned", "shortDescription": {"text": "Workflow container/services image `ghcr.io/openhands/enterprise-server` unpinned"}, "fullDescription": {"text": "`container/services image: ghcr.io/openhands/enterprise-server` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/setup-python` pinned to mutable ref `@v6`", "shortDescription": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "fullDescription": {"text": "`uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `python:3.13.7-slim-trixie` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `python:3.13.7-slim-trixie` not pinned by digest"}, "fullDescription": {"text": "`FROM python:3.13.7-slim-trixie` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "pre-commit hook `https://github.com/pre-commit/mirrors-mypy` pinned to mutable rev `v1.9.0`", "shortDescription": {"text": "pre-commit hook `https://github.com/pre-commit/mirrors-mypy` pinned to mutable rev `v1.9.0`"}, "fullDescription": {"text": "`.pre-commit-config.yaml` references `https://github.com/pre-commit/mirrors-mypy` at `rev: v1.9.0`. 
If `v1.9.0` is a branch or a movable tag rather than a full commit SHA, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine. Pin `rev` to the full commit SHA (`pre-commit autoupdate --freeze` records one)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "FastAPI POST /workspaces/unlink has no auth", "shortDescription": {"text": "FastAPI POST /workspaces/unlink has no auth"}, "fullDescription": {"text": "Handler `unlink_workspace` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body. Authentication may still be enforced by a router-level `dependencies=[...]` or by middleware that this per-handler check does not see; confirm that before treating the route as unauthenticated, and if nothing covers it, add the project's auth dependency to the handler."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED110", "name": "Blocking call `time.sleep` inside async function `test_search_events_timestamp_filter_with_desc_sort`", "shortDescription": {"text": "Blocking call `time.sleep` inside async function `test_search_events_timestamp_filter_with_desc_sort`"}, "fullDescription": {"text": "`time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress. Use `await asyncio.sleep(...)` instead."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "Phantom test coverage: test_delete_key_by_alias_not_found", "shortDescription": {"text": "Phantom test coverage: test_delete_key_by_alias_not_found"}, "fullDescription": {"text": "Test function `test_delete_key_by_alias_not_found` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self._ensure_api_key` used but never assigned in __init__", "shortDescription": {"text": "`self._ensure_api_key` used but never assigned in __init__"}, "fullDescription": {"text": "Method `store` of class `SaasSettingsStore` reads `self._ensure_api_key`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-5xrq-8626-4rwp", "name": "vitest: GHSA-5xrq-8626-4rwp", "shortDescription": {"text": "vitest: GHSA-5xrq-8626-4rwp"}, "fullDescription": {"text": "When Vitest UI server is listening, arbitrary file can be read and executed"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "DKC008", "name": "Compose service mounts the Docker socket", "shortDescription": {"text": "Compose service mounts the Docker socket"}, "fullDescription": {"text": "The Docker socket gives the container control over the Docker host and is commonly equivalent to host root access."}, "properties": {"scanner": "repobility-docker", 
"category": "docker", "severity": "critical", "confidence": 0.98, "cwe": "", "owasp": ""}}, {"id": "DKC001", "name": "Compose service runs privileged", "shortDescription": {"text": "Compose service runs privileged"}, "fullDescription": {"text": "Privileged containers receive broad host kernel capabilities and can bypass container isolation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.98, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 0.45, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.OPENHANDS_BOT_GITHUB_PAT_PUBLIC` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.OPENHANDS_BOT_GITHUB_PAT_PUBLIC` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.OPENHANDS_BOT_GITHUB_PAT_PUBLIC }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "Missing import: `email` used but not imported", "shortDescription": {"text": "Missing import: `email` used but not imported"}, "fullDescription": {"text": "The file uses `email.something(...)` but never imports `email`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/813"}, "properties": {"repository": "OpenHands/OpenHands", "repoUrl": "https://github.com/OpenHands/OpenHands", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 71377, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 71376, "scanner": "repobility-journey-contract", "fingerprint": "75d7a2aa86366ca50864214df6a53bc211734c82238d1ce63333d39478dbb810", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": 
"/api/vscode/url", "correlation_key": "fp|75d7a2aa86366ca50864214df6a53bc211734c82238d1ce63333d39478dbb810", "backend_endpoint_count": 66}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/conversation-service/v1-conversation-service.api.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 71375, "scanner": "repobility-journey-contract", "fingerprint": "ad8d116f0f728dc773ec290472d032b26839a79541b1e2e5b65416f07867f741", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/conversations/{param}", "correlation_key": "fp|ad8d116f0f728dc773ec290472d032b26839a79541b1e2e5b65416f07867f741", "backend_endpoint_count": 66}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/conversation-service/conversation-service.api.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 71374, "scanner": "repobility-journey-contract", "fingerprint": "bcd412cd8505f6dd1c174634e726260f156c80261955ab9e7438156d038d4912", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": 
["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/config/providers/search", "correlation_key": "fp|bcd412cd8505f6dd1c174634e726260f156c80261955ab9e7438156d038d4912", "backend_endpoint_count": 66}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/config-service/config-service.api.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 71373, "scanner": "repobility-journey-contract", "fingerprint": "3c51ac86698a1ed0457400e5d109f245cf850c2ca2058ddacfbe1a509169b8ed", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/config/models/search", "correlation_key": "fp|3c51ac86698a1ed0457400e5d109f245cf850c2ca2058ddacfbe1a509169b8ed", "backend_endpoint_count": 66}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/config-service/config-service.api.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 71372, "scanner": "repobility-journey-contract", "fingerprint": "ad611b52ac6eb167e415064db6fdb5bee704738a38de1910e02405d400530a4e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": 
"repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/billing/credits", "correlation_key": "fp|ad611b52ac6eb167e415064db6fdb5bee704738a38de1910e02405d400530a4e", "backend_endpoint_count": 66}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/billing-service/billing-service.api.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 71371, "scanner": "repobility-journey-contract", "fingerprint": "d2d55df7f354637e5e38657c12e535ee43a34506aa5ccc8c20d525cbab386751", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/billing/create-customer-setup-session", "correlation_key": "fp|d2d55df7f354637e5e38657c12e535ee43a34506aa5ccc8c20d525cbab386751", "backend_endpoint_count": 66}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/billing-service/billing-service.api.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 71370, "scanner": "repobility-journey-contract", "fingerprint": "a3caa89183043734f99a0170a9db8b4764f4c912e988b3ab5efef6ef65b5cac2", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": 
{"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/billing/create-checkout-session", "correlation_key": "fp|a3caa89183043734f99a0170a9db8b4764f4c912e988b3ab5efef6ef65b5cac2", "backend_endpoint_count": 66}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/billing-service/billing-service.api.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 71369, "scanner": "repobility-journey-contract", "fingerprint": "637aa74b8c01779ed9db1c3ad49a18049805bc1c63988e8ceb49141c4338d2ed", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/logout", "correlation_key": "fp|637aa74b8c01779ed9db1c3ad49a18049805bc1c63988e8ceb49141c4338d2ed", "backend_endpoint_count": 66}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/auth-service/auth-service.api.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 71368, "scanner": "repobility-journey-contract", "fingerprint": "6fdace442b8f0fbee23fc432382fc75e29ae34a28eb8070de4d55f00d76621be", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", 
"evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/keycloak/callback", "correlation_key": "fp|6fdace442b8f0fbee23fc432382fc75e29ae34a28eb8070de4d55f00d76621be", "backend_endpoint_count": 66}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/auth-service/auth-service.api.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 71367, "scanner": "repobility-journey-contract", "fingerprint": "699d6fe1a67ff5589d29e0f80d44a4750c180a9f4d49593f46328fba9338af41", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/authenticate", "correlation_key": "fp|699d6fe1a67ff5589d29e0f80d44a4750c180a9f4d49593f46328fba9338af41", "backend_endpoint_count": 66}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/auth-service/auth-service.api.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 71366, "scanner": "repobility-journey-contract", "fingerprint": "4d081bdc4aca77300193bd67508f2ce4ea0805c9e759a28476a7fa9ea6028cfc", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", 
"evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/keys/{param}", "correlation_key": "fp|4d081bdc4aca77300193bd67508f2ce4ea0805c9e759a28476a7fa9ea6028cfc", "backend_endpoint_count": 66}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/api-keys.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 71365, "scanner": "repobility-journey-contract", "fingerprint": "07f4b760ef2d9a4394b3eeac4618d41fb0bd50712fcd194340efbb06c94ddb2f", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/keys", "correlation_key": "fp|07f4b760ef2d9a4394b3eeac4618d41fb0bd50712fcd194340efbb06c94ddb2f", "backend_endpoint_count": 66}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/api-keys.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 71364, "scanner": "repobility-journey-contract", "fingerprint": "49c8d3c9dcc16a3f436faffd86649cda1ecf469da32246872550b3d583ee70d5", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": 
"repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/keys", "correlation_key": "fp|49c8d3c9dcc16a3f436faffd86649cda1ecf469da32246872550b3d583ee70d5", "backend_endpoint_count": 66}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/api-keys.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 71363, "scanner": "repobility-journey-contract", "fingerprint": "22e05b3ee40827a11e5ad1af2372258e991f2b59d1a9c61c3800fa88ed10ed8a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/analytics/events", "correlation_key": "fp|22e05b3ee40827a11e5ad1af2372258e991f2b59d1a9c61c3800fa88ed10ed8a", "backend_endpoint_count": 66}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/analytics-service/analytics-events.api.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 71362, "scanner": "repobility-journey-contract", "fingerprint": "cea7d1ab3264c63344b01412f24ec713b1a5eff81ed708bd23475e5e58992bb1", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|57|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/hooks/use-invitation.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 71361, "scanner": "repobility-journey-contract", "fingerprint": "8302fd4ebda879e861275bb055e46257fc91a6c889bc6a39de488123a7bd63b3", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|44|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/hooks/use-invitation.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "AUC012", "level": "warning", "message": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. 
Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"repobilityId": 71360, "scanner": "repobility-access-control", "fingerprint": "27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899", "category": "auth", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"apps": [{"line": 27, "file_path": "enterprise/tests/unit/test_api_key_aware_cors_middleware.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 20, "file_path": "enterprise/tests/unit/test_org_invitations_router.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 73, "file_path": "enterprise/tests/unit/test_org_invitations_router.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 205, "file_path": "enterprise/tests/unit/test_org_invitations_router.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 32, "file_path": "enterprise/tests/unit/server/test_rate_limit.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}], "scanner": "repobility-access-control", "correlation_key": "fp|27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899"}}}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: DELETE /{id}."}, "properties": {"repobilityId": 71359, "scanner": "repobility-access-control", "fingerprint": "9869e9a98e42d929965c17929ebaafd18733f1a1e9f4e78ad36e972235763235", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|108|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/sandbox/sandbox_router.py"}, "region": {"startLine": 108}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: DELETE /{secret_id}."}, "properties": {"repobilityId": 71358, "scanner": "repobility-access-control", "fingerprint": "bc55564db721f97ad020202ea8caa74b5f2d66fdec0e00d24531b73ce4bb0f3a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{secret_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|348|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/secrets/secrets_router.py"}, "region": {"startLine": 348}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /{conversation_id}/download."}, "properties": {"repobilityId": 71357, "scanner": "repobility-access-control", "fingerprint": "aee47fdbe07d9a69dec1bfea3828c27bb8e40b18fcc46a0cf7fda8a55bed34df", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{conversation_id}/download", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|1437|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/app_conversation/app_conversation_router.py"}, "region": {"startLine": 1437}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: DELETE /{conversation_id}."}, "properties": {"repobilityId": 71356, "scanner": "repobility-access-control", "fingerprint": "d25de068a9b20db35278d20d166ab60b27463c85578cda06a135ebf5730a8123", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{conversation_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|779|cwe-285", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/app_conversation/app_conversation_router.py"}, "region": {"startLine": 779}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /{org_id}/profiles/{name}/rename."}, "properties": {"repobilityId": 71355, "scanner": "repobility-access-control", "fingerprint": "fb2a5ae3f4e750de6fd6c3dac72639d237949101f72f730d51465f323e070beb", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{org_id}/profiles/{name}/rename", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|344|cwe-285", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/org_profiles.py"}, "region": {"startLine": 344}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: DELETE /{org_id}/profiles/{name}."}, "properties": {"repobilityId": 71354, "scanner": "repobility-access-control", "fingerprint": "5f4b27f9422365ae1ba77a2848462c5d2df40f0a4e6b75375e9083e54d14dda6", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{org_id}/profiles/{name}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|233|cwe-285", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/org_profiles.py"}, "region": {"startLine": 233}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /{org_id}/profiles/{name}."}, "properties": {"repobilityId": 71353, "scanner": "repobility-access-control", "fingerprint": "1be6dcfaa046156749326955e59514e2a5c5e8e52ad94787a8f590b2b3d3e5e8", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{org_id}/profiles/{name}", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|202|cwe-285", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/org_profiles.py"}, "region": {"startLine": 202}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /{org_id}/profiles/{name}."}, "properties": {"repobilityId": 71352, "scanner": "repobility-access-control", "fingerprint": "f67ad0e1aac0692521317b5a717de6f93cc8b1beacc394dc6b63e9256b20171b", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{org_id}/profiles/{name}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|181|cwe-285", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/org_profiles.py"}, "region": {"startLine": 181}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /{org_id}/profiles."}, "properties": {"repobilityId": 71351, "scanner": "repobility-access-control", "fingerprint": "b59d14d72282e6cf24c3923e3587884b5da04c366488dde405ee0f218e872c4d", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{org_id}/profiles", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|164|cwe-285", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/org_profiles.py"}, "region": {"startLine": 164}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /oauth2/userinfo."}, "properties": {"repobilityId": 71350, "scanner": "repobility-access-control", "fingerprint": "6e6602a5b8849cb9f139a13b758ef98734f82c6bea2cc2500ee3d6503e9ec4c9", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/oauth2/userinfo", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|19|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/bitbucket_dc_proxy.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /{sandbox_id}/settings/secrets/{secret_name}."}, "properties": {"repobilityId": 71349, "scanner": "repobility-access-control", "fingerprint": "bccd106647d8e25d523d230440d2b7efa937302ad2c417a45b11d1d7cff70820", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{sandbox_id}/settings/secrets/{secret_name}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|185|cwe-285", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/sandbox/sandbox_router.py"}, "region": {"startLine": 185}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /{sandbox_id}/settings/secrets."}, "properties": {"repobilityId": 71348, "scanner": "repobility-access-control", "fingerprint": "dda1b3bceb8cb7bcf9cc6221ec91b7b27ea8c707df53676fea8bbb0390cd5aa9", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{sandbox_id}/settings/secrets", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|154|cwe-285", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/sandbox/sandbox_router.py"}, "region": {"startLine": 154}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /{org_id}/settings."}, "properties": {"repobilityId": 71347, "scanner": "repobility-access-control", "fingerprint": "1db38d6abd99bf2d4c21c99861827794d528bb40818278857e929b04126243a4", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{org_id}/settings", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|258|cwe-285", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/auth/authorization.py"}, "region": {"startLine": 258}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: PATCH /{org_id}/settings."}, "properties": {"repobilityId": 71346, "scanner": "repobility-access-control", "fingerprint": "0b544e5537ced9d75f2dd42e9c8f6f70ce5a3cc7992e44eeb452f260bc358bba", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{org_id}/settings", "method": "PATCH", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|26|cwe-285", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/auth/authorization.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /{org_id}/settings."}, "properties": {"repobilityId": 71345, "scanner": "repobility-access-control", "fingerprint": "8dffea3af3a632d12ca416a59ec54f98258c8d30f99b77a8630f18ab32da4c47", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{org_id}/settings", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|18|cwe-285", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/auth/authorization.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /endpoint."}, "properties": {"repobilityId": 71344, "scanner": "repobility-access-control", "fingerprint": "1360e4cc3ee6d43ddadec859071b0c2dd5d4dc8e5ce1c7f0e97687dac86c083b", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/endpoint", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|36|cwe-285", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/email_validation.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 31.8% (21 of 66) of discovered routes show nearby authentication, authorization, middleware, or public-route evidence; the remaining routes need either an explicit auth dependency or a documented public-route justification."}, "properties": {"repobilityId": 71333, "scanner": "repobility-access-control", "fingerprint": "7a55a545c4c327316de959832c9e83ae658fd52fa42a83c525786965a7980be7", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 66, "correlation_key": "fp|7a55a545c4c327316de959832c9e83ae658fd52fa42a83c525786965a7980be7", "auth_visible_percent": 31.8}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 71332, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": 
"auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["FastAPI"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-65pc-fj4g-8rjx", "level": "warning", "message": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "properties": {"repobilityId": 71325, "scanner": "osv-scanner", "fingerprint": "3cb0e6e51097792f0802522bd5a1c534f3c96b9d90576d70a538075f8c4d5bb0", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45409"], "package": "idna", "rule_id": "GHSA-65pc-fj4g-8rjx", "scanner": "osv-scanner", "correlation_key": "vuln|idna|CVE-2024-3651|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r95x-qfjj-fjj2", "level": "warning", "message": {"text": "authlib: GHSA-r95x-qfjj-fjj2"}, "properties": {"repobilityId": 71324, "scanner": "osv-scanner", "fingerprint": "651ec6538ea46c30ab63024f4c3df80cdb0863d9e217da20a138ee7953f1fa19", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44681", "PYSEC-2026-188"], "package": "authlib", "rule_id": "GHSA-r95x-qfjj-fjj2", "scanner": "osv-scanner", "correlation_key": "vuln|authlib|CVE-2026-44681|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jg22-mg44-37j8", "level": "warning", "message": {"text": 
"aiohttp: GHSA-jg22-mg44-37j8"}, "properties": {"repobilityId": 71323, "scanner": "osv-scanner", "fingerprint": "f360dcc0eba31763fb048fbf952ff9aaacd93fae36b950018274d5457fa1322d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34993"], "package": "aiohttp", "rule_id": "GHSA-jg22-mg44-37j8", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34993|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hg6j-4rv6-33pg", "level": "warning", "message": {"text": "aiohttp: GHSA-hg6j-4rv6-33pg"}, "properties": {"repobilityId": 71322, "scanner": "osv-scanner", "fingerprint": "2da1f8cf81a5e62587e98e266536e6b0ec96ebc178f00a59702cebb0a7957e28", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47265"], "package": "aiohttp", "rule_id": "GHSA-hg6j-4rv6-33pg", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-47265|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-65pc-fj4g-8rjx", "level": "warning", "message": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "properties": {"repobilityId": 71315, "scanner": "osv-scanner", "fingerprint": "695e0196bf22183709a69e3e5535f2409e9912da6e7a31c6984375e9f05b495a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45409"], "package": "idna", "rule_id": "GHSA-65pc-fj4g-8rjx", "scanner": "osv-scanner", "correlation_key": "vuln|idna|CVE-2024-3651|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, 
"region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jg22-mg44-37j8", "level": "warning", "message": {"text": "aiohttp: GHSA-jg22-mg44-37j8"}, "properties": {"repobilityId": 71314, "scanner": "osv-scanner", "fingerprint": "fce47bc7d33de2fde6298a9945fd89e9167e98b399eef8943f1dcbfa1c258492", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34993"], "package": "aiohttp", "rule_id": "GHSA-jg22-mg44-37j8", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34993|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hg6j-4rv6-33pg", "level": "warning", "message": {"text": "aiohttp: GHSA-hg6j-4rv6-33pg"}, "properties": {"repobilityId": 71313, "scanner": "osv-scanner", "fingerprint": "67a99dff426642504115da7d889ba1752758b338ed81939a578e76f5db81c207", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47265"], "package": "aiohttp", "rule_id": "GHSA-hg6j-4rv6-33pg", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-47265|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-48c2-rrv3-qjmp", "level": "warning", "message": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "properties": {"repobilityId": 71312, "scanner": "osv-scanner", "fingerprint": "38b250381b9d8a1eae242f2bd5727ff63bfd31cab64e44aadac8cd0a3b2da388", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33532"], "package": "yaml", "rule_id": "GHSA-48c2-rrv3-qjmp", "scanner": "osv-scanner", "correlation_key": 
"vuln|yaml|CVE-2026-33532|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 71311, "scanner": "osv-scanner", "fingerprint": "d890ed7d6110d9c285e8e58c962b27ca3d39ba88fc52924259e02aa01bd6c33b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-93m4-6634-74q7", "level": "warning", "message": {"text": "vite: GHSA-93m4-6634-74q7"}, "properties": {"repobilityId": 71306, "scanner": "osv-scanner", "fingerprint": "92ea8200ff045b8de60e7612dc5440def34fdd1b9ba64bb943971b503c2a30ca", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-62522"], "package": "vite", "rule_id": "GHSA-93m4-6634-74q7", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-62522|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4w7w-66w2-5vf9", "level": "warning", "message": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "properties": {"repobilityId": 71305, "scanner": "osv-scanner", "fingerprint": "3e4572ee5ea9d42d3e2f6c106b434653785c03a57f6fbed0c7dca98522652c6d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": 
"", "evidence": {"match": "", "aliases": ["CVE-2026-39365"], "package": "vite", "rule_id": "GHSA-4w7w-66w2-5vf9", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39365|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 71295, "scanner": "osv-scanner", "fingerprint": "61f05b88a7589cc5f8b97ab910071cc4da504a50bfef9c6995b4381d46337d46", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 71292, "scanner": "osv-scanner", "fingerprint": "d7861e02fee76084f81295ea125764c0c57e1dead0954376ac15f8365d675626", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xxjr-mmjv-4gpg", "level": "warning", "message": {"text": "lodash: GHSA-xxjr-mmjv-4gpg"}, "properties": {"repobilityId": 71288, "scanner": "osv-scanner", "fingerprint": 
"8591e830961431a71d3969f6a9c1ba950e95d7e34efdef28d84d3c798433d574", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-13465"], "package": "lodash", "rule_id": "GHSA-xxjr-mmjv-4gpg", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2025-13465|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 71286, "scanner": "osv-scanner", "fingerprint": "4e21fcd25b9c2a69be10548deb5028c59bb70e9bfffa287ac38852902911f19e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-2950|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 71284, "scanner": "osv-scanner", "fingerprint": "54d59e860bebbf8c0edc8e381ea06b1575ca40751ef18e1c5a879e6b8a3dcbe1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "GHSA-2g4f-4pwh-qvx6", "level": "warning", "message": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "properties": {"repobilityId": 71283, "scanner": "osv-scanner", "fingerprint": "96cfa64df6e21e2d098aca54c5d67f96c63bf27e9c278c36ac04744d0f897943", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69873"], "package": "ajv", "rule_id": "GHSA-2g4f-4pwh-qvx6", "scanner": "osv-scanner", "correlation_key": "vuln|ajv|CVE-2025-69873|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-48c2-rrv3-qjmp", "level": "warning", "message": {"text": "yaml: GHSA-48c2-rrv3-qjmp"}, "properties": {"repobilityId": 71282, "scanner": "osv-scanner", "fingerprint": "45dcd1dd3aeb35739480ac576898e9f6b3ba8af26b164ff397d760c319dd2e7f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33532"], "package": "yaml", "rule_id": "GHSA-48c2-rrv3-qjmp", "scanner": "osv-scanner", "correlation_key": "vuln|yaml|CVE-2026-33532|frontend/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 71281, "scanner": "osv-scanner", "fingerprint": "aa2320cf52664eafdcaa81627c166a6124ae4d6a1c693cffd019693704affa2c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", 
"correlation_key": "vuln|ws|CVE-2026-45736|frontend/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f22v-gfqf-p8f3", "level": "warning", "message": {"text": "react-router: GHSA-f22v-gfqf-p8f3"}, "properties": {"repobilityId": 71279, "scanner": "osv-scanner", "fingerprint": "3c7b4ed6e8235f2f31e3bfa17e21e4dcea20953eca79a9879be3c5c91a0d2013", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33244"], "package": "react-router", "rule_id": "GHSA-f22v-gfqf-p8f3", "scanner": "osv-scanner", "correlation_key": "vuln|react-router|CVE-2026-33244|frontend/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2j2x-hqr9-3h42", "level": "warning", "message": {"text": "react-router: GHSA-2j2x-hqr9-3h42"}, "properties": {"repobilityId": 71275, "scanner": "osv-scanner", "fingerprint": "652850f02ab10c0c944e2247b67bcd996c523c6dcdbcf6ea4d6d2cee68c4511c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-40181"], "package": "react-router", "rule_id": "GHSA-2j2x-hqr9-3h42", "scanner": "osv-scanner", "correlation_key": "vuln|react-router|CVE-2026-40181|frontend/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 71274, "scanner": "osv-scanner", "fingerprint": "1c4147233e185f976867cdb724b0a2ec7d0ecf354dc8311a94d4819d92a9eec6", "category": "dependency", "severity": 
"medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|frontend/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jggg-4jg4-v7c6", "level": "warning", "message": {"text": "protobufjs: GHSA-jggg-4jg4-v7c6"}, "properties": {"repobilityId": 71273, "scanner": "osv-scanner", "fingerprint": "c8ebe6100a3f68431e0a21a617ec699912b9a01725f6cfe3e18a68d1df03d1f9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45740"], "package": "protobufjs", "rule_id": "GHSA-jggg-4jg4-v7c6", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-45740|frontend/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 71272, "scanner": "osv-scanner", "fingerprint": "2510b8057924327e9299fe8e0754f99daed52ce3ac1ece31b2a82e243beabb2e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|frontend/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q89c-q3h5-w34g", "level": "warning", "message": {"text": 
"i18next-http-backend: GHSA-q89c-q3h5-w34g"}, "properties": {"repobilityId": 71271, "scanner": "osv-scanner", "fingerprint": "da8c1dfb96b7b40741e87b1977dbeadbfbb892657a0f62a57c5622eda346a5ee", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41691"], "package": "i18next-http-backend", "rule_id": "GHSA-q89c-q3h5-w34g", "scanner": "osv-scanner", "correlation_key": "vuln|i18next-http-backend|CVE-2026-41691|frontend/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 71270, "scanner": "osv-scanner", "fingerprint": "98a1120465a5f7efd7e77749832ffebc052c57b25def61de9cdb3f7030748265", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|frontend/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g4f-4pwh-qvx6", "level": "warning", "message": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "properties": {"repobilityId": 71269, "scanner": "osv-scanner", "fingerprint": "b1c137f64d26194e8a5a68d9f9910132470516aebc0c0885b6571a0c29cfa1c8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69873"], "package": "ajv", "rule_id": "GHSA-2g4f-4pwh-qvx6", "scanner": "osv-scanner", 
"correlation_key": "vuln|ajv|CVE-2025-69873|frontend/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-65pc-fj4g-8rjx", "level": "warning", "message": {"text": "idna: GHSA-65pc-fj4g-8rjx"}, "properties": {"repobilityId": 71262, "scanner": "osv-scanner", "fingerprint": "d8666d6cf991dbc13297c8075aeef5dc0a3f68c8026894849a73bc5ba7a06884", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45409"], "package": "idna", "rule_id": "GHSA-65pc-fj4g-8rjx", "scanner": "osv-scanner", "correlation_key": "vuln|idna|CVE-2024-3651|enterprise/poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jg22-mg44-37j8", "level": "warning", "message": {"text": "aiohttp: GHSA-jg22-mg44-37j8"}, "properties": {"repobilityId": 71259, "scanner": "osv-scanner", "fingerprint": "8b8cc359116ce909f2be4d562fc3edf025b894d771fbc86e225333cd16f7b750", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34993"], "package": "aiohttp", "rule_id": "GHSA-jg22-mg44-37j8", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34993|enterprise/poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hg6j-4rv6-33pg", "level": "warning", "message": {"text": "aiohttp: GHSA-hg6j-4rv6-33pg"}, "properties": {"repobilityId": 71258, "scanner": "osv-scanner", "fingerprint": "f4333cad9515c4870d434c17dd433c0e1f86bf0ddd827cfd1ba346b961cf9d6c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47265"], "package": "aiohttp", "rule_id": "GHSA-hg6j-4rv6-33pg", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-47265|enterprise/poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `openhands` image uses the mutable `latest` tag instead of a pinned version tag or image digest, so the deployed image can change without a reviewable diff"}, "properties": {"repobilityId": 71233, "scanner": "repobility-docker", "fingerprint": "9e49f1fb3747c9a8bf81aa3211ae86388150f974c68bd155fad9fba4b89e8e79", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "openhands:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9e49f1fb3747c9a8bf81aa3211ae86388150f974c68bd155fad9fba4b89e8e79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER directive, so the container process runs as root by default"}, "properties": {"repobilityId": 71223, "scanner": "repobility-docker", "fingerprint": "e4f524574bb4b8ec3bd9f3cfc20468786ef0098a5294d35ea149d3eef8c58f0f", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "openhands", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e4f524574bb4b8ec3bd9f3cfc20468786ef0098a5294d35ea149d3eef8c58f0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/dev/Dockerfile"}, "region": {"startLine": 92}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile runs the apt package-index update in a different layer from the package install, so a cached index can silently yield stale or unpatched packages"}, "properties": {"repobilityId": 71217, "scanner": "repobility-docker", "fingerprint": "fa9ac7efdf22b2a586e11c01b0b7cf824ac70e20d9d8f4678cff4f71a1198dd2", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|fa9ac7efdf22b2a586e11c01b0b7cf824ac70e20d9d8f4678cff4f71a1198dd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/dev/Dockerfile"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (Declaration of Catch for Generic Exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 71206, "scanner": "repobility-threat-engine", "fingerprint": "ef3595e9df900f8f5110ca240c6f966e35fda9ba7f5e6300909abdfc0b7f941d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:\n        text = file_path.read_text(encoding='utf-8')\n    except Exception:\n        return None", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ef3595e9df900f8f5110ca240c6f966e35fda9ba7f5e6300909abdfc0b7f941d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/user/skills_router.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. 
Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 71203, "scanner": "repobility-threat-engine", "fingerprint": "0195f381dc31c08e0bdb1957b7138bc89d453c74bef1c8ee8d8028243168df66", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def get_user_info(self) -> UserInfo:\n        raise NotImplementedError", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0195f381dc31c08e0bdb1957b7138bc89d453c74bef1c8ee8d8028243168df66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/user/specifiy_user_context.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. 
Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 71202, "scanner": "repobility-threat-engine", "fingerprint": "f7b8b8a64b85f7926748458e6f2278febffe5e8f8bec3d7be6aa7a8d7ff6e3b0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def provider(self) -> str:\n        raise NotImplementedError", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f7b8b8a64b85f7926748458e6f2278febffe5e8f8bec3d7be6aa7a8d7ff6e3b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/integrations/service_types.py"}, "region": {"startLine": 210}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). 
Complement to server-side SEC030."}, "properties": {"repobilityId": 71194, "scanner": "repobility-threat-engine", "fingerprint": "54866d6cebc7dbe16d7137e00be1a34583c55db99b1a5fb60854294287252c71", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = finalRedirectUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|54866d6cebc7dbe16d7137e00be1a34583c55db99b1a5fb60854294287252c71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/hooks/mutation/use-accept-tos.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). 
Complement to server-side SEC030."}, "properties": {"repobilityId": 71193, "scanner": "repobility-threat-engine", "fingerprint": "76c5f766860f0e3dd4648d451938cd1e9edbc0f462e4ce0282b9021579f4fc3c", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = redirectUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|76c5f766860f0e3dd4648d451938cd1e9edbc0f462e4ce0282b9021579f4fc3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/hooks/mutation/stripe/use-create-stripe-checkout-session.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). 
Complement to server-side SEC030."}, "properties": {"repobilityId": 71192, "scanner": "repobility-threat-engine", "fingerprint": "28705e6b164b4995235841036118319d698815437705e39f2330a083062d4394", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = authUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|28705e6b164b4995235841036118319d698815437705e39f2330a083062d4394"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/features/settings/git-settings/configure-azure-devops-anchor.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 71190, "scanner": "repobility-threat-engine", "fingerprint": "0ad849cdb617ed77b34acdda79814c408ab2ec48c30c0697a2361c7df79d55cb", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(\n            `https://github.com/apps/${slug}/installations/new`,\n            \"_blank\",", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|21|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/features/settings/git-settings/configure-github-repositories-anchor.tsx"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 71189, "scanner": "repobility-threat-engine", "fingerprint": "a01096674dd137d9804f7e7e7ea713c7b6c935fc3f595b07ff014e332e144500", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(vscodeUrl, \"_blank\", \"noopener,noreferrer\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|26|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/features/conversation/conversation-tabs/vscode-tooltip-content.tsx"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 71188, "scanner": "repobility-threat-engine", "fingerprint": "9a3a231397bf9a4c7f909bc78f4de0e92f6a020972cbb9ed26c90fb5f703c1c2", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(transformedUrl, \"_blank\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|92|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/features/conversation-panel/conversation-card/conversation-card.tsx"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 71166, "scanner": "repobility-threat-engine", "fingerprint": "3acdba0ba3c539afab3cd60ff8480688295ac87c14b2b0a0d83152e85bc8bbcc", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|27|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/v1/chat/event-content-helpers/get-skill-ready-content.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 71165, "scanner": "repobility-threat-engine", "fingerprint": "2c576174b5284927f5ecadf28abd219a4cd57ec94b1d5cffc77a425cd7728183", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|18|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/features/markdown/code.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 71164, "scanner": "repobility-threat-engine", "fingerprint": "f56a0784cd50a351722c02b7457a8ca8cc793c76c2bf6fb254af9f5f0c6171a4", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|24|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/check-translation-completeness.cjs"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 71160, "scanner": "repobility-threat-engine", "fingerprint": "08f00dd45e73f6d91daf8bed063473a0c3f7eeea7ed664031687d9e59e63b445", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "def create_jws_token", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|65|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/services/jwt_service.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 71159, "scanner": "repobility-threat-engine", "fingerprint": "8fa8ee642e285c8f9e131a34013ea7efb04a54d8ba313371d700065fa9f28cc0", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "def generate_token", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|28|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/org_invitation_store.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 71139, "scanner": "repobility-threat-engine", "fingerprint": "aa589117ff09e1c160d9265e94e8b52f446635ca888559db6fd69b7fa3d6c53d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aa589117ff09e1c160d9265e94e8b52f446635ca888559db6fd69b7fa3d6c53d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/email.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 71138, "scanner": "repobility-threat-engine", "fingerprint": "bb3055e951acd3699214ce6d7ed6dd9e4781b2a238d17c89d990f3fdfdf0a625", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n                pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bb3055e951acd3699214ce6d7ed6dd9e4781b2a238d17c89d990f3fdfdf0a625"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/jira_dc/jira_dc_v1_callback_processor.py"}, "region": {"startLine": 199}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 71137, "scanner": "repobility-threat-engine", "fingerprint": "60f036ede4e5935674d2f55ea8f27c4790505b35082a87029efdad2698b8a9c7", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n                pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|60f036ede4e5935674d2f55ea8f27c4790505b35082a87029efdad2698b8a9c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/jira/jira_v1_callback_processor.py"}, "region": {"startLine": 189}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). 
CWE-117."}, "properties": {"repobilityId": 71116, "scanner": "repobility-threat-engine", "fingerprint": "87fb1508b2538971d32f2ec1da32e1ceb8698e3bc064714d225e4ee4381da477", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.debug(\n            f'SaaSBitbucketDCService created with user_id {user", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|87fb1508b2538971d32f2ec1da32e1ceb8698e3bc064714d225e4ee4381da477"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/bitbucket_data_center/bitbucket_dc_service.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). 
CWE-117."}, "properties": {"repobilityId": 71115, "scanner": "repobility-threat-engine", "fingerprint": "e9327bc50aada2268c60b36cfa3acccc5be1ba0f8a410ec4fe1808eaf73306b7", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.info(\n            f'SaaSBitBucketService created with user_id {user", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e9327bc50aada2268c60b36cfa3acccc5be1ba0f8a410ec4fe1808eaf73306b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/bitbucket/bitbucket_service.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). 
CWE-117."}, "properties": {"repobilityId": 71114, "scanner": "repobility-threat-engine", "fingerprint": "688fc2e7263072e289957ec0cf6a5510d6a6de95ab32360048576e2f48c10e00", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.info(\n                    f'[Bitbucket] Starting job for {user", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|688fc2e7263072e289957ec0cf6a5510d6a6de95ab32360048576e2f48c10e00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/bitbucket/bitbucket_manager.py"}, "region": {"startLine": 168}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `find_prs_between_commits` has cognitive complexity 15 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=1, except=1, for=3, if=4, nested_bonus=6."}, "properties": {"repobilityId": 71107, "scanner": "repobility-threat-engine", "fingerprint": "2763e86b0f3ef611576a9713a4b3d5365b562d04ea888fc31aecc7fe266fa0fd", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 15 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "find_prs_between_commits", "breakdown": {"if": 4, "for": 3, "except": 1, "continue": 1, "nested_bonus": 6}, "complexity": 15, "correlation_key": "fp|2763e86b0f3ef611576a9713a4b3d5365b562d04ea888fc31aecc7fe266fa0fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/find_prs_between_commits.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `print_results` has cognitive complexity 19 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=2, for=2, if=5, nested_bonus=10."}, "properties": {"repobilityId": 71106, "scanner": "repobility-threat-engine", "fingerprint": "35147427a7332c23cb965b81c491e51c623d01d450aaa453f7139d6f20b8d164", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 19 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "print_results", "breakdown": {"if": 5, "for": 2, "else": 2, "nested_bonus": 10}, "complexity": 19, "correlation_key": "fp|35147427a7332c23cb965b81c491e51c623d01d450aaa453f7139d6f20b8d164"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/find_prs_between_commits.py"}, "region": {"startLine": 208}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 71102, "scanner": "repobility-agent-runtime", "fingerprint": "d5dce589555d8b342d11b9f5ab6587a0cb5f3bbff309ff2b5088306c09b3cfe4", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d5dce589555d8b342d11b9f5ab6587a0cb5f3bbff309ff2b5088306c09b3cfe4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/setup.sh"}, "region": {"startLine": 11}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `lint-staged` is 1 major version(s) behind (16.2.7 -> 17.0.7)"}, "properties": {"repobilityId": 71100, "scanner": "repobility-dependency-currency", "fingerprint": "47aeb5b30a7533853400add09c73b7398589e3b97d0e6f7df65f31bf5f54bf29", 
"category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "lint-staged", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.0.7", "correlation_key": "fp|47aeb5b30a7533853400add09c73b7398589e3b97d0e6f7df65f31bf5f54bf29", "current_version": "16.2.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `jsdom` is 2 major version(s) behind (27.4.0 -> 29.1.1)"}, "properties": {"repobilityId": 71099, "scanner": "repobility-dependency-currency", "fingerprint": "72f2891dfbdeefccbafe0916d5238ead5a93d5b63b095f08022082533a2c70e2", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jsdom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "29.1.1", "correlation_key": "fp|72f2891dfbdeefccbafe0916d5238ead5a93d5b63b095f08022082533a2c70e2", "current_version": "27.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `i18next-http-backend` is 1 major version(s) behind (3.0.2 -> 4.0.0)"}, "properties": {"repobilityId": 71091, "scanner": "repobility-dependency-currency", "fingerprint": "448b7a58e737552a407211a15bfe00b9e5cb82a015ccd9f56dc9521c9b372245", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "i18next-http-backend", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.0.0", "correlation_key": "fp|448b7a58e737552a407211a15bfe00b9e5cb82a015ccd9f56dc9521c9b372245", "current_version": "3.0.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@heroui/react` is 1 major version(s) behind (2.8.8 -> 3.1.0)"}, "properties": {"repobilityId": 71084, "scanner": "repobility-dependency-currency", "fingerprint": "f377117ccf901d4ced225f635f6a159e78a25e86e7ce76706bd9f3afae636a04", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@heroui/react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.1.0", "correlation_key": "fp|f377117ccf901d4ced225f635f6a159e78a25e86e7ce76706bd9f3afae636a04", "current_version": "2.8.8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `vite-plugin-dts` is 1 major version(s) behind (^4.5.4 -> 5.0.2)"}, "properties": {"repobilityId": 71082, "scanner": "repobility-dependency-currency", "fingerprint": "e44acc144446bf9ed1c6b4633a4feabd23d2278923c6b7795e2e4f39ce4b9ef6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "vite-plugin-dts", "scanner": 
"repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.2", "correlation_key": "fp|e44acc144446bf9ed1c6b4633a4feabd23d2278923c6b7795e2e4f39ce4b9ef6", "current_version": "^4.5.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@vitest/browser` is 1 major version(s) behind (^3.2.4 -> 4.1.8)"}, "properties": {"repobilityId": 71081, "scanner": "repobility-dependency-currency", "fingerprint": "d4ca551bdb84294c8383fa30a07aa8327ea201d6cab7bb3fdf4b3b0c93060057", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitest/browser", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.8", "correlation_key": "fp|d4ca551bdb84294c8383fa30a07aa8327ea201d6cab7bb3fdf4b3b0c93060057", "current_version": "^3.2.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@vitejs/plugin-react` is 2 major version(s) behind (^4.5.2 -> 6.0.2)"}, "properties": {"repobilityId": 71080, "scanner": "repobility-dependency-currency", "fingerprint": "633ddb6db1be65c722f3f079118997e8fd5de497178dd5b74e3fa6f30f0cf489", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitejs/plugin-react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.0.2", 
"correlation_key": "fp|633ddb6db1be65c722f3f079118997e8fd5de497178dd5b74e3fa6f30f0cf489", "current_version": "^4.5.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `focus-trap-react` is 1 major version(s) behind (^11.0.4 -> 12.0.2)"}, "properties": {"repobilityId": 71078, "scanner": "repobility-dependency-currency", "fingerprint": "7031e7ae115f887b4e01e4c68fd05663d58d49978db571c5c091adb89d0db2bd", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "focus-trap-react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "12.0.2", "correlation_key": "fp|7031e7ae115f887b4e01e4c68fd05663d58d49978db571c5c091adb89d0db2bd", "current_version": "^11.0.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `cachetools` is 2 major version(s) behind (5.5.2 -> 7.1.4)"}, "properties": {"repobilityId": 71065, "scanner": "repobility-dependency-currency", "fingerprint": "dc0b8aa2851d95187b33496848217d77767dc55c21c01654b13b83155ce24b1e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cachetools", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "7.1.4", "correlation_key": "fp|dc0b8aa2851d95187b33496848217d77767dc55c21c01654b13b83155ce24b1e", "current_version": "5.5.2"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "warning", "message": {"text": "Python package `aiofiles` is 1 major version(s) behind (24.1.0 -> 25.1.0)"}, "properties": {"repobilityId": 71054, "scanner": "repobility-dependency-currency", "fingerprint": "caa03fe5307f56e30bf905058cb3c2935a10a4c4e2a2a9d070c033d2a6140194", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "aiofiles", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "25.1.0", "correlation_key": "fp|caa03fe5307f56e30bf905058cb3c2935a10a4c4e2a2a9d070c033d2a6140194", "current_version": "24.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70988, "scanner": "repobility-ast-engine", "fingerprint": "5ed49a83a0a380780ed4a124524fa2d0cc1167eb54dd5fd088f3eaf15c6e545c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5ed49a83a0a380780ed4a124524fa2d0cc1167eb54dd5fd088f3eaf15c6e545c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/sandbox/remote_sandbox_service.py"}, "region": {"startLine": 405}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70987, "scanner": 
"repobility-ast-engine", "fingerprint": "e048af9829b00828260942aed1ffd79a96406fbfb3f488cd32a614f53e364ecf", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e048af9829b00828260942aed1ffd79a96406fbfb3f488cd32a614f53e364ecf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/services/jwt_service.py"}, "region": {"startLine": 301}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70986, "scanner": "repobility-ast-engine", "fingerprint": "c5de43e7f1b5e3bf80ef9314fe37f0a8c24c7a03cdad9ad16f50affe40d799d8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c5de43e7f1b5e3bf80ef9314fe37f0a8c24c7a03cdad9ad16f50affe40d799d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/user/skills_router.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70985, "scanner": "repobility-ast-engine", "fingerprint": "453265930b53d9e13db2ef56edbea7e5c45a970fd51b6bc70e8938e7d87439f1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": 
[], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|453265930b53d9e13db2ef56edbea7e5c45a970fd51b6bc70e8938e7d87439f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/app_conversation/skill_loader.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70984, "scanner": "repobility-ast-engine", "fingerprint": "bb22778e6db2b6934c283d3e9e3424a214c5f752cf434bf9bfa4833f2d0bb7bd", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bb22778e6db2b6934c283d3e9e3424a214c5f752cf434bf9bfa4833f2d0bb7bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/app_conversation/skill_loader.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70983, "scanner": "repobility-ast-engine", "fingerprint": "44e91a887b594d4624b1a39fb96abc79fc0222a64ae79d183a5778c88678fba4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|44e91a887b594d4624b1a39fb96abc79fc0222a64ae79d183a5778c88678fba4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/version.py"}, "region": {"startLine": 46}}}]}, 
{"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70982, "scanner": "repobility-ast-engine", "fingerprint": "1824d80798f6898922768e1d53e8e1056bb4a6f709ef9ceb9018a83f5bd9012f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1824d80798f6898922768e1d53e8e1056bb4a6f709ef9ceb9018a83f5bd9012f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/static.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70981, "scanner": "repobility-ast-engine", "fingerprint": "c8598e97a9cbaea4df2c30b1d40df518a86dcda7e1fd87f14f76f62c2a7d65c8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c8598e97a9cbaea4df2c30b1d40df518a86dcda7e1fd87f14f76f62c2a7d65c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/app_server/file_store/test_file_store.py"}, "region": {"startLine": 293}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70980, "scanner": "repobility-ast-engine", "fingerprint": "5ea58a370ae0b72be9fe1d19d22920bd3356010e61fadbe0bd03dffa4477602d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": 
"", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5ea58a370ae0b72be9fe1d19d22920bd3356010e61fadbe0bd03dffa4477602d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/frontend/test_translation_completeness.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70965, "scanner": "repobility-ast-engine", "fingerprint": "48d3526df72429f22bcb39245843165213feb3a283f9780d760c02c08aaa5c46", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|48d3526df72429f22bcb39245843165213feb3a283f9780d760c02c08aaa5c46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/integration/jira_dc.py"}, "region": {"startLine": 1037}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70960, "scanner": "repobility-ast-engine", "fingerprint": "b13128f6688c5c096b8d9786ac60c9face998c542e85e99293b32ea08306e4af", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b13128f6688c5c096b8d9786ac60c9face998c542e85e99293b32ea08306e4af"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/auth.py"}, "region": {"startLine": 681}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70959, "scanner": "repobility-ast-engine", "fingerprint": "5fcae69139954c700bda394f3204c58a9855cc9ecb8aaab3546c858a05e72b27", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5fcae69139954c700bda394f3204c58a9855cc9ecb8aaab3546c858a05e72b27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/auth.py"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70955, "scanner": "repobility-ast-engine", "fingerprint": "1fcaf81ad48b1551b8a1a03e19714cde06eed35a62c4fe08120de634dea7c97f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1fcaf81ad48b1551b8a1a03e19714cde06eed35a62c4fe08120de634dea7c97f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_maintenance_task_runner_standalone.py"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70954, "scanner": "repobility-ast-engine", "fingerprint": 
"53d0f3baeb358c686688bcb85c3e826cdd834529130f090bc783171112fc9ccc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|53d0f3baeb358c686688bcb85c3e826cdd834529130f090bc783171112fc9ccc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_maintenance_task_runner_standalone.py"}, "region": {"startLine": 617}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70953, "scanner": "repobility-ast-engine", "fingerprint": "42897fd5c1dc731782d4da77f6bba02c63aad9af8840aec89666d59a45afbb9f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|42897fd5c1dc731782d4da77f6bba02c63aad9af8840aec89666d59a45afbb9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_user_version_upgrade_processor_standalone.py"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70927, "scanner": "repobility-ast-engine", "fingerprint": "c5e4c8259065f050d3e4d46425365f7fb301ead7f5498c56b851dbb96b5ab10f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, 
"cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c5e4c8259065f050d3e4d46425365f7fb301ead7f5498c56b851dbb96b5ab10f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/github/data_collector.py"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70926, "scanner": "repobility-ast-engine", "fingerprint": "7b1ea7ae9ae52c0566a78578a81250810911977a65ce5b738e64538a2f938884", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7b1ea7ae9ae52c0566a78578a81250810911977a65ce5b738e64538a2f938884"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/github/data_collector.py"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70925, "scanner": "repobility-ast-engine", "fingerprint": "815faf01daac495a95071f4e92cfff10517c7722f751c10fadc5a9d7bb03fa91", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|815faf01daac495a95071f4e92cfff10517c7722f751c10fadc5a9d7bb03fa91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/gitlab/gitlab_service.py"}, "region": 
{"startLine": 435}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70924, "scanner": "repobility-ast-engine", "fingerprint": "ebaa6ab825fde11e4fef298f2d6c730727b159fff95090de8e46093a9d6d7af0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ebaa6ab825fde11e4fef298f2d6c730727b159fff95090de8e46093a9d6d7af0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/utils.py"}, "region": {"startLine": 352}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70922, "scanner": "repobility-ast-engine", "fingerprint": "549c05816baa4505fd37876e64601c0084388742a4db09b22a8ca56ae9a9b390", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|549c05816baa4505fd37876e64601c0084388742a4db09b22a8ca56ae9a9b390"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/enterprise_local/convert_to_env.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70921, "scanner": "repobility-ast-engine", "fingerprint": "a52830d33fa1de194aae8347b3002783252524d014561412f434749fec988437", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a52830d33fa1de194aae8347b3002783252524d014561412f434749fec988437"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/enterprise_local/convert_to_env.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70913, "scanner": "repobility-ast-engine", "fingerprint": "27493b0debda32d9a6b1c03cfd773f15dea6a886711c38e061f140edbdf7c92c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|27493b0debda32d9a6b1c03cfd773f15dea6a886711c38e061f140edbdf7c92c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/user_store.py"}, "region": {"startLine": 1156}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70907, "scanner": "repobility-ast-engine", "fingerprint": "98604d81cdd0800c862a45d42b6f0256a24d24ec4b34d4e4f08f8f6eb8f42aa6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|98604d81cdd0800c862a45d42b6f0256a24d24ec4b34d4e4f08f8f6eb8f42aa6"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/user_settings.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70890, "scanner": "repobility-ast-engine", "fingerprint": "c46c1ab489a15554b247b9fc617e45cff855ac6a8b7081b23eb1042da6c3f920", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c46c1ab489a15554b247b9fc617e45cff855ac6a8b7081b23eb1042da6c3f920"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/run_maintenance_tasks.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 70889, "scanner": "repobility-ast-engine", "fingerprint": "aed978e29292ff18e602af69723fb24dbb9481f3b09203841571ee1ccc60f770", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aed978e29292ff18e602af69723fb24dbb9481f3b09203841571ee1ccc60f770"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/update_openapi.py"}, "region": {"startLine": 219}}}]}, {"ruleId": "GHSA-jqfw-vq24-v9c3", "level": "note", "message": {"text": "vite: GHSA-jqfw-vq24-v9c3"}, "properties": {"repobilityId": 71308, "scanner": "osv-scanner", "fingerprint": 
"f2a79d1d3f5564b0ec6226a35e0c3cb4ba3fb0c11aaa6ac164f412f01f36c319", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-58752"], "package": "vite", "rule_id": "GHSA-jqfw-vq24-v9c3", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-58752|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-g4jq-h2w9-997c", "level": "note", "message": {"text": "vite: GHSA-g4jq-h2w9-997c"}, "properties": {"repobilityId": 71307, "scanner": "osv-scanner", "fingerprint": "0059103534f21e49221a31124a8ef4da7a9b77a5e315ac84498e4fc086a514a6", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-58751"], "package": "vite", "rule_id": "GHSA-g4jq-h2w9-997c", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2025-58751|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 71236, "scanner": "repobility-docker", "fingerprint": "b475622bc6c7ce56787d76ba73adf53e45403f7a8f2512d3760503f86cb3db5f", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "openhands", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|b475622bc6c7ce56787d76ba73adf53e45403f7a8f2512d3760503f86cb3db5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 71234, "scanner": "repobility-docker", "fingerprint": "97dfa280054fe91053c0b8faca2031f5a1f0c150e6a81ab204ad66cc0a0e6cca", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "openhands", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|97dfa280054fe91053c0b8faca2031f5a1f0c150e6a81ab204ad66cc0a0e6cca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 71232, "scanner": "repobility-docker", "fingerprint": "d93989063fbb1eec66b0c1bbe69a653a12218f7147454bcf8c78e9258878d778", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d93989063fbb1eec66b0c1bbe69a653a12218f7147454bcf8c78e9258878d778"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/dev/compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC006", "level": "note", 
"message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 71230, "scanner": "repobility-docker", "fingerprint": "26089baa62340bb8f8f53ab8981ea7171f01653547ae287e6a13b1c9b66ed186", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|26089baa62340bb8f8f53ab8981ea7171f01653547ae287e6a13b1c9b66ed186"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/dev/compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 71228, "scanner": "repobility-docker", "fingerprint": "391d316bf569d8f80a89cd8d244b043869eb83eb97ff7c4daebe81e4823bfad0", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|391d316bf569d8f80a89cd8d244b043869eb83eb97ff7c4daebe81e4823bfad0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/Dockerfile"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 71227, "scanner": "repobility-docker", "fingerprint": "e4ee97e5647a5d66450a31b9dc9c21cd346af94130f20b5687a6c08d577b5039", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", 
"verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|e4ee97e5647a5d66450a31b9dc9c21cd346af94130f20b5687a6c08d577b5039"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/Dockerfile"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 71226, "scanner": "repobility-docker", "fingerprint": "7e100681cf05ea2b5d555ce572ef713efe18f593388dda671c6ed2c72e7a9a64", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7e100681cf05ea2b5d555ce572ef713efe18f593388dda671c6ed2c72e7a9a64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 71222, "scanner": "repobility-docker", "fingerprint": "55530e530bbd6cdbe5519a7d63c84f695f13e2043d760dfee251add8b463e356", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], 
"correlation_key": "fp|55530e530bbd6cdbe5519a7d63c84f695f13e2043d760dfee251add8b463e356"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/dev/Dockerfile"}, "region": {"startLine": 94}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 71221, "scanner": "repobility-docker", "fingerprint": "dc5adb076554982c4ea1ead361c2a6fe2b37b646fc47c36283bd6cabbfb83c0b", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|dc5adb076554982c4ea1ead361c2a6fe2b37b646fc47c36283bd6cabbfb83c0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/dev/Dockerfile"}, "region": {"startLine": 65}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 71219, "scanner": "repobility-docker", "fingerprint": "16ee56e0c7621cb9264000baade1fade94f066a5f8c4009b2368706a90898b55", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|16ee56e0c7621cb9264000baade1fade94f066a5f8c4009b2368706a90898b55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/dev/Dockerfile"}, "region": {"startLine": 59}}}]}, {"ruleId": "DKR010", "level": "note", 
"message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 71218, "scanner": "repobility-docker", "fingerprint": "34c28431678e8f897b3081172e5bb4a7df41181e84029b4d665abc613183d7ec", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|34c28431678e8f897b3081172e5bb4a7df41181e84029b4d665abc613183d7ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/dev/Dockerfile"}, "region": {"startLine": 59}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 71216, "scanner": "repobility-docker", "fingerprint": "9ed77248f8daba738bed490496d567231ddd0eb6a97abe4456761f158323e91b", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9ed77248f8daba738bed490496d567231ddd0eb6a97abe4456761f158323e91b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/dev/Dockerfile"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 71215, "scanner": "repobility-docker", "fingerprint": "94c877eca489cd05681599e37792d2dd60b7752b8148685da3eeb6dc4481bddc", "category": "docker", "severity": "low", "confidence": 
0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|94c877eca489cd05681599e37792d2dd60b7752b8148685da3eeb6dc4481bddc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/dev/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 71214, "scanner": "repobility-docker", "fingerprint": "85d9237da119b8715a5ba53d6a5ddf4619b49219e3149e90062270b26ef29d76", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|85d9237da119b8715a5ba53d6a5ddf4619b49219e3149e90062270b26ef29d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/dev/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 71213, "scanner": "repobility-docker", "fingerprint": "35b70b0428c8d92fdf5bfc9dbc45cafe524bac53aa31d420dc4b624bf8bf7a25", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|35b70b0428c8d92fdf5bfc9dbc45cafe524bac53aa31d420dc4b624bf8bf7a25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/dev/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 71212, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 71210, "scanner": "repobility-docker", "fingerprint": "b57fe529a6e461b11ebca9fff5192ce5204982023d26e3ebd0c7581927585446", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b57fe529a6e461b11ebca9fff5192ce5204982023d26e3ebd0c7581927585446"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"containers/app/Dockerfile"}, "region": {"startLine": 54}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 71209, "scanner": "repobility-docker", "fingerprint": "66b0f970704f3bbcea9c481d4f946e092b1abb113ba10852d7b44a412c305f24", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|66b0f970704f3bbcea9c481d4f946e092b1abb113ba10852d7b44a412c305f24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/app/Dockerfile"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 71208, "scanner": "repobility-docker", "fingerprint": "3eaed4d3f4bdcaedd340939829488f89ea525b687de0529705b9d661f3915f92", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3eaed4d3f4bdcaedd340939829488f89ea525b687de0529705b9d661f3915f92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/app/Dockerfile"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 71207, "scanner": "repobility-docker", "fingerprint": 
"59c8821dd37302a19b4f23f2b235343e1e617dd662c5ce4d58a9a67b56cd8dd0", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|59c8821dd37302a19b4f23f2b235343e1e617dd662c5ce4d58a9a67b56cd8dd0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/app/Dockerfile"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC124", "level": "note", "message": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason."}, "properties": {"repobilityId": 71198, "scanner": "repobility-threat-engine", "fingerprint": "6119e4a27d797962ae64f07a2bd9ee8b6c2455bd310018721a7157e3440827e3", "category": "race_condition", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.path.isfile(full_path):\n                os.remove(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC124", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6119e4a27d797962ae64f07a2bd9ee8b6c2455bd310018721a7157e3440827e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/file_store/local.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 12 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=1, if=7, nested_bonus=4."}, "properties": {"repobilityId": 71108, "scanner": "repobility-threat-engine", "fingerprint": "e5420c21710a67c42ec6db10d63adf22d5d2fac461a08367c93140f7f8b578d3", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 12 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 7, "else": 1, "nested_bonus": 4}, "complexity": 12, "correlation_key": "fp|e5420c21710a67c42ec6db10d63adf22d5d2fac461a08367c93140f7f8b578d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/find_prs_between_commits.py"}, "region": {"startLine": 248}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@tanstack/eslint-plugin-query` is minor version(s) behind (5.100.10 -> 5.101.0)"}, "properties": {"repobilityId": 71097, "scanner": "repobility-dependency-currency", "fingerprint": "07cb71f93bf5a2e2e621ef6b2d8c5a7a2f4b24d83a00cafe1c318c8fc55bfca3", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tanstack/eslint-plugin-query", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.101.0", "correlation_key": "fp|07cb71f93bf5a2e2e621ef6b2d8c5a7a2f4b24d83a00cafe1c318c8fc55bfca3", "current_version": "5.100.10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package 
`tailwind-merge` is minor version(s) behind (3.4.0 -> 3.6.0)"}, "properties": {"repobilityId": 71095, "scanner": "repobility-dependency-currency", "fingerprint": "5552a29636ae1c2e87312c0b521d911d3a9cc5e5f8ff0ad224ccde35e2c2019a", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tailwind-merge", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.6.0", "correlation_key": "fp|5552a29636ae1c2e87312c0b521d911d3a9cc5e5f8ff0ad224ccde35e2c2019a", "current_version": "3.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `react-icons` is minor version(s) behind (5.5.0 -> 5.6.0)"}, "properties": {"repobilityId": 71093, "scanner": "repobility-dependency-currency", "fingerprint": "62d33f951e8a0df268cdcc5d6922d66be4e3d38b4540c64e3d7305a3a2c736ff", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-icons", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.6.0", "correlation_key": "fp|62d33f951e8a0df268cdcc5d6922d66be4e3d38b4540c64e3d7305a3a2c736ff", "current_version": "5.5.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `axios` is minor version(s) behind (1.16.0 -> 1.17.0)"}, "properties": {"repobilityId": 71089, "scanner": "repobility-dependency-currency", "fingerprint": 
"c0d2b839389045bf85cc4549c26a72e32603f280b56bdf979c9101110df1cf93", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "axios", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.17.0", "correlation_key": "fp|c0d2b839389045bf85cc4549c26a72e32603f280b56bdf979c9101110df1cf93", "current_version": "1.16.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@tanstack/react-query` is minor version(s) behind (5.90.20 -> 5.101.0)"}, "properties": {"repobilityId": 71088, "scanner": "repobility-dependency-currency", "fingerprint": "1704e9d8052fb00c1d7311ce59e4899c5b4453455292570863fdf40eed4e806d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tanstack/react-query", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.101.0", "correlation_key": "fp|1704e9d8052fb00c1d7311ce59e4899c5b4453455292570863fdf40eed4e806d", "current_version": "5.90.20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@react-router/serve` is minor version(s) behind (7.13.0 -> 7.17.0)"}, "properties": {"repobilityId": 71087, "scanner": "repobility-dependency-currency", "fingerprint": "2f8827d257386121409b869258386a49a8ad3891421d9ffacdec7ef128098a1d", "category": "dependency", "severity": "low", "confidence": 0.9, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@react-router/serve", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.17.0", "correlation_key": "fp|2f8827d257386121409b869258386a49a8ad3891421d9ffacdec7ef128098a1d", "current_version": "7.13.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@react-router/node` is minor version(s) behind (7.13.0 -> 7.17.0)"}, "properties": {"repobilityId": 71086, "scanner": "repobility-dependency-currency", "fingerprint": "ea96e11328a059b804639695559fa4617ed0b7224aa4d228b0206ce4b2b65c65", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@react-router/node", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.17.0", "correlation_key": "fp|ea96e11328a059b804639695559fa4617ed0b7224aa4d228b0206ce4b2b65c65", "current_version": "7.13.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@microlink/react-json-view` is minor version(s) behind (1.27.1 -> 1.31.20)"}, "properties": {"repobilityId": 71085, "scanner": "repobility-dependency-currency", "fingerprint": "b286722def2951c5579a857738ed36e4d10356d5e34db8f4be395b5ced9dc791", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": 
"currency", "cwe_ids": [], "package": "@microlink/react-json-view", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.31.20", "correlation_key": "fp|b286722def2951c5579a857738ed36e4d10356d5e34db8f4be395b5ced9dc791", "current_version": "1.27.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `tailwind-merge` is minor version(s) behind (3.4.0 -> 3.6.0)"}, "properties": {"repobilityId": 71083, "scanner": "repobility-dependency-currency", "fingerprint": "2377ff759b9efee3d32a2b38ad1487877b2cb210acfcac726d608df862694ff6", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tailwind-merge", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.6.0", "correlation_key": "fp|2377ff759b9efee3d32a2b38ad1487877b2cb210acfcac726d608df862694ff6", "current_version": "3.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `fakeredis` is minor version(s) behind (2.34.1 -> 2.36.0)"}, "properties": {"repobilityId": 71076, "scanner": "repobility-dependency-currency", "fingerprint": "451ad9cdea3754e94f9df81ea6d27e2e598aec2058d7f88e9faf3ea9d26bd102", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "fakeredis", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], 
"latest_version": "2.36.0", "correlation_key": "fp|451ad9cdea3754e94f9df81ea6d27e2e598aec2058d7f88e9faf3ea9d26bd102", "current_version": "2.34.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `docutils` is minor version(s) behind (0.22.4 -> 0.23)"}, "properties": {"repobilityId": 71075, "scanner": "repobility-dependency-currency", "fingerprint": "9568d1137b85c54e12f4e4c54948d2d226bbba1ae02169bc4e6433ceef27f124", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "docutils", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.23", "correlation_key": "fp|9568d1137b85c54e12f4e4c54948d2d226bbba1ae02169bc4e6433ceef27f124", "current_version": "0.22.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `docstring-parser` is minor version(s) behind (0.17.0 -> 0.18.0)"}, "properties": {"repobilityId": 71074, "scanner": "repobility-dependency-currency", "fingerprint": "ae652364d9ac93c9789ee2d6fb4512ec748ad13e196bcc9e1fa576359328ca6d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "docstring-parser", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.18.0", "correlation_key": "fp|ae652364d9ac93c9789ee2d6fb4512ec748ad13e196bcc9e1fa576359328ca6d", "current_version": "0.17.0"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `decorator` is minor version(s) behind (5.2.1 -> 5.3.1)"}, "properties": {"repobilityId": 71072, "scanner": "repobility-dependency-currency", "fingerprint": "b73eaeb4d6bbe547156879ea7e5a6beccae8552f58351e6ee52581d58332eab5", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "decorator", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "5.3.1", "correlation_key": "fp|b73eaeb4d6bbe547156879ea7e5a6beccae8552f58351e6ee52581d58332eab5", "current_version": "5.2.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `cyclopts` is minor version(s) behind (4.10.1 -> 4.16.1)"}, "properties": {"repobilityId": 71070, "scanner": "repobility-dependency-currency", "fingerprint": "d50a00f00ca98c254c2a1879ded6fcb2d2858a47877c9fedc71c771a4cb0fc68", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cyclopts", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "4.16.1", "correlation_key": "fp|d50a00f00ca98c254c2a1879ded6fcb2d2858a47877c9fedc71c771a4cb0fc68", "current_version": "4.10.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `clr-loader` is minor version(s) behind (0.2.10 
-> 0.3.1)"}, "properties": {"repobilityId": 71069, "scanner": "repobility-dependency-currency", "fingerprint": "bdd222f982fcbf1946b72b79721ecb579a9ed8b1c390f94e880754b0d66ce240", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "clr-loader", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.3.1", "correlation_key": "fp|bdd222f982fcbf1946b72b79721ecb579a9ed8b1c390f94e880754b0d66ce240", "current_version": "0.2.10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `click` is minor version(s) behind (8.1.8 -> 8.4.1)"}, "properties": {"repobilityId": 71068, "scanner": "repobility-dependency-currency", "fingerprint": "efaeb5f3e4abe15b7c826e9450cd8adec2cc8285819c5568ce12d013b01001f8", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "click", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "8.4.1", "correlation_key": "fp|efaeb5f3e4abe15b7c826e9450cd8adec2cc8285819c5568ce12d013b01001f8", "current_version": "8.1.8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `certifi` is minor version(s) behind (2026.2.25 -> 2026.5.20)"}, "properties": {"repobilityId": 71066, "scanner": "repobility-dependency-currency", "fingerprint": "e90326128cd3f85034d1f242b5e21873581f4745f87db9ed4f62cd961eb79850", "category": "dependency", 
"severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "certifi", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2026.5.20", "correlation_key": "fp|e90326128cd3f85034d1f242b5e21873581f4745f87db9ed4f62cd961eb79850", "current_version": "2026.2.25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `build` is minor version(s) behind (1.4.2 -> 1.5.0)"}, "properties": {"repobilityId": 71064, "scanner": "repobility-dependency-currency", "fingerprint": "81d728fa8b67d5fd8f24c904c3bd76d8fe59047ef81adaf9095737f073247df8", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "build", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "1.5.0", "correlation_key": "fp|81d728fa8b67d5fd8f24c904c3bd76d8fe59047ef81adaf9095737f073247df8", "current_version": "1.4.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `browsergym-core` is minor version(s) behind (0.13.3 -> 0.14.3)"}, "properties": {"repobilityId": 71063, "scanner": "repobility-dependency-currency", "fingerprint": "8ab22c5888f50a0d58701da390509b576b4c1e567da9562521f0afe3ca0b4c3f", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], 
"package": "browsergym-core", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.14.3", "correlation_key": "fp|8ab22c5888f50a0d58701da390509b576b4c1e567da9562521f0afe3ca0b4c3f", "current_version": "0.13.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `browser-use-sdk` is minor version(s) behind (3.4.0 -> 3.8.1)"}, "properties": {"repobilityId": 71062, "scanner": "repobility-dependency-currency", "fingerprint": "3f857e6b2a4368d0c8624df1d3c3eb980e77cdfcb000bf66eed431cd3c44dd1c", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "browser-use-sdk", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "3.8.1", "correlation_key": "fp|3f857e6b2a4368d0c8624df1d3c3eb980e77cdfcb000bf66eed431cd3c44dd1c", "current_version": "3.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `browser-use` is minor version(s) behind (0.11.13 -> 0.12.9)"}, "properties": {"repobilityId": 71061, "scanner": "repobility-dependency-currency", "fingerprint": "05026ae24aa2c017c55a232d49c4d20f632a20be40e5c1bb44982cd5c13c72aa", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "browser-use", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.12.9", "correlation_key": 
"fp|05026ae24aa2c017c55a232d49c4d20f632a20be40e5c1bb44982cd5c13c72aa", "current_version": "0.11.13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `binaryornot` is minor version(s) behind (0.4.4 -> 0.6.0)"}, "properties": {"repobilityId": 71060, "scanner": "repobility-dependency-currency", "fingerprint": "816a3403a434141b8807d15c5b66984b64b3b18d0c8ef97e2d17d6c14f201ca7", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "binaryornot", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.6.0", "correlation_key": "fp|816a3403a434141b8807d15c5b66984b64b3b18d0c8ef97e2d17d6c14f201ca7", "current_version": "0.4.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `authlib` is minor version(s) behind (1.6.12 -> 1.7.2)"}, "properties": {"repobilityId": 71059, "scanner": "repobility-dependency-currency", "fingerprint": "212cec295c99e3f4d08d1347a4e927e43442ed0619005d6cb0cbd60fd3b49c7f", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "authlib", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "1.7.2", "correlation_key": "fp|212cec295c99e3f4d08d1347a4e927e43442ed0619005d6cb0cbd60fd3b49c7f", "current_version": "1.6.12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `asyncpg` is minor version(s) behind (0.30.0 -> 0.31.0)"}, "properties": {"repobilityId": 71058, "scanner": "repobility-dependency-currency", "fingerprint": "6ab6a8223b2da4303489edeecaeed53ea51023e5f21148b47f5498842524c757", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "asyncpg", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.31.0", "correlation_key": "fp|6ab6a8223b2da4303489edeecaeed53ea51023e5f21148b47f5498842524c757", "current_version": "0.30.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `anyio` is minor version(s) behind (4.9.0 -> 4.13.0)"}, "properties": {"repobilityId": 71057, "scanner": "repobility-dependency-currency", "fingerprint": "439e4413fa9eaa6f444aefa807cab80c577318a72ded0808f56ac2797b81fe32", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "anyio", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "4.13.0", "correlation_key": "fp|439e4413fa9eaa6f444aefa807cab80c577318a72ded0808f56ac2797b81fe32", "current_version": "4.9.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `anthropic` is minor version(s) behind (0.88.0 -> 0.105.2)"}, "properties": {"repobilityId": 71056, "scanner": 
"repobility-dependency-currency", "fingerprint": "bb62c7545e922f0e38b8dab53bdcd28db1dc3b74ae1f3cb02ff865a31b5532ac", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "anthropic", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.105.2", "correlation_key": "fp|bb62c7545e922f0e38b8dab53bdcd28db1dc3b74ae1f3cb02ff865a31b5532ac", "current_version": "0.88.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `aiofile` is minor version(s) behind (3.9.0 -> 3.11.1)"}, "properties": {"repobilityId": 71053, "scanner": "repobility-dependency-currency", "fingerprint": "b37f9f2b9dd432a36413bc400f940fb433cddd9596dc107bbc34584c53668c43", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "aiofile", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "3.11.1", "correlation_key": "fp|b37f9f2b9dd432a36413bc400f940fb433cddd9596dc107bbc34584c53668c43", "current_version": "3.9.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `agent-client-protocol` is minor version(s) behind (0.9.0 -> 0.10.1)"}, "properties": {"repobilityId": 71052, "scanner": "repobility-dependency-currency", "fingerprint": "c62a18311f2d2b2b4f858f5121dfbfb44920464e2baf1427fba380f65bb82670", "category": "dependency", "severity": "low", "confidence": 0.9, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "agent-client-protocol", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.10.1", "correlation_key": "fp|c62a18311f2d2b2b4f858f5121dfbfb44920464e2baf1427fba380f65bb82670", "current_version": "0.9.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70888, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bb2ca0f1e6d408268354b52959f93076116c27bcbc1715d7b7631196d8679ec1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/storage/jira_dc_workspace.py", "duplicate_line": 13, "correlation_key": "fp|bb2ca0f1e6d408268354b52959f93076116c27bcbc1715d7b7631196d8679ec1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/jira_workspace.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70887, "scanner": "repobility-ai-code-hygiene", "fingerprint": "27ae93f4490b139556fabbc46a51f1edfa6513546cfaaa89524c805390ffdf20", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, 
"rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/storage/jira_dc_user.py", "duplicate_line": 20, "correlation_key": "fp|27ae93f4490b139556fabbc46a51f1edfa6513546cfaaa89524c805390ffdf20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/jira_user.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70886, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0a5648ff66b8d5e31b0d729a7d4683cf4e77a7fb2e8c1a0fc9391cc9442cc854", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/storage/jira_dc_user.py", "duplicate_line": 20, "correlation_key": "fp|0a5648ff66b8d5e31b0d729a7d4683cf4e77a7fb2e8c1a0fc9391cc9442cc854"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/jira_dc_workspace.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70885, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ae73b27a057e39a65212cfc4cef122bd87d90cbf0e5fa3d337638ed740cd2a9e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"enterprise/integrations/github/github_v1_callback_processor.py", "duplicate_line": 204, "correlation_key": "fp|ae73b27a057e39a65212cfc4cef122bd87d90cbf0e5fa3d337638ed740cd2a9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/utils/conversation_utils.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70884, "scanner": "repobility-ai-code-hygiene", "fingerprint": "622e17eb76dacad82b567fc80c96f97af763a81c0991d6718de2438c30d8184a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/server/sharing/aws_shared_event_service.py", "duplicate_line": 18, "correlation_key": "fp|622e17eb76dacad82b567fc80c96f97af763a81c0991d6718de2438c30d8184a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/sharing/google_cloud_shared_event_service.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70883, "scanner": "repobility-ai-code-hygiene", "fingerprint": "754c2f4ce95d8ca5d4fae9cf7af37c2d9cf4aa6723d9628ef65e215526e3ff54", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/server/sharing/aws_shared_event_service.py", 
"duplicate_line": 56, "correlation_key": "fp|754c2f4ce95d8ca5d4fae9cf7af37c2d9cf4aa6723d9628ef65e215526e3ff54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/sharing/filesystem_shared_event_service.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70882, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d044c99fb98c576d469044286df4049d1c133af98eaecb3efe2bea69809f71ce", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/server/config.py", "duplicate_line": 31, "correlation_key": "fp|d044c99fb98c576d469044286df4049d1c133af98eaecb3efe2bea69809f71ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/integration/github.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70881, "scanner": "repobility-ai-code-hygiene", "fingerprint": "12c710e2af1b555bd6b5a30de367b699ceb0cbd57c6b2879df45f2d7f9621373", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/server/routes/integration/bitbucket.py", "duplicate_line": 41, "correlation_key": 
"fp|12c710e2af1b555bd6b5a30de367b699ceb0cbd57c6b2879df45f2d7f9621373"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/integration/bitbucket_dc.py"}, "region": {"startLine": 231}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70880, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1a338f0696d9f02b64830b348cd873b8734315ac1d28ae23ca55694fc772691d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/github/github_v1_callback_processor.py", "duplicate_line": 205, "correlation_key": "fp|1a338f0696d9f02b64830b348cd873b8734315ac1d28ae23ca55694fc772691d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/slack/slack_view.py"}, "region": {"startLine": 265}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70879, "scanner": "repobility-ai-code-hygiene", "fingerprint": "af07959e0093c426fa3e322ec4dedff0320fb868c12c80bd91f2d578c2748f6f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/gitlab/gitlab_v1_callback_processor.py", "duplicate_line": 197, "correlation_key": 
"fp|af07959e0093c426fa3e322ec4dedff0320fb868c12c80bd91f2d578c2748f6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/slack/slack_v1_callback_processor.py"}, "region": {"startLine": 195}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70878, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d82f99a6ff46061458df4f8efb10d11fe746254b6891f18a9dad8a921ab80054", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/github/github_v1_callback_processor.py", "duplicate_line": 132, "correlation_key": "fp|d82f99a6ff46061458df4f8efb10d11fe746254b6891f18a9dad8a921ab80054"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/slack/slack_v1_callback_processor.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70877, "scanner": "repobility-ai-code-hygiene", "fingerprint": "45ef75f22bfbf5e80032f764056391e13129b76a0f4efcff9a1e8a40ea7cad9f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/bitbucket/bitbucket_v1_callback_processor.py", "duplicate_line": 8, "correlation_key": 
"fp|45ef75f22bfbf5e80032f764056391e13129b76a0f4efcff9a1e8a40ea7cad9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/slack/slack_v1_callback_processor.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70876, "scanner": "repobility-ai-code-hygiene", "fingerprint": "016c6919eef7d355b83dbeb6eede3e1cf82f7a6650f07c0fe5f9ecc29cef730f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/gitlab/gitlab_v1_callback_processor.py", "duplicate_line": 197, "correlation_key": "fp|016c6919eef7d355b83dbeb6eede3e1cf82f7a6650f07c0fe5f9ecc29cef730f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/jira_dc/jira_dc_v1_callback_processor.py"}, "region": {"startLine": 108}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70875, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4e60844b3b8e835876fb7c604b87639794c3c21678560d6dc582ecdb2aee0160", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/github/github_v1_callback_processor.py", "duplicate_line": 203, "correlation_key": 
"fp|4e60844b3b8e835876fb7c604b87639794c3c21678560d6dc582ecdb2aee0160"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/jira_dc/jira_dc_v1_callback_processor.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70874, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9b332000d86cfb79697b908faaa8d7917256709867186ff361f867a9bc191e38", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/jira/jira_v1_callback_processor.py", "duplicate_line": 11, "correlation_key": "fp|9b332000d86cfb79697b908faaa8d7917256709867186ff361f867a9bc191e38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/jira_dc/jira_dc_v1_callback_processor.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70873, "scanner": "repobility-ai-code-hygiene", "fingerprint": "72b9879e8375c7cae98a82164d4f4e477e6332167e7d712822d4ced714d8a8f0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/bitbucket/bitbucket_v1_callback_processor.py", "duplicate_line": 8, "correlation_key": 
"fp|72b9879e8375c7cae98a82164d4f4e477e6332167e7d712822d4ced714d8a8f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/jira_dc/jira_dc_v1_callback_processor.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70872, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ea04bbe498b1df4d38b1893e5a46555874161c57cd83fb913580e9e74ec76443", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/gitlab/gitlab_v1_callback_processor.py", "duplicate_line": 197, "correlation_key": "fp|ea04bbe498b1df4d38b1893e5a46555874161c57cd83fb913580e9e74ec76443"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/jira/jira_v1_callback_processor.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70871, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c4a7998370fad1323941e459dc4601b364ea5c1a40da0398b0cd0cadba00a7fe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/github/github_v1_callback_processor.py", "duplicate_line": 203, "correlation_key": 
"fp|c4a7998370fad1323941e459dc4601b364ea5c1a40da0398b0cd0cadba00a7fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/jira/jira_v1_callback_processor.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70870, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5b3efc2ec58bd42b75adef34f6a4d0330424487af67303c1119e9ae9ad3886f2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/bitbucket/bitbucket_v1_callback_processor.py", "duplicate_line": 7, "correlation_key": "fp|5b3efc2ec58bd42b75adef34f6a4d0330424487af67303c1119e9ae9ad3886f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/jira/jira_v1_callback_processor.py"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70869, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9664f291867a4566f98d10e1e8aa4bb1ceea271e13be9a4b685b04a4166063e3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/github/github_view.py", "duplicate_line": 117, "correlation_key": 
"fp|9664f291867a4566f98d10e1e8aa4bb1ceea271e13be9a4b685b04a4166063e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/gitlab/gitlab_view.py"}, "region": {"startLine": 89}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70868, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2f2773a127a6a7f4ddddda40451060b596b2e8c4db57827f4ea36eaeb03d8e59", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/bitbucket/bitbucket_view.py", "duplicate_line": 90, "correlation_key": "fp|2f2773a127a6a7f4ddddda40451060b596b2e8c4db57827f4ea36eaeb03d8e59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/gitlab/gitlab_view.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70867, "scanner": "repobility-ai-code-hygiene", "fingerprint": "22fc42730958187bba3994dedd08955f7daf9032113a715e7be289352515b4bc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/github/github_v1_callback_processor.py", "duplicate_line": 133, "correlation_key": "fp|22fc42730958187bba3994dedd08955f7daf9032113a715e7be289352515b4bc"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/gitlab/gitlab_v1_callback_processor.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70866, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1f32e9d3bbaef2b7449574fbdbfc2e57ad6a88bd6f23f29652bf224ccc2ad640", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/bitbucket/bitbucket_v1_callback_processor.py", "duplicate_line": 6, "correlation_key": "fp|1f32e9d3bbaef2b7449574fbdbfc2e57ad6a88bd6f23f29652bf224ccc2ad640"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/gitlab/gitlab_v1_callback_processor.py"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70865, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3b81e8872f8e74bb440c2ce8608d187a40a6e174dca329ac89486ba95e12d413", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/bitbucket/bitbucket_service.py", "duplicate_line": 20, "correlation_key": "fp|3b81e8872f8e74bb440c2ce8608d187a40a6e174dca329ac89486ba95e12d413"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "enterprise/integrations/gitlab/gitlab_service.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70864, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e62bb8edae0f5b1ade3728f8e3beb3204109c0df70835144eafe17784cebb8f5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/bitbucket/bitbucket_view.py", "duplicate_line": 90, "correlation_key": "fp|e62bb8edae0f5b1ade3728f8e3beb3204109c0df70835144eafe17784cebb8f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/github/github_view.py"}, "region": {"startLine": 116}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70863, "scanner": "repobility-ai-code-hygiene", "fingerprint": "60dd31498b31cf1a6f9e0cdbf15b0f40814f7c77fcccb0f2243b46d710fb45c2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/bitbucket/bitbucket_v1_callback_processor.py", "duplicate_line": 8, "correlation_key": "fp|60dd31498b31cf1a6f9e0cdbf15b0f40814f7c77fcccb0f2243b46d710fb45c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"enterprise/integrations/github/github_v1_callback_processor.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70862, "scanner": "repobility-ai-code-hygiene", "fingerprint": "00b44b7468f0105d23f3560f7ae582e4f69691699b1db3258a4b736dfb6771bf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/bitbucket/bitbucket_service.py", "duplicate_line": 20, "correlation_key": "fp|00b44b7468f0105d23f3560f7ae582e4f69691699b1db3258a4b736dfb6771bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/github/github_service.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70861, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8561e10805baf53af0e5bc0d5cd7dad041192edb353588dd962074711d0c8e09", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/bitbucket/bitbucket_view.py", "duplicate_line": 8, "correlation_key": "fp|8561e10805baf53af0e5bc0d5cd7dad041192edb353588dd962074711d0c8e09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/bitbucket_data_center/bitbucket_dc_view.py"}, 
"region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70860, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2b4c3fe8d4954b79a967e90ed6ad59e7d04c21b167467b4cb2286f669226e9f0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/bitbucket/bitbucket_v1_callback_processor.py", "duplicate_line": 6, "correlation_key": "fp|2b4c3fe8d4954b79a967e90ed6ad59e7d04c21b167467b4cb2286f669226e9f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/bitbucket_data_center/bitbucket_dc_v1_callback_processor.py"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70859, "scanner": "repobility-ai-code-hygiene", "fingerprint": "73eedff703438b20f2a11be553fe766d1336b5b7daab3efe51d37fa6612c70ae", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "enterprise/integrations/bitbucket/bitbucket_manager.py", "duplicate_line": 175, "correlation_key": "fp|73eedff703438b20f2a11be553fe766d1336b5b7daab3efe51d37fa6612c70ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/bitbucket_data_center/bitbucket_dc_manager.py"}, "region": 
{"startLine": 316}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 71224, "scanner": "repobility-docker", "fingerprint": "71ca3ddd147028e2c49da4f9f8644f6e5178c0e538667a4500ea5df9308764df", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${BASE}:${OPENHANDS_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|71ca3ddd147028e2c49da4f9f8644f6e5178c0e538667a4500ea5df9308764df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 71201, "scanner": "repobility-threat-engine", "fingerprint": "14120127e91f683b352e55e57d68aaade27c43310475729af038b3729ff55756", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|14120127e91f683b352e55e57d68aaade27c43310475729af038b3729ff55756"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"openhands/app_server/integrations/gitlab/gitlab_service.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 71200, "scanner": "repobility-threat-engine", "fingerprint": "6e038d8e3fdf9a6638a8d628a4377d08e5c632d37afacce1eef8fc45f64e0751", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6e038d8e3fdf9a6638a8d628a4377d08e5c632d37afacce1eef8fc45f64e0751"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/integrations/github/github_service.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 71196, "scanner": "repobility-threat-engine", "fingerprint": "3d9b012c87281ac180be117c655a107e3944aef680e0c755a8689e77fb2f16a3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", 
"correlation_key": "fp|3d9b012c87281ac180be117c655a107e3944aef680e0c755a8689e77fb2f16a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/components/icon/Icon.stories.tsx"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC046", "level": "none", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 71195, "scanner": "repobility-threat-engine", "fingerprint": "421c093ac37dfcc53989f926795c89f28e8098a914d8e5f7a865eb8d1653b5ef", "category": "open_redirect", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|421c093ac37dfcc53989f926795c89f28e8098a914d8e5f7a865eb8d1653b5ef"}}}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\" (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 71191, "scanner": "repobility-threat-engine", "fingerprint": "0eef884db84dc77198cfae04feff1d5e87337621ea6e75bc6e5e06b9220adcd5", "category": "security", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0eef884db84dc77198cfae04feff1d5e87337621ea6e75bc6e5e06b9220adcd5"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 71187, "scanner": "repobility-threat-engine", "fingerprint": "7b2e5c504cd185fd9b95eae283ee38e5b0dfa29f675fe4283cf6a69dddabd815", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7b2e5c504cd185fd9b95eae283ee38e5b0dfa29f675fe4283cf6a69dddabd815", "aggregated_count": 14}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 71186, "scanner": "repobility-threat-engine", "fingerprint": "2436240c57c73d1c433ba1bf809a58cddf07a81a68360e8738179b2edbb81c4e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", 
"javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2436240c57c73d1c433ba1bf809a58cddf07a81a68360e8738179b2edbb81c4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/features/chat/messages.tsx"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 71185, "scanner": "repobility-threat-engine", "fingerprint": "0519eda54a3ce29eb63012b305d3007a33e9351ff6541de33eb24b36d04ccc86", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0519eda54a3ce29eb63012b305d3007a33e9351ff6541de33eb24b36d04ccc86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/features/chat/chat-messages-skeleton.tsx"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 71184, "scanner": "repobility-threat-engine", "fingerprint": "75144fafe2209544f927e0da0e506189c31f71a0a632b1e1d8e7df4f9ea7c752", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|75144fafe2209544f927e0da0e506189c31f71a0a632b1e1d8e7df4f9ea7c752"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/features/chat/chat-message.tsx"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 71183, "scanner": "repobility-threat-engine", "fingerprint": "608d8d675ae0526fc953a53caf5c68a07518f95ee27080c50acec2df294a2cc4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|608d8d675ae0526fc953a53caf5c68a07518f95ee27080c50acec2df294a2cc4", "aggregated_count": 13}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 71182, "scanner": "repobility-threat-engine", "fingerprint": "7ac916965785e37f281bf9599badf91dd660e0f122453d914396233b6859d128", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7ac916965785e37f281bf9599badf91dd660e0f122453d914396233b6859d128"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/features/conversation-panel/hooks-modal.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 71181, "scanner": "repobility-threat-engine", "fingerprint": "3f2ebc0ce3c3a854663ab03b5810e64ccd15d88d3a289aa9b892a7cc12a742d8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3f2ebc0ce3c3a854663ab03b5810e64ccd15d88d3a289aa9b892a7cc12a742d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/features/conversation-panel/conversation-card/conversation-card.tsx"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 71180, "scanner": "repobility-threat-engine", "fingerprint": "1060241ad8d219b23728c156ba3e3a920f06b5cc2bee5ffc0f3c4a00e45d00f0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1060241ad8d219b23728c156ba3e3a920f06b5cc2bee5ffc0f3c4a00e45d00f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/features/alerts/alert-banner.tsx"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 71179, "scanner": "repobility-threat-engine", "fingerprint": "976bb413e58f70f53fa6a891d8be3bb3844b6ff3fd9e04272cb46082ff0a16ea", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|976bb413e58f70f53fa6a891d8be3bb3844b6ff3fd9e04272cb46082ff0a16ea", "aggregated_count": 1}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 71178, "scanner": "repobility-threat-engine", "fingerprint": "a7f058cc4e3b07d3d2f402149e2e707c3a2d4411015d3572aceaa5ff1316a31c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a7f058cc4e3b07d3d2f402149e2e707c3a2d4411015d3572aceaa5ff1316a31c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/hooks/mutation/use-validate-integration.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 71177, "scanner": "repobility-threat-engine", "fingerprint": "b6090d78b9b50ade347a72eb65a0fd7665a7262c06de6ff9819e659ba8b2f334", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b6090d78b9b50ade347a72eb65a0fd7665a7262c06de6ff9819e659ba8b2f334"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/features/home/git-provider-dropdown/git-provider-dropdown.tsx"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 71176, "scanner": "repobility-threat-engine", "fingerprint": "2d080cfeecce932dba0780110d106c071e708785fd088b5b97907eb303e8b327", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2d080cfeecce932dba0780110d106c071e708785fd088b5b97907eb303e8b327"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/open-hands-axios.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 71175, "scanner": "repobility-threat-engine", "fingerprint": "ea93f5492ff921e9618c4e30a2631c7b1a2bef829e99f8007e5face821b69969", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ea93f5492ff921e9618c4e30a2631c7b1a2bef829e99f8007e5face821b69969", "aggregated_count": 6}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 71174, "scanner": "repobility-threat-engine", "fingerprint": "1b45a0f2ee226da33c1d32ed43e67160baaaa2717348ccd39bacde3f210c4ade", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1b45a0f2ee226da33c1d32ed43e67160baaaa2717348ccd39bacde3f210c4ade"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/context/conversation-subscriptions-provider.tsx"}, "region": {"startLine": 237}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 71173, "scanner": "repobility-threat-engine", "fingerprint": "a578debc9cc0055c6197405dbde8cee8e9738c12f9909072b9427cf351014b22", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a578debc9cc0055c6197405dbde8cee8e9738c12f9909072b9427cf351014b22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/detect-node-version.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 71172, "scanner": "repobility-threat-engine", "fingerprint": "38fa7870c118a3eab068e85e6d9a618c163c3424c47f4cb5c66094edc2280362", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|38fa7870c118a3eab068e85e6d9a618c163c3424c47f4cb5c66094edc2280362"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/check-translation-completeness.cjs"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
UUIDv3 is a deterministic MD5 hash of a namespace and name, so anyone who knows those inputs can reproduce it; only a CSPRNG-backed value such as UUIDv4 (crypto.randomUUID) is unguessable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 71163, "scanner": "repobility-threat-engine", "fingerprint": "6837a39f57fa963ae4956c915462bec1dd533162c88916885eaa8cbcc216f9fb", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|55|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/stores/model-store.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. UUIDv3 is a deterministic MD5 hash of a namespace and name, so anyone who knows those inputs can reproduce it; only a CSPRNG-backed value such as UUIDv4 (crypto.randomUUID) is unguessable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 71162, "scanner": "repobility-threat-engine", "fingerprint": "9b02c3dd51aaf3b743aaf33bf90050c755a3d25dad33e30bf05f86f3f01ce29f", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|46|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/stores/btw-store.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. UUIDv3 is a deterministic MD5 hash of a namespace and name, so anyone who knows those inputs can reproduce it; only a CSPRNG-backed value such as UUIDv4 (crypto.randomUUID) is unguessable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 71161, "scanner": "repobility-threat-engine", "fingerprint": "6351df1a89a614ad3d9d7b5ec9b74318ccbbec641edc83702773a96be291bb47", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|115|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/public/mockServiceWorker.js"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 71158, "scanner": "repobility-threat-engine", "fingerprint": "4e858a56c34b65b0912e3fe629971d6d32fcda68cee02eb1f3bab34175679dd4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4e858a56c34b65b0912e3fe629971d6d32fcda68cee02eb1f3bab34175679dd4"}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 71154, "scanner": "repobility-threat-engine", "fingerprint": "78085dc706f707972d585f11b03e926df5718320fed3b96a53b5f64d12975f09", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|78085dc706f707972d585f11b03e926df5718320fed3b96a53b5f64d12975f09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/config.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 71152, "scanner": "repobility-threat-engine", "fingerprint": "94713b55842843093e018fc9d6b7788b195eba0910146dc3bc1bced5f17053d1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|94713b55842843093e018fc9d6b7788b195eba0910146dc3bc1bced5f17053d1", "aggregated_count": 8}}}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 71151, "scanner": "repobility-threat-engine", "fingerprint": "bab677ef04d70458e907db9e5b089033be37295946e61518832708f55684f036", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bab677ef04d70458e907db9e5b089033be37295946e61518832708f55684f036"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/sharing/shared_event_service.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 71150, "scanner": "repobility-threat-engine", "fingerprint": "d0adb6f94a8c70155e0c9eea11836e5b0f5b6ee2fda8923b41d8594ba223255e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d0adb6f94a8c70155e0c9eea11836e5b0f5b6ee2fda8923b41d8594ba223255e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/sharing/shared_conversation_info_service.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 71149, "scanner": "repobility-threat-engine", "fingerprint": "52e23143c23a4ed6f0dd95a2809b02e6891508bbdd58c1344d7b43840bf70643", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|52e23143c23a4ed6f0dd95a2809b02e6891508bbdd58c1344d7b43840bf70643"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/auth/user/user_authorizer.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 7 more): Same pattern found in 7 additional files. 
Review if needed."}, "properties": {"repobilityId": 71148, "scanner": "repobility-threat-engine", "fingerprint": "e973c240dbc4f89f3ed23634248c27c341c4e2b97022c76d007ae21bef62c680", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e973c240dbc4f89f3ed23634248c27c341c4e2b97022c76d007ae21bef62c680", "aggregated_count": 7}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 71147, "scanner": "repobility-threat-engine", "fingerprint": "7742e484e37ead3e8774f00e14acb187a079725c21f055f2ac01c4d5dfcb791a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7742e484e37ead3e8774f00e14acb187a079725c21f055f2ac01c4d5dfcb791a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/hooks/mutation/use-submit-onboarding.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED043", "level": 
"none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 71146, "scanner": "repobility-threat-engine", "fingerprint": "373183e99f364a427b309b572cda1c09a13ac93bdf9a1e5d9a597438664e7211", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|373183e99f364a427b309b572cda1c09a13ac93bdf9a1e5d9a597438664e7211"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/hooks/mutation/use-accept-tos.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 71145, "scanner": "repobility-threat-engine", "fingerprint": "650e4bdf1402e4ab75f2e3ba1eec40e6695676abbb87b29b07422b8f3c023a86", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|650e4bdf1402e4ab75f2e3ba1eec40e6695676abbb87b29b07422b8f3c023a86"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "enterprise/server/auth/constants.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 71144, "scanner": "repobility-threat-engine", "fingerprint": "5b220fbbcc5595f790c3c8a72a3eb99e3ab75cd2a6fa3d88c2a598ac73068a2d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|5b220fbbcc5595f790c3c8a72a3eb99e3ab75cd2a6fa3d88c2a598ac73068a2d", "aggregated_count": 2}}}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. 
Acceptable for public read-only endpoints. Browsers reject a literal * combined with Access-Control-Allow-Credentials: true, so the wildcard by itself does not expose cookie-authenticated responses; the dangerous forms are middleware that reflects the request Origin when both a wildcard and credentials are configured, and a wildcard on an API that is reachable without credentials (e.g. a locally bound service that trusts its network boundary), where any site the user visits can drive it. Check how this constant is consumed and replace it with an explicit origin allow-list if either applies."}, "properties": {"repobilityId": 71143, "scanner": "repobility-threat-engine", "fingerprint": "33950bc238fe5c0d4b151f1258d18132018a31ba4dae6e3d508ee2551dd0b1e6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|33950bc238fe5c0d4b151f1258d18132018a31ba4dae6e3d508ee2551dd0b1e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/constants.py"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. 
Acceptable for public read-only endpoints. Browsers reject a literal * combined with Access-Control-Allow-Credentials: true, so the wildcard by itself does not expose cookie-authenticated responses; the dangerous forms are middleware that reflects the request Origin when both a wildcard and credentials are configured, and a wildcard on an API that is reachable without credentials (e.g. a locally bound service that trusts its network boundary), where any site the user visits can drive it. Check how this constant is consumed and replace it with an explicit origin allow-list if either applies."}, "properties": {"repobilityId": 71142, "scanner": "repobility-threat-engine", "fingerprint": "01a2497ffec963b6189cb443360f1b93f52ed1a029e6f3a3fede2ef5681f3d21", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|01a2497ffec963b6189cb443360f1b93f52ed1a029e6f3a3fede2ef5681f3d21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/constants.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. 
Acceptable for public read-only endpoints. Browsers reject a literal * combined with Access-Control-Allow-Credentials: true, so the wildcard by itself does not expose cookie-authenticated responses; the dangerous forms are middleware that reflects the request Origin when both a wildcard and credentials are configured, and a wildcard on an API that is reachable without credentials (e.g. a locally bound service that trusts its network boundary), where any site the user visits can drive it. Check how this constant is consumed and replace it with an explicit origin allow-list if either applies."}, "properties": {"repobilityId": 71141, "scanner": "repobility-threat-engine", "fingerprint": "4ffb5be67d2947c38856931b42d21db41947f39071a56fd7e0c7a71b63c9f98b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4ffb5be67d2947c38856931b42d21db41947f39071a56fd7e0c7a71b63c9f98b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/saas_server.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "ERR001", "level": "none", "message": {"text": "[ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 71140, "scanner": "repobility-threat-engine", "fingerprint": "4ffea2800599adb663df46ab31003467b0a25ff84f83dd40a996e94f4d40f164", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4ffea2800599adb663df46ab31003467b0a25ff84f83dd40a996e94f4d40f164"}}}, {"ruleId": "MINED001", "level": "none", "message": {"text": "[MINED001] Bare Except Pass (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 71136, "scanner": "repobility-threat-engine", "fingerprint": "a9cd3dfdb88c4ab2e663fdce8c44e30de99d61cc5311baf8505f74a40d4e7706", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a9cd3dfdb88c4ab2e663fdce8c44e30de99d61cc5311baf8505f74a40d4e7706", "aggregated_count": 11}}}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "properties": {"repobilityId": 71132, "scanner": "repobility-threat-engine", "fingerprint": "9de2cf638fac4c017ddc913db23370f3b930d1b72557cdc2419df018c85d35c1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 26 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9de2cf638fac4c017ddc913db23370f3b930d1b72557cdc2419df018c85d35c1", "aggregated_count": 26}}}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 71131, "scanner": "repobility-threat-engine", "fingerprint": "300bb79b425df800d495e2a26a623b3fa83744ea03d8cedaffa343fee89b3964", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|300bb79b425df800d495e2a26a623b3fa83744ea03d8cedaffa343fee89b3964"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/auth/recaptcha_service.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 71130, "scanner": "repobility-threat-engine", "fingerprint": "2f05bd04e8d63c129a6d9893a8cfa63b5b21d853807c31f4a3c5cf771099c11d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2f05bd04e8d63c129a6d9893a8cfa63b5b21d853807c31f4a3c5cf771099c11d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/slack/slack_types.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 71129, "scanner": "repobility-threat-engine", "fingerprint": "469bc80f4ec4bfa2570d81bd85ed14841a77a848d78afd7ed5abe952283a2823", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|469bc80f4ec4bfa2570d81bd85ed14841a77a848d78afd7ed5abe952283a2823"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/jira/jira_payload.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 44 more): Same pattern found in 44 additional files. 
Review if needed."}, "properties": {"repobilityId": 71128, "scanner": "repobility-threat-engine", "fingerprint": "b13b0a7a8bb74ca2d81dc12323eb1c7f6b3a9681090a54be187e59a2c3e9f7e3", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 44 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 44 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b13b0a7a8bb74ca2d81dc12323eb1c7f6b3a9681090a54be187e59a2c3e9f7e3"}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 48 more): Same pattern found in 48 additional files. Review if needed."}, "properties": {"repobilityId": 71124, "scanner": "repobility-threat-engine", "fingerprint": "4857e130881cb7ba35b895638c49a0fe89791d62e0d82f2bb89fea9438932246", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 48 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4857e130881cb7ba35b895638c49a0fe89791d62e0d82f2bb89fea9438932246", "aggregated_count": 48}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 71123, "scanner": "repobility-threat-engine", "fingerprint": "2e2d299758237789f5f122e2c9133bcfce4af72fbaf783d4a00547b2ded5bbd3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2e2d299758237789f5f122e2c9133bcfce4af72fbaf783d4a00547b2ded5bbd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/github/github_v1_callback_processor.py"}, "region": {"startLine": 209}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 71122, "scanner": "repobility-threat-engine", "fingerprint": 
"2a8ca91b2b714bc1d09fe050316e1ac9972827756f335005b7294dc216d2c02e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2a8ca91b2b714bc1d09fe050316e1ac9972827756f335005b7294dc216d2c02e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/bitbucket_data_center/bitbucket_dc_v1_callback_processor.py"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 71121, "scanner": "repobility-threat-engine", "fingerprint": "11db174f73e5ba1a647d0305db3894945181ce59c3e96fe4f25a604db4d6d2c7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|11db174f73e5ba1a647d0305db3894945181ce59c3e96fe4f25a604db4d6d2c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/bitbucket/bitbucket_v1_callback_processor.py"}, "region": {"startLine": 134}}}]}, 
{"ruleId": "SEC034", "level": "none", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 71117, "scanner": "repobility-threat-engine", "fingerprint": "1463c5f15774b141fd6a9008165a2e290be1368f339be01f9c278f6a91d8dc4b", "category": "log_injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1463c5f15774b141fd6a9008165a2e290be1368f339be01f9c278f6a91d8dc4b"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 71113, "scanner": "repobility-threat-engine", "fingerprint": "3c1512ec1e531167a3aa928d567398e9cb8cbf7ff40fccf993810ebf40229e88", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3c1512ec1e531167a3aa928d567398e9cb8cbf7ff40fccf993810ebf40229e88"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 71112, "scanner": "repobility-threat-engine", "fingerprint": "9a5752cbb824fbec3d66bc79849988ff59f74358f553bfbc32744593bfe8553f", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.debug('Got Bitbucket DC token via external_auth_token')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|4|logger.debug got bitbucket dc token via external_auth_token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/bitbucket_data_center/bitbucket_dc_service.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 71111, "scanner": "repobility-threat-engine", "fingerprint": "863d4eb775a7445455e542c0681a0e73af57833373aabd4647462b98e1591317", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "logger.warning('external_auth_token and user_id not set!')", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|7|logger.warning external_auth_token and user_id not set"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/bitbucket/bitbucket_service.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 71110, "scanner": "repobility-threat-engine", "fingerprint": "4e669aa5952f21c60c45c31a81d2b385edc642d9397c6aabbacc37c9fbd34bba", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.debug('Got Azure DevOps token via external_auth_token')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|4|logger.debug got azure devops token via external_auth_token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/azure_devops/azure_devops_service.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 86 more): Same pattern found in 86 additional files. Review if needed."}, "properties": {"repobilityId": 71109, "scanner": "repobility-threat-engine", "fingerprint": "0203a0f520bc9565e8f19ee85bdbd6c4a3a3916ef4dbce1402c21771a926941a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 86 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "print_results", "breakdown": {"if": 5, "for": 2, "else": 2, "nested_bonus": 10}, "aggregated": true, "complexity": 19, "correlation_key": "fp|0203a0f520bc9565e8f19ee85bdbd6c4a3a3916ef4dbce1402c21771a926941a", "aggregated_count": 86}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 71105, "scanner": "repobility-threat-engine", "fingerprint": "3eb3a4e92ecb6ecad3363655a6f096664d2e28207b7a8876df5f4e2bdb3888e2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3eb3a4e92ecb6ecad3363655a6f096664d2e28207b7a8876df5f4e2bdb3888e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/enterprise_local/convert_to_env.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 71104, "scanner": "repobility-threat-engine", "fingerprint": "b222a18f91c26145a8f4bca4ed03ea3aa9a7195e37fab25343239ae482f5e099", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 
1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b222a18f91c26145a8f4bca4ed03ea3aa9a7195e37fab25343239ae482f5e099"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/find_prs_between_commits.py"}, "region": {"startLine": 273}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `prettier` is patch version(s) behind (3.8.1 -> 3.8.3)"}, "properties": {"repobilityId": 71101, "scanner": "repobility-dependency-currency", "fingerprint": "bc6baba175fd07ef416ed40dcac713f9cfe542d0267e377c20456dff57816ceb", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "prettier", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.8.3", "correlation_key": "fp|bc6baba175fd07ef416ed40dcac713f9cfe542d0267e377c20456dff57816ceb", "current_version": "3.8.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `eslint-plugin-prettier` is patch version(s) behind (5.5.5 -> 5.5.6)"}, "properties": {"repobilityId": 71098, "scanner": "repobility-dependency-currency", "fingerprint": "2491d93e579da43f151185bdbab5dc5894afdd3ac5bd8e6cd0b98d7034f457e2", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-plugin-prettier", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], 
"latest_version": "5.5.6", "correlation_key": "fp|2491d93e579da43f151185bdbab5dc5894afdd3ac5bd8e6cd0b98d7034f457e2", "current_version": "5.5.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `zustand` is patch version(s) behind (5.0.13 -> 5.0.14)"}, "properties": {"repobilityId": 71096, "scanner": "repobility-dependency-currency", "fingerprint": "25f4b6ee6d752479a53f6bfdab028feaae915eb60f47fc23cca45d16fbbf311a", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "zustand", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.14", "correlation_key": "fp|25f4b6ee6d752479a53f6bfdab028feaae915eb60f47fc23cca45d16fbbf311a", "current_version": "5.0.13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `react-syntax-highlighter` is patch version(s) behind (16.1.0 -> 16.1.1)"}, "properties": {"repobilityId": 71094, "scanner": "repobility-dependency-currency", "fingerprint": "7b548e083196ae74bc9fc146c1e25ac145725d99638e1d7487be64e89f6b990f", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-syntax-highlighter", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "16.1.1", "correlation_key": "fp|7b548e083196ae74bc9fc146c1e25ac145725d99638e1d7487be64e89f6b990f", "current_version": "16.1.0"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `isbot` is patch version(s) behind (5.1.34 -> 5.1.40)"}, "properties": {"repobilityId": 71092, "scanner": "repobility-dependency-currency", "fingerprint": "1406255812b8a3202e2dfd1d5bd5ea19b09fd074905cbd3d965c3b4091c09e3a", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "isbot", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.1.40", "correlation_key": "fp|1406255812b8a3202e2dfd1d5bd5ea19b09fd074905cbd3d965c3b4091c09e3a", "current_version": "5.1.34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `i18next-browser-languagedetector` is patch version(s) behind (8.2.0 -> 8.2.1)"}, "properties": {"repobilityId": 71090, "scanner": "repobility-dependency-currency", "fingerprint": "e871e72816f207f8899f04215a2797a14bc48c838807ea12616ed8e69bdcd1cd", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "i18next-browser-languagedetector", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.2.1", "correlation_key": "fp|e871e72816f207f8899f04215a2797a14bc48c838807ea12616ed8e69bdcd1cd", "current_version": "8.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"DEPCUR-NPM", "level": "none", "message": {"text": "npm package `sonner` is patch version(s) behind (^2.0.6 -> 2.0.7)"}, "properties": {"repobilityId": 71079, "scanner": "repobility-dependency-currency", "fingerprint": "e85c302508d26044b6b73521d37fdae9a2fb8f49e52258436bce430d369fdaa1", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "sonner", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.0.7", "correlation_key": "fp|e85c302508d26044b6b73521d37fdae9a2fb8f49e52258436bce430d369fdaa1", "current_version": "^2.0.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@floating-ui/react` is patch version(s) behind (^0.27.12 -> 0.27.19)"}, "properties": {"repobilityId": 71077, "scanner": "repobility-dependency-currency", "fingerprint": "6f4c71446b1dc5d723e2517d1a2711bb6c480360e8cf85d46b056fafad73c70c", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@floating-ui/react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.27.19", "correlation_key": "fp|6f4c71446b1dc5d723e2517d1a2711bb6c480360e8cf85d46b056fafad73c70c", "current_version": "^0.27.12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "none", "message": {"text": "Python package `distlib` is patch version(s) behind (0.4.0 -> 0.4.1)"}, "properties": 
{"repobilityId": 71073, "scanner": "repobility-dependency-currency", "fingerprint": "7c79f8f69f115512090be49b7f0a774d9f595fa8907c258d2df5ecffbd96d353", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "distlib", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "0.4.1", "correlation_key": "fp|7c79f8f69f115512090be49b7f0a774d9f595fa8907c258d2df5ecffbd96d353", "current_version": "0.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "none", "message": {"text": "Python package `debugpy` is patch version(s) behind (1.8.20 -> 1.8.21)"}, "properties": {"repobilityId": 71071, "scanner": "repobility-dependency-currency", "fingerprint": "302163fba48d68f895a841ff65c03b6017b30793bba3e67eb4a1dc349095a3e0", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "debugpy", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "1.8.21", "correlation_key": "fp|302163fba48d68f895a841ff65c03b6017b30793bba3e67eb4a1dc349095a3e0", "current_version": "1.8.20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "none", "message": {"text": "Python package `chardet` is patch version(s) behind (7.4.0.post2 -> 7.4.3)"}, "properties": {"repobilityId": 71067, "scanner": "repobility-dependency-currency", "fingerprint": "c9a2af522f21aebd58810ded358c8ab8dd520b571d1400d5a7bdadf28bcc194e", "category": "dependency", "severity": "info", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "chardet", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "7.4.3", "correlation_key": "fp|c9a2af522f21aebd58810ded358c8ab8dd520b571d1400d5a7bdadf28bcc194e", "current_version": "7.4.0.post2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-PY", "level": "none", "message": {"text": "Python package `aiohappyeyeballs` is patch version(s) behind (2.6.1 -> 2.6.2)"}, "properties": {"repobilityId": 71055, "scanner": "repobility-dependency-currency", "fingerprint": "5d9b6dab837244fd08055a328a515eaf55fc6ad8a020807cca1bdd19cd0c5166", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "aiohappyeyeballs", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "2.6.2", "correlation_key": "fp|5d9b6dab837244fd08055a328a515eaf55fc6ad8a020807cca1bdd19cd0c5166", "current_version": "2.6.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: POST /{sandbox_id}/pause."}, "properties": {"repobilityId": 71343, "scanner": "repobility-access-control", "fingerprint": "400c2710d5f717966e5e2b2217e74185dbe61cb20089262ae8460759f7151d57", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{sandbox_id}/pause", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|84|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/sandbox/sandbox_router.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: DELETE /{secret_id}."}, "properties": {"repobilityId": 71342, "scanner": "repobility-access-control", "fingerprint": "8e37064edca35eedff4a7b02f6d32589485b69cb59c1728cf9c30a6fa2c28b51", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{secret_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|348|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/secrets/secrets_router.py"}, "region": {"startLine": 348}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: PUT /{secret_id}."}, "properties": {"repobilityId": 71341, "scanner": "repobility-access-control", "fingerprint": "130480f8943fec4ab9739a8c1b11384de2fc73de1ee82cd3225199e257a2bcd4", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{secret_id}", "method": "PUT", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|294|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/secrets/secrets_router.py"}, "region": {"startLine": 294}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /{conversation_id}/download."}, "properties": {"repobilityId": 71340, "scanner": "repobility-access-control", "fingerprint": "9fb0d6a099841d07f3350047b0c96b481fdcbed6e3a59828dd9e6ce9bedfec0a", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{conversation_id}/download", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|1437|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/app_conversation/app_conversation_router.py"}, "region": {"startLine": 1437}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /{conversation_id}/hooks."}, "properties": {"repobilityId": 71339, "scanner": "repobility-access-control", "fingerprint": "768b17f18d4e043854e7ac6ff2c2e1b7a68fb01966490523f6cd8c3e6eeeb5de", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{conversation_id}/hooks", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|1293|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/app_conversation/app_conversation_router.py"}, "region": {"startLine": 1293}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /{conversation_id}/skills."}, "properties": {"repobilityId": 71338, "scanner": "repobility-access-control", "fingerprint": "3604f772fcccca92b878b706b618da16597ff69a2439d5c6c2deb027e9547797", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{conversation_id}/skills", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|1194|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/app_conversation/app_conversation_router.py"}, "region": {"startLine": 1194}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /{conversation_id}/git/diff."}, "properties": {"repobilityId": 71337, "scanner": "repobility-access-control", "fingerprint": "fe75fa08f53820cdcee2212b37427584bc1261aa9eb31e81a8eda2bd0d63fdcf", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{conversation_id}/git/diff", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|1167|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/app_conversation/app_conversation_router.py"}, "region": {"startLine": 1167}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /{conversation_id}/git/changes."}, "properties": {"repobilityId": 71336, "scanner": "repobility-access-control", "fingerprint": "8e51a9d0e0e5a2a29208804002a48761945e270f857ddf52f5af2a20edeeabe5", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{conversation_id}/git/changes", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|1133|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/app_conversation/app_conversation_router.py"}, "region": {"startLine": 1133}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /{conversation_id}/file."}, "properties": {"repobilityId": 71335, "scanner": "repobility-access-control", "fingerprint": "d165e89a86316d06f260cd7283f08b835a0f2ec12ec286ce70db58ec1e53ac14", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{conversation_id}/file", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|965|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/app_conversation/app_conversation_router.py"}, "region": {"startLine": 965}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /{conversation_id}/{event_id}."}, "properties": {"repobilityId": 71334, "scanner": "repobility-access-control", "fingerprint": "8bad30f1e4c08609424f5707cc18b42df5fd5a462c2d1f65713a77c67c21dfcd", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{conversation_id}/{event_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|188|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/sharing/shared_event_router.py"}, "region": {"startLine": 188}}}]}, {"ruleId": "PYSEC-2026-161", "level": "error", "message": {"text": "starlette: PYSEC-2026-161"}, "properties": {"repobilityId": 71331, "scanner": "osv-scanner", "fingerprint": "993c965e051ac08384f28c004ed2828303fa08d6e623c80da1211dbce5cea7ce", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-48710", "GHSA-86qp-5c8j-p5mr", "X41-2026-002"], "package": "starlette", "rule_id": "PYSEC-2026-161", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2026-48710|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-86qp-5c8j-p5mr", "PYSEC-2026-161"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["20d0e73bab623b5772bb5ee81b54e26f25bfd7b3f632ca3aec483536eb176c89", "993c965e051ac08384f28c004ed2828303fa08d6e623c80da1211dbce5cea7ce"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-179", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-179"}, "properties": 
{"repobilityId": 71330, "scanner": "osv-scanner", "fingerprint": "3a8c92a4bc42452ab63c8b780593c12b550761e77665f811c437dd35791069ae", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48526", "GHSA-xgmm-8j9v-c9wx"], "package": "pyjwt", "rule_id": "PYSEC-2026-179", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48526|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-178", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-178"}, "properties": {"repobilityId": 71329, "scanner": "osv-scanner", "fingerprint": "529afc49608a001ef35ca72e2e5bf2ab615fb9fdf39e2d3fc621ae3c7274698b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48525", "GHSA-w7vc-732c-9m39"], "package": "pyjwt", "rule_id": "PYSEC-2026-178", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48525|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-177", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-177"}, "properties": {"repobilityId": 71328, "scanner": "osv-scanner", "fingerprint": "e4a57bf8d7416024fd079256b08e268bcee4f11f05b7eaee044fc1d8b95a1189", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48524", "GHSA-fhv5-28vv-h8m8"], "package": "pyjwt", "rule_id": "PYSEC-2026-177", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48524|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "PYSEC-2026-175", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-175"}, "properties": {"repobilityId": 71327, "scanner": "osv-scanner", "fingerprint": "5008712fe3bda523fafb9d2d087e037a86c42cd2bee1401e12b9c2d636db62f1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48522", "GHSA-993g-76c3-p5m4"], "package": "pyjwt", "rule_id": "PYSEC-2026-175", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48522|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2022-42969", "level": "error", "message": {"text": "py: PYSEC-2022-42969"}, "properties": {"repobilityId": 71326, "scanner": "osv-scanner", "fingerprint": "8fc6084f952943d040b1395c4affba525198270598362a17a80520e9e377e42a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-42969", "GHSA-w596-4wvx-j9j6", "PYSEC-2022-43183"], "package": "py", "rule_id": "PYSEC-2022-42969", "scanner": "osv-scanner", "correlation_key": "vuln|py|CVE-2022-42969|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-161", "level": "error", "message": {"text": "starlette: PYSEC-2026-161"}, "properties": {"repobilityId": 71321, "scanner": "osv-scanner", "fingerprint": "fd55ec2ae47dd01ab8a1373884b4c1d940dc45b1d3ddbc9dc702cc8815500bea", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-48710", "GHSA-86qp-5c8j-p5mr", "X41-2026-002"], "package": "starlette", 
"rule_id": "PYSEC-2026-161", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2026-48710|poetry.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-86qp-5c8j-p5mr", "PYSEC-2026-161"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["b9d16898f2391df658b18c71463396760c0b7c9a675313101c1eaa00a7a534b6", "fd55ec2ae47dd01ab8a1373884b4c1d940dc45b1d3ddbc9dc702cc8815500bea"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-179", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-179"}, "properties": {"repobilityId": 71320, "scanner": "osv-scanner", "fingerprint": "7d78497e48bfca2d768916ae959033f23a4d313e18ca37d75c607091be5f1d86", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48526", "GHSA-xgmm-8j9v-c9wx"], "package": "pyjwt", "rule_id": "PYSEC-2026-179", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48526|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-178", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-178"}, "properties": {"repobilityId": 71319, "scanner": "osv-scanner", "fingerprint": "6db789242616a37a43e13ef91061fc18f7b6978fa8f2ded3f09b5af4d8ccc521", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48525", "GHSA-w7vc-732c-9m39"], "package": "pyjwt", "rule_id": "PYSEC-2026-178", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48525|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-177", "level": "error", "message": 
{"text": "pyjwt: PYSEC-2026-177"}, "properties": {"repobilityId": 71318, "scanner": "osv-scanner", "fingerprint": "53a387842356d6324ea099c61d5d69886701f9bb9e8937ed50be4e48396a8c09", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48524", "GHSA-fhv5-28vv-h8m8"], "package": "pyjwt", "rule_id": "PYSEC-2026-177", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48524|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-175", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-175"}, "properties": {"repobilityId": 71317, "scanner": "osv-scanner", "fingerprint": "fd6314132834b1571c7c63af24e50e04220b955d29959fc3e42f6c53ac240ba8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48522", "GHSA-993g-76c3-p5m4"], "package": "pyjwt", "rule_id": "PYSEC-2026-175", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48522|poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2022-42969", "level": "error", "message": {"text": "py: PYSEC-2022-42969"}, "properties": {"repobilityId": 71316, "scanner": "osv-scanner", "fingerprint": "4251f9308d594f40fec36a2bb400b37de682625fda5710529eb4ff88eb33b9cc", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-42969", "GHSA-w596-4wvx-j9j6", "PYSEC-2022-43183"], "package": "py", "rule_id": "PYSEC-2022-42969", "scanner": "osv-scanner", "correlation_key": "vuln|py|CVE-2022-42969|poetry.lock"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p9ff-h696-f583", "level": "error", "message": {"text": "vite: GHSA-p9ff-h696-f583"}, "properties": {"repobilityId": 71309, "scanner": "osv-scanner", "fingerprint": "cd6f9255d27265c498aca73f03eea46eb0eda2e98cc20b7e48fa954e643f2f97", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39363"], "package": "vite", "rule_id": "GHSA-p9ff-h696-f583", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39363|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r6q2-hw4h-h46w", "level": "error", "message": {"text": "tar: GHSA-r6q2-hw4h-h46w"}, "properties": {"repobilityId": 71304, "scanner": "osv-scanner", "fingerprint": "44188a7d64e7fb925fee265a9548efee65b339e398dcad9292e0fbeadbbd64db", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-23950"], "package": "tar", "rule_id": "GHSA-r6q2-hw4h-h46w", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-23950|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qffp-2rhf-9h96", "level": "error", "message": {"text": "tar: GHSA-qffp-2rhf-9h96"}, "properties": {"repobilityId": 71303, "scanner": "osv-scanner", "fingerprint": "fad3578c0a193a38eb95ee738bd8a7f054085fc25abfa335f9d4b3ba0d2d46db", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-29786"], "package": "tar", 
"rule_id": "GHSA-qffp-2rhf-9h96", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-29786|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9ppj-qmqm-q256", "level": "error", "message": {"text": "tar: GHSA-9ppj-qmqm-q256"}, "properties": {"repobilityId": 71302, "scanner": "osv-scanner", "fingerprint": "a766df4e631e1d0037482fb0373b86b87f7df3729cf2870f86d0b7b4680a5993", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-31802"], "package": "tar", "rule_id": "GHSA-9ppj-qmqm-q256", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-31802|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8qq5-rm4j-mr97", "level": "error", "message": {"text": "tar: GHSA-8qq5-rm4j-mr97"}, "properties": {"repobilityId": 71301, "scanner": "osv-scanner", "fingerprint": "060dc8fe5641ba38b3e47a3a14cb4c78036ca52f45f21405a1e584b89464bb96", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-23745"], "package": "tar", "rule_id": "GHSA-8qq5-rm4j-mr97", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-23745|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-83g3-92jg-28cx", "level": "error", "message": {"text": "tar: GHSA-83g3-92jg-28cx"}, "properties": {"repobilityId": 71300, "scanner": "osv-scanner", "fingerprint": "25173a7e8972ef502874780010043944d8ef0c476344c7f32ce5d4b607821f98", "category": "dependency", "severity": "high", "confidence": 0.88, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26960"], "package": "tar", "rule_id": "GHSA-83g3-92jg-28cx", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-26960|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-34x7-hfp2-rc4v", "level": "error", "message": {"text": "tar: GHSA-34x7-hfp2-rc4v"}, "properties": {"repobilityId": 71299, "scanner": "osv-scanner", "fingerprint": "240c58e294e94b565c0875f1bd13fb776445e8b875bab7c07b5fd5060af18abf", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-24842"], "package": "tar", "rule_id": "GHSA-34x7-hfp2-rc4v", "scanner": "osv-scanner", "correlation_key": "vuln|tar|CVE-2026-24842|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mjf5-7g4m-gx5w", "level": "error", "message": {"text": "storybook: GHSA-mjf5-7g4m-gx5w"}, "properties": {"repobilityId": 71298, "scanner": "osv-scanner", "fingerprint": "eaa83b3e3225c3ff356f57887d8b045fe645614078a9c2cf67142507a3765a09", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27148"], "package": "storybook", "rule_id": "GHSA-mjf5-7g4m-gx5w", "scanner": "osv-scanner", "correlation_key": "vuln|storybook|CVE-2026-27148|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8452-54wp-rmv6", "level": "error", "message": {"text": "storybook: GHSA-8452-54wp-rmv6"}, "properties": {"repobilityId": 71297, 
"scanner": "osv-scanner", "fingerprint": "622f9e6f16561cc94198a2b0438e83e93618ff9b7f6f71de9ea61f8ed7076d99", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-68429"], "package": "storybook", "rule_id": "GHSA-8452-54wp-rmv6", "scanner": "osv-scanner", "correlation_key": "vuln|storybook|CVE-2025-68429|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mw96-cpmx-2vgc", "level": "error", "message": {"text": "rollup: GHSA-mw96-cpmx-2vgc"}, "properties": {"repobilityId": 71296, "scanner": "osv-scanner", "fingerprint": "5b72e969489427d6fcd589955d158ba6ecb4ec146bbb7a2013ce04dd511cc12d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27606"], "package": "rollup", "rule_id": "GHSA-mw96-cpmx-2vgc", "scanner": "osv-scanner", "correlation_key": "vuln|rollup|CVE-2026-27606|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7mvr-c777-76hp", "level": "error", "message": {"text": "playwright: GHSA-7mvr-c777-76hp"}, "properties": {"repobilityId": 71294, "scanner": "osv-scanner", "fingerprint": "678c7c3aaa5971b9fc5be3cebfe95f581e64aa619dfa993d43b72546724d79cb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-59288"], "package": "playwright", "rule_id": "GHSA-7mvr-c777-76hp", "scanner": "osv-scanner", "correlation_key": "vuln|playwright|CVE-2025-59288|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 71293, "scanner": "osv-scanner", "fingerprint": "52f3d3d5d0444441cf2eb13973060610c3f90b81f0501b80f11f34c22b4a4e2d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 71291, "scanner": "osv-scanner", "fingerprint": "f6dd115c1b4514bebb680c136052e14193bbe60fa84299190f0afbec075d188d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 71290, "scanner": "osv-scanner", "fingerprint": "9f91ac2edf32bcaee46495f50a159e102eac6c6eedc442996d701027d9da2a3e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", 
"rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 71289, "scanner": "osv-scanner", "fingerprint": "70d04783e5f70395bf7f53ade9ca660ef74238f7db875b21a0470b4700f5f936", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": "GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 71287, "scanner": "osv-scanner", "fingerprint": "7042b2c13d0f9e61bef6db24ac5a2d10e97d717cd2644a34c8dd9a5f74a209fe", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-4800|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5j98-mcp5-4vw2", "level": "error", "message": {"text": "glob: GHSA-5j98-mcp5-4vw2"}, "properties": {"repobilityId": 71285, "scanner": "osv-scanner", "fingerprint": "0703f8f9d317e84f7ad8be56875ad37c417d762e90bfe0714e18f83c2ae143f5", "category": "dependency", "severity": 
"high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-64756"], "package": "glob", "rule_id": "GHSA-5j98-mcp5-4vw2", "scanner": "osv-scanner", "correlation_key": "vuln|glob|CVE-2025-64756|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rxv8-25v2-qmq8", "level": "error", "message": {"text": "react-router: GHSA-rxv8-25v2-qmq8"}, "properties": {"repobilityId": 71280, "scanner": "osv-scanner", "fingerprint": "7368cfc9fea87125be6c2c7d3b59f71bc3655cd4bcf97c044c13eefe570a0dc1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34077"], "package": "react-router", "rule_id": "GHSA-rxv8-25v2-qmq8", "scanner": "osv-scanner", "correlation_key": "vuln|react-router|CVE-2026-34077|frontend/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8x6r-g9mw-2r78", "level": "error", "message": {"text": "react-router: GHSA-8x6r-g9mw-2r78"}, "properties": {"repobilityId": 71278, "scanner": "osv-scanner", "fingerprint": "1edd986d787a1bcab8dd7f23a4c08c195c999f5dc398a0346b4a4c30399ee943", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42342"], "package": "react-router", "rule_id": "GHSA-8x6r-g9mw-2r78", "scanner": "osv-scanner", "correlation_key": "vuln|react-router|CVE-2026-42342|frontend/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8646-j5j9-6r62", "level": "error", "message": 
{"text": "react-router: GHSA-8646-j5j9-6r62"}, "properties": {"repobilityId": 71277, "scanner": "osv-scanner", "fingerprint": "17facd2079be7c680e42b26bf106aa58a719519f36a9882667eea0593c379da5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33245"], "package": "react-router", "rule_id": "GHSA-8646-j5j9-6r62", "scanner": "osv-scanner", "correlation_key": "vuln|react-router|CVE-2026-33245|frontend/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-49rj-9fvp-4h2h", "level": "error", "message": {"text": "react-router: GHSA-49rj-9fvp-4h2h"}, "properties": {"repobilityId": 71276, "scanner": "osv-scanner", "fingerprint": "818631788f82d3b22a2005d7d3719522e61babdf0f3b0ac943d169e6707a5c72", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42211"], "package": "react-router", "rule_id": "GHSA-49rj-9fvp-4h2h", "scanner": "osv-scanner", "correlation_key": "vuln|react-router|CVE-2026-42211|frontend/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-161", "level": "error", "message": {"text": "starlette: PYSEC-2026-161"}, "properties": {"repobilityId": 71268, "scanner": "osv-scanner", "fingerprint": "40c586ee54ba9f51743f1a0670ed86843e72f8c296aa57c2d816ceb540b93476", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-48710", "GHSA-86qp-5c8j-p5mr", "X41-2026-002"], "package": 
"starlette", "rule_id": "PYSEC-2026-161", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2026-48710|enterprise/poetry.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-86qp-5c8j-p5mr", "PYSEC-2026-161"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["40c586ee54ba9f51743f1a0670ed86843e72f8c296aa57c2d816ceb540b93476", "48baec3a834b58b583c2150f8e9618a5d00a817f70383c9cbac5bb86b443bf50"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-179", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-179"}, "properties": {"repobilityId": 71267, "scanner": "osv-scanner", "fingerprint": "6ffdcb903aec01c10d124b155cd342457c2e084fb3b0b99d4aecc3118d9e4bb1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48526", "GHSA-xgmm-8j9v-c9wx"], "package": "pyjwt", "rule_id": "PYSEC-2026-179", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48526|enterprise/poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-178", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-178"}, "properties": {"repobilityId": 71266, "scanner": "osv-scanner", "fingerprint": "e8a471462c3687bfaef3e2ea3761c8886519b1770339b97c143169295d3407b8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48525", "GHSA-w7vc-732c-9m39"], "package": "pyjwt", "rule_id": "PYSEC-2026-178", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48525|enterprise/poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/poetry.lock"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-177", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-177"}, "properties": {"repobilityId": 71265, "scanner": "osv-scanner", "fingerprint": "910a8a65ad31a8a76657ef56d25280093214705c821cfe370450242d3afd48d8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48524", "GHSA-fhv5-28vv-h8m8"], "package": "pyjwt", "rule_id": "PYSEC-2026-177", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48524|enterprise/poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-175", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-175"}, "properties": {"repobilityId": 71264, "scanner": "osv-scanner", "fingerprint": "a6d45e31fcda3b7f345e9eb5860bcd9631627c9e89ca1a3c5bac207094ff025e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48522", "GHSA-993g-76c3-p5m4"], "package": "pyjwt", "rule_id": "PYSEC-2026-175", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48522|enterprise/poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2022-42969", "level": "error", "message": {"text": "py: PYSEC-2022-42969"}, "properties": {"repobilityId": 71263, "scanner": "osv-scanner", "fingerprint": "777b862fb9b0f8a56a116315eb397d2233bb582321e6619356dfedab8e4c6a95", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2022-42969", "GHSA-w596-4wvx-j9j6", "PYSEC-2022-43183"], "package": "py", "rule_id": 
"PYSEC-2022-42969", "scanner": "osv-scanner", "correlation_key": "vuln|py|CVE-2022-42969|enterprise/poetry.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-25", "level": "error", "message": {"text": "authlib: PYSEC-2026-25"}, "properties": {"repobilityId": 71261, "scanner": "osv-scanner", "fingerprint": "957e713f2bb4c6b0c096ded0de062f7c3eb61a7520dd253cfcf118e04d7b37d3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-41425", "GHSA-jj8c-mmj3-mmgv"], "package": "authlib", "rule_id": "PYSEC-2026-25", "scanner": "osv-scanner", "correlation_key": "vuln|authlib|CVE-2026-41425|enterprise/poetry.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-jj8c-mmj3-mmgv", "PYSEC-2026-25"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["29a13a65d7cfd6faea48b0595a3a8b0178bb370613307d298ac43f05afb0ee79", "957e713f2bb4c6b0c096ded0de062f7c3eb61a7520dd253cfcf118e04d7b37d3"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-188", "level": "error", "message": {"text": "authlib: PYSEC-2026-188"}, "properties": {"repobilityId": 71260, "scanner": "osv-scanner", "fingerprint": "b0b2fcc0ea039fdc4ec0a5f41079c40d4117473f6e5589e63774d583cfab0126", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44681", "GHSA-r95x-qfjj-fjj2"], "package": "authlib", "rule_id": "PYSEC-2026-188", "scanner": "osv-scanner", "correlation_key": 
"vuln|authlib|CVE-2026-44681|enterprise/poetry.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-r95x-qfjj-fjj2", "PYSEC-2026-188"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0cdc9c637bf4a9ce8d33740bae13dd4e3d234f593629a2fddeffac1cd7a5bd19", "b0b2fcc0ea039fdc4ec0a5f41079c40d4117473f6e5589e63774d583cfab0126"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/poetry.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 71225, "scanner": "repobility-docker", "fingerprint": "c53f79b7b22705faa046c0798d867666d3b6e6711853596e8e68056a1c2fa1d5", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c53f79b7b22705faa046c0798d867666d3b6e6711853596e8e68056a1c2fa1d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 71220, "scanner": "repobility-docker", "fingerprint": "32252508b9c50ff9510be12ffe87235925356ebaba840f76dc51d92fbd44205d", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|32252508b9c50ff9510be12ffe87235925356ebaba840f76dc51d92fbd44205d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/dev/Dockerfile"}, "region": {"startLine": 65}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 71211, "scanner": "repobility-docker", "fingerprint": "ea8c1a8b2fa18c068c7c4c02c233e5cb1217ab7dd9422450d0e3243390b6bfc9", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "root", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ea8c1a8b2fa18c068c7c4c02c233e5cb1217ab7dd9422450d0e3243390b6bfc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/app/Dockerfile"}, "region": {"startLine": 100}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly. Caveat for this result: the matched signature is truncated at `sandbox_servic`, and FastAPI auth is often wired through `Depends(...)` parameters or a router-level `dependencies=[...]` on `include_router`, neither of which a decorator/middleware regex sees; confirm at sandbox_router.py:75 before treating the route as unauthenticated."}, "properties": {"repobilityId": 71205, "scanner": "repobility-threat-engine", "fingerprint": "f01740bfdefba8e25d43882359a71d95787b76ec81f9ea068209acbd35dad0f4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@router.post('')\nasync def start_sandbox(\n    sandbox_spec_id: str | None = None,\n    sandbox_servic", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f01740bfdefba8e25d43882359a71d95787b76ec81f9ea068209acbd35dad0f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/sandbox/sandbox_router.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly. Caveat for this result: the match ends at the decorator, before the handler signature is visible, and FastAPI auth is often wired through `Depends(...)` parameters or a router-level `dependencies=[...]` on `include_router`, neither of which a decorator/middleware regex sees; confirm at pending_message_router.py:34 before treating the route as unauthenticated."}, "properties": {"repobilityId": 71204, "scanner": "repobility-threat-engine", "fingerprint": "bc6a43de2e064777f53f7bd5d0cc6db2a2cbcf50ffae0775c6201659bc51d433", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@router.post(\n    '', response_model=PendingMessageResponse, status_code=status.HTTP_201_CREATED\n)\na", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bc6a43de2e064777f53f7bd5d0cc6db2a2cbcf50ffae0775c6201659bc51d433"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/pending_messages/pending_message_router.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. 
Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts. Caveat for this result: the matched call, `.search(r'[?&]page=(\\d+)`, is a regex-literal `re.search` over a pagination parameter, not an LDAP query; treat as a probable false positive pending review of repos.py:174."}, "properties": {"repobilityId": 71199, "scanner": "repobility-threat-engine", "fingerprint": "2437310ea257b2cbc921da3a8b0098e4406643a2df27d82aad6f69a142eaf7d3", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r'[?&]page=(\\d+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|174|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/integrations/bitbucket/service/repos.py"}, "region": {"startLine": 174}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0). Caveat for this result: the match is `exec(text` in a browser-side React component, where child_process is unavailable; this is most likely `RegExp.prototype.exec` and a false positive unless get-skill-ready-content.ts:27 shows a child_process import."}, "properties": {"repobilityId": 71171, "scanner": "repobility-threat-engine", "fingerprint": "aa622abb80362cc35b3e76a023a7bd3ff190edef93b77fae1c92473b223e1ced", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aa622abb80362cc35b3e76a023a7bd3ff190edef93b77fae1c92473b223e1ced"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/v1/chat/event-content-helpers/get-skill-ready-content.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0). Caveat for this result: `exec(className` in a markdown code-block component looks like the usual language-tag lookup of the form `/language-(...)/.exec(className)`, a RegExp.exec in browser code where child_process is unavailable; treat as a probable false positive pending review of code.tsx:18."}, "properties": {"repobilityId": 71170, "scanner": "repobility-threat-engine", "fingerprint": "cf88fba7a73dac552e3737cf18aa58e37e91e7619b029a0d76221f42da8fc975", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(className", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cf88fba7a73dac552e3737cf18aa58e37e91e7619b029a0d76221f42da8fc975"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/features/markdown/code.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0). Caveat for this result: the argument name `i18nIndexContent` reads as file contents, which a build script would normally scan with `RegExp.prototype.exec` rather than hand to child_process; only a child_process import at check-translation-completeness.cjs:24 would make this a real command-injection sink."}, "properties": {"repobilityId": 71169, "scanner": "repobility-threat-engine", "fingerprint": "598e0a92d6e5a4a10e6da2a825c6a44f7a48d44d9e6b5b7de607af841937f2d0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(i18nIndexContent", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|598e0a92d6e5a4a10e6da2a825c6a44f7a48d44d9e6b5b7de607af841937f2d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/check-translation-completeness.cjs"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production. Caveat for this result: the match `newResults.delete(key);` is the synchronous `Map`/`Set` `delete` method, which returns a boolean rather than a Promise; treat as a probable false positive unless gitlab-webhook-manager.tsx:37 shows `newResults` is an async client."}, "properties": {"repobilityId": 71157, "scanner": "repobility-threat-engine", "fingerprint": "19e019719b114e2dd77d88de8667d2e22fd318339c9334eb5261c07e2639d500", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "newResults.delete(key);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|19e019719b114e2dd77d88de8667d2e22fd318339c9334eb5261c07e2639d500"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/features/settings/git-settings/gitlab-webhook-manager.tsx"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production. Caveat for this result: `activeClientIds.delete(clientId)` is a synchronous `Set`/`Map` `delete` returning a boolean, and `frontend/public/mockServiceWorker.js` appears to be the generated Mock Service Worker script rather than application code; treat as a probable false positive."}, "properties": {"repobilityId": 71156, "scanner": "repobility-threat-engine", "fingerprint": "a23f416802c6f0635fc51165a1c4e710a7d8518c76673865acd116493f125763", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "activeClientIds.delete(clientId)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a23f416802c6f0635fc51165a1c4e710a7d8518c76673865acd116493f125763"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/public/mockServiceWorker.js"}, "region": {"startLine": 75}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production. Caveat for this result: `user_info_data.update(org_info)` reads as a synchronous `dict.update`, which returns None rather than a coroutine; treat as a probable false positive unless users_v1.py:91 shows `user_info_data` is an async object."}, "properties": {"repobilityId": 71155, "scanner": "repobility-threat-engine", "fingerprint": "48cf4420d8e08f6c49e61941f9d579fe8d0df90a3d22942cd9965b804f68d32b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "user_info_data.update(org_info)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|48cf4420d8e08f6c49e61941f9d579fe8d0df90a3d22942cd9965b804f68d32b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/users_v1.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service (resource exhaustion; unrelated to regex ReDoS). Fix by passing an explicit `timeout=` to every call. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 71153, "scanner": "repobility-threat-engine", "fingerprint": "815e0725fca4543820286491fd4ea341747e71f95dc0aa888583884b560937e7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|815e0725fca4543820286491fd4ea341747e71f95dc0aa888583884b560937e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/config.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently discards every error, hiding bugs; a bare except: additionally swallows KeyboardInterrupt and SystemExit (except Exception: does not, since those derive from BaseException)."}, "properties": {"repobilityId": 71135, "scanner": "repobility-threat-engine", "fingerprint": "62c0c935fead7611a3615823246e7ded01ce8111150b9390e31ba367485fb54f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|62c0c935fead7611a3615823246e7ded01ce8111150b9390e31ba367485fb54f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/email.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED001", "level": "error", "message": 
{"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently discards every error, hiding bugs; a bare except: additionally swallows KeyboardInterrupt and SystemExit (except Exception: does not, since those derive from BaseException)."}, "properties": {"repobilityId": 71134, "scanner": "repobility-threat-engine", "fingerprint": "ef61995ebe79264f9b34faaa2331497d295b55c4b446b5fa9937f0d141ee8e9a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ef61995ebe79264f9b34faaa2331497d295b55c4b446b5fa9937f0d141ee8e9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/jira_dc/jira_dc_v1_callback_processor.py"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently discards every error, hiding bugs; a bare except: additionally swallows KeyboardInterrupt and SystemExit (except Exception: does not, since those derive from BaseException)."}, "properties": {"repobilityId": 71133, "scanner": "repobility-threat-engine", "fingerprint": "13467620ff0aeaeaeeb7185a4824e15d73d0a70c22151757e35a91a861660b7c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|13467620ff0aeaeaeeb7185a4824e15d73d0a70c22151757e35a91a861660b7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/jira/jira_v1_callback_processor.py"}, "region": {"startLine": 189}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 71127, "scanner": "repobility-threat-engine", "fingerprint": "b80a0ee19fba58442bc4d0e72baa79536358ab3114ed7b605fa46b6aa235d2fc", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b80a0ee19fba58442bc4d0e72baa79536358ab3114ed7b605fa46b6aa235d2fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/email.py"}, "region": {"startLine": 167}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 71126, "scanner": "repobility-threat-engine", "fingerprint": "af744dd70b8e55fec7886f8d66fec1a9a6c7d1e1868e77ab5ed82f25af34f27b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(\n        s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|af744dd70b8e55fec7886f8d66fec1a9a6c7d1e1868e77ab5ed82f25af34f27b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/resolver_context.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 71125, "scanner": "repobility-threat-engine", "fingerprint": "96a500b65a1d3adf4cad0967e80b906520c6c8a3f41d33aa5b2ded744f32a067", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(\n            i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|96a500b65a1d3adf4cad0967e80b906520c6c8a3f41d33aa5b2ded744f32a067"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/jira/jira_payload.py"}, "region": {"startLine": 204}}}]}, {"ruleId": "MINED020", "level": "error", "message": {"text": "[MINED020] Logging Credential Via Fstring: logger.error(f\"failed for {api_key}\") \u2014 secrets end up in log aggregators / sentry."}, "properties": {"repobilityId": 71120, "scanner": "repobility-threat-engine", "fingerprint": "03cee53cdd6380944961513e3cda862dbbc68a94fbd157bca2e5119e5d50d33b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "logging-credential-via-fstring", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347945+00:00", "triaged_in_corpus": 15, "observations_count": 46100, "ai_coder_pattern_id": 38}, "scanner": "repobility-threat-engine", "correlation_key": "fp|03cee53cdd6380944961513e3cda862dbbc68a94fbd157bca2e5119e5d50d33b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/github/github_service.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED020", "level": "error", 
"message": {"text": "[MINED020] Logging Credential Via Fstring: logger.error(f\"failed for {api_key}\") \u2014 secrets end up in log aggregators / sentry."}, "properties": {"repobilityId": 71119, "scanner": "repobility-threat-engine", "fingerprint": "5679731ad8aec2f8ef5ad6cb460a69b755408fcf9a522741a0481934eabcd66b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "logging-credential-via-fstring", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347945+00:00", "triaged_in_corpus": 15, "observations_count": 46100, "ai_coder_pattern_id": 38}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5679731ad8aec2f8ef5ad6cb460a69b755408fcf9a522741a0481934eabcd66b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/bitbucket_data_center/bitbucket_dc_service.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED020", "level": "error", "message": {"text": "[MINED020] Logging Credential Via Fstring: logger.error(f\"failed for {api_key}\") \u2014 secrets end up in log aggregators / sentry."}, "properties": {"repobilityId": 71118, "scanner": "repobility-threat-engine", "fingerprint": "d2fbeb1b74ea85498e7b16b7e4ceda2d2ffecdcfd7ef52adf76d6187efc789ea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "logging-credential-via-fstring", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347945+00:00", "triaged_in_corpus": 15, "observations_count": 46100, "ai_coder_pattern_id": 38}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|d2fbeb1b74ea85498e7b16b7e4ceda2d2ffecdcfd7ef52adf76d6187efc789ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/integrations/bitbucket/bitbucket_service.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 71103, "scanner": "repobility-threat-engine", "fingerprint": "840dbf6eb00dc1f69f75b663bff721c73d5016c1eff46a1d166c5a5e2cb60e5f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|840dbf6eb00dc1f69f75b663bff721c73d5016c1eff46a1d166c5a5e2cb60e5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/find_prs_between_commits.py"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `ghcr.io/openhands/enterprise-server` unpinned"}, "properties": {"repobilityId": 71050, "scanner": "repobility-supply-chain", "fingerprint": "aa2ce59c37384dac25d848e139302eea16e4da6479b797043c8321ead2f203e0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|aa2ce59c37384dac25d848e139302eea16e4da6479b797043c8321ead2f203e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ghcr-build.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `ghcr.io/openhands/openhands` unpinned"}, "properties": {"repobilityId": 71049, "scanner": "repobility-supply-chain", "fingerprint": "ea6987b38f2c2321d2dff7a804d6602fd7826f06ec8568bb6b888d525f4567c5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ea6987b38f2c2321d2dff7a804d6602fd7826f06ec8568bb6b888d525f4567c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ghcr-build.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 71048, "scanner": "repobility-supply-chain", "fingerprint": "59bb3d2ab240bdeb80a861e02c2d40e004cade89113f28407c5f1cbd822a5c64", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|59bb3d2ab240bdeb80a861e02c2d40e004cade89113f28407c5f1cbd822a5c64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` 
pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 71047, "scanner": "repobility-supply-chain", "fingerprint": "acf528873d0f635d488884322a8e6280fde6e647474739673545978b1e826f2e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|acf528873d0f635d488884322a8e6280fde6e647474739673545978b1e826f2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 71046, "scanner": "repobility-supply-chain", "fingerprint": "ac64cb70004418496daae490c6c6bdd6dcf3d3f5a8307ca28bceb52f996e8a42", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ac64cb70004418496daae490c6c6bdd6dcf3d3f5a8307ca28bceb52f996e8a42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 71045, "scanner": "repobility-supply-chain", "fingerprint": "b11847721503dd9d22facd5f10188f880b668c6bd26406f915031f4fb8ed77ec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b11847721503dd9d22facd5f10188f880b668c6bd26406f915031f4fb8ed77ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 71044, "scanner": "repobility-supply-chain", "fingerprint": "cf40183fa5548cc7d662fc1c260840cd178c7a7b8a855817903933a86da0aa14", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cf40183fa5548cc7d662fc1c260840cd178c7a7b8a855817903933a86da0aa14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 71043, "scanner": "repobility-supply-chain", "fingerprint": "cb708451cd8d190675c3eae0c00f173e91b95cf8fcab7958ea7ba23c85b6a24c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cb708451cd8d190675c3eae0c00f173e91b95cf8fcab7958ea7ba23c85b6a24c"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v8`"}, "properties": {"repobilityId": 71042, "scanner": "repobility-supply-chain", "fingerprint": "f1f01b2172e6d7b70e8de92ef1c3cf47c5763236146c1f89cad9fa78ac60992f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f1f01b2172e6d7b70e8de92ef1c3cf47c5763236146c1f89cad9fa78ac60992f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/py-tests.yml"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 71041, "scanner": "repobility-supply-chain", "fingerprint": "0dae0915c86adfa61ac970ee4ac1583c81d427c5d977d621a38db3f1390ea35a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0dae0915c86adfa61ac970ee4ac1583c81d427c5d977d621a38db3f1390ea35a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/py-tests.yml"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 71040, "scanner": "repobility-supply-chain", "fingerprint": 
"3620ab22b941848b7399e7d5eefeda1a8da19a109cbd4f098e381a1f0c60dd85", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3620ab22b941848b7399e7d5eefeda1a8da19a109cbd4f098e381a1f0c60dd85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/py-tests.yml"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 71039, "scanner": "repobility-supply-chain", "fingerprint": "04aafaca8365bd5761b3c4fcbecfc5d32f12e3d899dfc3dba9497876b870f425", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|04aafaca8365bd5761b3c4fcbecfc5d32f12e3d899dfc3dba9497876b870f425"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/py-tests.yml"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 71038, "scanner": "repobility-supply-chain", "fingerprint": "0775b6dfaff4515eb4f9855be5c27837c69ff79f4558bdcdb708f5df1e41f9f6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], 
"languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0775b6dfaff4515eb4f9855be5c27837c69ff79f4558bdcdb708f5df1e41f9f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/py-tests.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 71037, "scanner": "repobility-supply-chain", "fingerprint": "62ab892dcfa500d3cb7003d3a60c9aa4258587e5daa5b2164a6b63ba2a73fca1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|62ab892dcfa500d3cb7003d3a60c9aa4258587e5daa5b2164a6b63ba2a73fca1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/py-tests.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 71036, "scanner": "repobility-supply-chain", "fingerprint": "798ff3305e0708dc6799aa6e7a11d34c747f835ae0c36dcd5fb80070017e0c74", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|798ff3305e0708dc6799aa6e7a11d34c747f835ae0c36dcd5fb80070017e0c74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/py-tests.yml"}, "region": {"startLine": 48}}}]}, 
{"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 71035, "scanner": "repobility-supply-chain", "fingerprint": "100595d43b6d9dd5ffee8634aa3a463451b9c4bd58d8047003a364a7ed3dc9ba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|100595d43b6d9dd5ffee8634aa3a463451b9c4bd58d8047003a364a7ed3dc9ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/py-tests.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 71034, "scanner": "repobility-supply-chain", "fingerprint": "b112abc68ad02876a4c1c4c3788c7134b8d407db9212d56d5b1cb9d7bdf1854f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b112abc68ad02876a4c1c4c3788c7134b8d407db9212d56d5b1cb9d7bdf1854f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/py-tests.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/github-script` pinned to mutable ref `@v9`"}, "properties": {"repobilityId": 71033, "scanner": "repobility-supply-chain", "fingerprint": "caff6dbd400741b7573f26c90486e6fb1a3df720d869b379d1fbe36c3584675b", "category": "dependency", "severity": 
"high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|caff6dbd400741b7573f26c90486e6fb1a3df720d869b379d1fbe36c3584675b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-readiness-confirm.yml"}, "region": {"startLine": 220}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/github-script` pinned to mutable ref `@v9`"}, "properties": {"repobilityId": 71032, "scanner": "repobility-supply-chain", "fingerprint": "af2a8d8982cdcc8d98efa8864bf0645f7b8c63cf69b09c4ebbb0b9c2bdaf9cf1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|af2a8d8982cdcc8d98efa8864bf0645f7b8c63cf69b09c4ebbb0b9c2bdaf9cf1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-readiness-confirm.yml"}, "region": {"startLine": 194}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/github-script` pinned to mutable ref `@v9`"}, "properties": {"repobilityId": 71031, "scanner": "repobility-supply-chain", "fingerprint": "d215b3414f5fd7212ef24f46c080ff139272dceb1cdb3430ff1d0bf562f64fb9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": 
"repobility-supply-chain", "correlation_key": "fp|d215b3414f5fd7212ef24f46c080ff139272dceb1cdb3430ff1d0bf562f64fb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-readiness-confirm.yml"}, "region": {"startLine": 180}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/github-script` pinned to mutable ref `@v9`"}, "properties": {"repobilityId": 71030, "scanner": "repobility-supply-chain", "fingerprint": "772a4e938e181c91727684d8912a5e89d27e328e3540c2a7d341dd589daffc7f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|772a4e938e181c91727684d8912a5e89d27e328e3540c2a7d341dd589daffc7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-readiness-confirm.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 71029, "scanner": "repobility-supply-chain", "fingerprint": "ab571686a1100bde62fedb8c61a9df6a2706780e6b55bc2449d1fbd9a3f852e0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ab571686a1100bde62fedb8c61a9df6a2706780e6b55bc2449d1fbd9a3f852e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ui-build.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", 
"message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 71028, "scanner": "repobility-supply-chain", "fingerprint": "ea38c3637474bdaf2f50edd251928b3ddbd0c2ab67245357386b7474ba92c61e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ea38c3637474bdaf2f50edd251928b3ddbd0c2ab67245357386b7474ba92c61e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish-ui.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 71027, "scanner": "repobility-supply-chain", "fingerprint": "0d5172a8068c06d8a26f9d340e4b16c9f55e1817de00304926eb2b4f3e1c5f89", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0d5172a8068c06d8a26f9d340e4b16c9f55e1817de00304926eb2b4f3e1c5f89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish-ui.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 71026, "scanner": "repobility-supply-chain", "fingerprint": "bb047353edd49ca4cbbfde082581e2da3412e09e768ccb5e745b1bc33042e68e", "category": "dependency", "severity": "high", "confidence": 0.9, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bb047353edd49ca4cbbfde082581e2da3412e09e768ccb5e745b1bc33042e68e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pypi-release.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 71025, "scanner": "repobility-supply-chain", "fingerprint": "367505ceff4ce081f1be767e30ec9bd80b03f38b2711ad401b3534ee1c343075", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|367505ceff4ce081f1be767e30ec9bd80b03f38b2711ad401b3534ee1c343075"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pypi-release.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/github-script` pinned to mutable ref `@v9`"}, "properties": {"repobilityId": 71024, "scanner": "repobility-supply-chain", "fingerprint": "2b00e484453f8aba5b262f3dc0cf34e5ace32fe67e48a5ac243584b71ccd8f98", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|2b00e484453f8aba5b262f3dc0cf34e5ace32fe67e48a5ac243584b71ccd8f98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/remove-duplicate-candidate-label.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `python:3.13.7-slim-trixie` not pinned by digest"}, "properties": {"repobilityId": 71023, "scanner": "repobility-supply-chain", "fingerprint": "d4b7a8b6ea6229a6bec65446964ab74138542ca93de8ab2675735cc30df7336c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d4b7a8b6ea6229a6bec65446964ab74138542ca93de8ab2675735cc30df7336c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/app/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:25.9-trixie-slim` not pinned by digest"}, "properties": {"repobilityId": 71022, "scanner": "repobility-supply-chain", "fingerprint": "a1fe1957b9cd7c43bad16fa96dd7486a9bfbc2f75077cbb1599213a1ac65d832", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a1fe1957b9cd7c43bad16fa96dd7486a9bfbc2f75077cbb1599213a1ac65d832"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/app/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": 
"Dockerfile FROM `ubuntu:26.04` not pinned by digest"}, "properties": {"repobilityId": 71021, "scanner": "repobility-supply-chain", "fingerprint": "8b53e7c219a05b8e7638c7d64b6b66388c719ca8015b8c60e6c307f7b7887494", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8b53e7c219a05b8e7638c7d64b6b66388c719ca8015b8c60e6c307f7b7887494"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/dev/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/pre-commit/mirrors-mypy` pinned to mutable rev `v1.9.0`"}, "properties": {"repobilityId": 71020, "scanner": "repobility-supply-chain", "fingerprint": "c7852e7f6dba1c7db0d375e777d93332b78bd6e09e40b39bf0aea93f339ba2d3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c7852e7f6dba1c7db0d375e777d93332b78bd6e09e40b39bf0aea93f339ba2d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/dev_config/python/.pre-commit-config.yaml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/abravalheri/validate-pyproject` pinned to mutable rev `v0.16`"}, "properties": {"repobilityId": 71019, "scanner": "repobility-supply-chain", "fingerprint": 
"9d16a162e6ecf401bc492a8090ecaed61db091223d26ba1ea8d9daa21f7286ef", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9d16a162e6ecf401bc492a8090ecaed61db091223d26ba1ea8d9daa21f7286ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/dev_config/python/.pre-commit-config.yaml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v4.5.0`"}, "properties": {"repobilityId": 71018, "scanner": "repobility-supply-chain", "fingerprint": "bfdd3f1fb02e3d737e6367904f7cc0935ceb7f0629db180840048412d56f32ab", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bfdd3f1fb02e3d737e6367904f7cc0935ceb7f0629db180840048412d56f32ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/dev_config/python/.pre-commit-config.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/pre-commit/mirrors-mypy` pinned to mutable rev `v1.15.0`"}, "properties": {"repobilityId": 71017, "scanner": "repobility-supply-chain", "fingerprint": "d89340cf7251fb0ea79feb0c3aa5ea36339a9500dbff60f205e7f7302e072bbe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d89340cf7251fb0ea79feb0c3aa5ea36339a9500dbff60f205e7f7302e072bbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev_config/python/.pre-commit-config.yaml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/abravalheri/validate-pyproject` pinned to mutable rev `v0.24.1`"}, "properties": {"repobilityId": 71016, "scanner": "repobility-supply-chain", "fingerprint": "358e672dcc4823f4fac038e8c9ec8c7457d8e4215cecab93f233ee995bea2358", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|358e672dcc4823f4fac038e8c9ec8c7457d8e4215cecab93f233ee995bea2358"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev_config/python/.pre-commit-config.yaml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/tox-dev/pyproject-fmt` pinned to mutable rev `v2.5.1`"}, "properties": {"repobilityId": 71015, "scanner": "repobility-supply-chain", "fingerprint": "261a42e6b0fc579456915519de17fee5aa9dda7d0779122eb3f2b4a37a98364e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 
0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|261a42e6b0fc579456915519de17fee5aa9dda7d0779122eb3f2b4a37a98364e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev_config/python/.pre-commit-config.yaml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v5.0.0`"}, "properties": {"repobilityId": 71014, "scanner": "repobility-supply-chain", "fingerprint": "96d77ded07fabe2312d028a7e5f32234e4d258a7a0a9707cbd2ab4dfd9af069a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|96d77ded07fabe2312d028a7e5f32234e4d258a7a0a9707cbd2ab4dfd9af069a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev_config/python/.pre-commit-config.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /workspaces/unlink has no auth"}, "properties": {"repobilityId": 71013, "scanner": "repobility-route-auth", "fingerprint": "673b474218818808666f7461867f04fd72d546bbe02f76bf4e9993afa99d2a39", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|673b474218818808666f7461867f04fd72d546bbe02f76bf4e9993afa99d2a39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"enterprise/server/routes/integration/jira.py"}, "region": {"startLine": 662}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /workspaces/link has no auth"}, "properties": {"repobilityId": 71012, "scanner": "repobility-route-auth", "fingerprint": "dde576a502722ebb49cd7d8d4c631635e91a33d20d8f7ec0147474a411a114d7", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|dde576a502722ebb49cd7d8d4c631635e91a33d20d8f7ec0147474a411a114d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/integration/jira.py"}, "region": {"startLine": 402}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /workspaces has no auth"}, "properties": {"repobilityId": 71011, "scanner": "repobility-route-auth", "fingerprint": "db8d34ba294ad5a6853d53512d10717eab2b3940f13c718ab4f9393562ddaa53", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|db8d34ba294ad5a6853d53512d10717eab2b3940f13c718ab4f9393562ddaa53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/integration/jira.py"}, "region": {"startLine": 338}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /events has no auth"}, "properties": {"repobilityId": 71010, "scanner": 
"repobility-route-auth", "fingerprint": "c96f5641735150a76069185b707ebc3806fb73f4d7945da75265474ef8a94d7f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|c96f5641735150a76069185b707ebc3806fb73f4d7945da75265474ef8a94d7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/integration/jira.py"}, "region": {"startLine": 282}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /workspaces/unlink has no auth"}, "properties": {"repobilityId": 71009, "scanner": "repobility-route-auth", "fingerprint": "01052de49f8b6a122d698c12ea5be23ea9c8c572c3e1c1cc6559085c3bce4fc3", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|01052de49f8b6a122d698c12ea5be23ea9c8c572c3e1c1cc6559085c3bce4fc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/integration/jira_dc.py"}, "region": {"startLine": 1010}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /workspaces/link has no auth"}, "properties": {"repobilityId": 71008, "scanner": "repobility-route-auth", "fingerprint": "92254455755f25c52c307671d7d31edf4f1721fc4fe724c5f07ea34e86c7c287", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": 
"", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|92254455755f25c52c307671d7d31edf4f1721fc4fe724c5f07ea34e86c7c287"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/integration/jira_dc.py"}, "region": {"startLine": 713}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /workspaces/status has no auth"}, "properties": {"repobilityId": 71007, "scanner": "repobility-route-auth", "fingerprint": "06b6b17484a17f1e7582878776cfb46e13766fd9a0745fd18938b887234fc6a5", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|06b6b17484a17f1e7582878776cfb46e13766fd9a0745fd18938b887234fc6a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/integration/jira_dc.py"}, "region": {"startLine": 677}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /workspaces has no auth"}, "properties": {"repobilityId": 71006, "scanner": "repobility-route-auth", "fingerprint": "fc33faed7c8cf6623836212dff8f8e0c7ae28d0eedef1d0487fb5956aace637e", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", 
"correlation_key": "fp|fc33faed7c8cf6623836212dff8f8e0c7ae28d0eedef1d0487fb5956aace637e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/integration/jira_dc.py"}, "region": {"startLine": 466}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /connections/{workspace_id}/events has no auth"}, "properties": {"repobilityId": 71005, "scanner": "repobility-route-auth", "fingerprint": "76dbe336f8d06fe8a8bfbdd9efa34a83612bb18b2a9cfe65f5762d97b8df8c15", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|76dbe336f8d06fe8a8bfbdd9efa34a83612bb18b2a9cfe65f5762d97b8df8c15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/integration/jira_dc.py"}, "region": {"startLine": 364}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /gitlab/events has no auth"}, "properties": {"repobilityId": 71004, "scanner": "repobility-route-auth", "fingerprint": "86d6976efd8216fe683c8328704f18c85e69ce226bceddd03ec785d9b79582c5", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|86d6976efd8216fe683c8328704f18c85e69ce226bceddd03ec785d9b79582c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/integration/gitlab.py"}, "region": 
{"startLine": 83}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI DELETE /users/{user_id}/orgs/{org_id}/api-keys/{key_name} has no auth"}, "properties": {"repobilityId": 71003, "scanner": "repobility-route-auth", "fingerprint": "7840b6c2bba96f712e4e3cd06465e9717a626d1ac5fedf8a26386071233b01e7", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|7840b6c2bba96f712e4e3cd06465e9717a626d1ac5fedf8a26386071233b01e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/service.py"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /users/{user_id}/orgs/{org_id}/api-keys has no auth"}, "properties": {"repobilityId": 71002, "scanner": "repobility-route-auth", "fingerprint": "fe87c0e6478225e06eb190314179a64329aa387c3bdde28e0a0086300169406e", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|fe87c0e6478225e06eb190314179a64329aa387c3bdde28e0a0086300169406e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/service.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI PUT /resend has no auth"}, "properties": {"repobilityId": 71001, "scanner": "repobility-route-auth", 
"fingerprint": "8baa998ea04a72201111ebcc49ecb2b35fc02c40194cffb4ca878f1a5a7ef9ee", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|8baa998ea04a72201111ebcc49ecb2b35fc02c40194cffb4ca878f1a5a7ef9ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/email.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /token has no auth"}, "properties": {"repobilityId": 71000, "scanner": "repobility-route-auth", "fingerprint": "36cf3d7c404f54b586464ce177e4e2c66dc093685ff46a2396125c14bcdd95f8", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|36cf3d7c404f54b586464ce177e4e2c66dc093685ff46a2396125c14bcdd95f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/oauth_device.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /authorize has no auth"}, "properties": {"repobilityId": 70999, "scanner": "repobility-route-auth", "fingerprint": "82b540142e055ea0753d76a2c310ea45e701ce1dea0fd630a75da56da11b9bd4", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|82b540142e055ea0753d76a2c310ea45e701ce1dea0fd630a75da56da11b9bd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/oauth_device.py"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /github-proxy/{subdomain}/{path:path} has no auth"}, "properties": {"repobilityId": 70998, "scanner": "repobility-route-auth", "fingerprint": "711dbd545000067c1cd32f238c5b1cda7aa07d7863ad43ebac32c8e8366a37a3", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|711dbd545000067c1cd32f238c5b1cda7aa07d7863ad43ebac32c8e8366a37a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/github_proxy.py"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /github-proxy/{subdomain}/login/oauth/access_token has no auth"}, "properties": {"repobilityId": 70997, "scanner": "repobility-route-auth", "fingerprint": "183aa32344467b2b405dd660074eeb18dbb7935e12f28c737b37ee9ca7feda42", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", 
"correlation_key": "fp|183aa32344467b2b405dd660074eeb18dbb7935e12f28c737b37ee9ca7feda42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/github_proxy.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /app has no auth"}, "properties": {"repobilityId": 70996, "scanner": "repobility-route-auth", "fingerprint": "13df06204126d0dfa9178c118f806b6b2dfe45a96e7cb9866b70e82f7339b842", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|13df06204126d0dfa9178c118f806b6b2dfe45a96e7cb9866b70e82f7339b842"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/orgs.py"}, "region": {"startLine": 440}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /logout has no auth"}, "properties": {"repobilityId": 70995, "scanner": "repobility-route-auth", "fingerprint": "3a5052062733dfcf737a32383d2936e3e25e28e845f905b8f154c58808e449d4", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|3a5052062733dfcf737a32383d2936e3e25e28e845f905b8f154c58808e449d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/auth.py"}, "region": {"startLine": 1063}}}]}, {"ruleId": "MINED112", "level": "error", "message": 
{"text": "FastAPI POST /complete_onboarding has no auth"}, "properties": {"repobilityId": 70994, "scanner": "repobility-route-auth", "fingerprint": "ddbbfea57978852b7768a9a61d8acf6f8f20b06837d8e8b8ce5caac46d0b1bdc", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|ddbbfea57978852b7768a9a61d8acf6f8f20b06837d8e8b8ce5caac46d0b1bdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/auth.py"}, "region": {"startLine": 1000}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /accept_tos has no auth"}, "properties": {"repobilityId": 70993, "scanner": "repobility-route-auth", "fingerprint": "c1c23bd517bed0485f17f361ca87d1dcc9c7ffb5b9edecf3f37c583bf168cfe0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|c1c23bd517bed0485f17f361ca87d1dcc9c7ffb5b9edecf3f37c583bf168cfe0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/auth.py"}, "region": {"startLine": 859}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /authenticate has no auth"}, "properties": {"repobilityId": 70992, "scanner": "repobility-route-auth", "fingerprint": "72f81ac45692cde50945c82bbaa9b274d3bf0868712ced768e244d6d4c456a1d", "category": "quality", "severity": "high", "confidence": 0.8, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|72f81ac45692cde50945c82bbaa9b274d3bf0868712ced768e244d6d4c456a1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/auth.py"}, "region": {"startLine": 675}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /app has no auth"}, "properties": {"repobilityId": 70991, "scanner": "repobility-route-auth", "fingerprint": "42b0d6d6b43a8d28e21d902b89c97dbb631ef33e98b5f1358a22bd662e6a936d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|42b0d6d6b43a8d28e21d902b89c97dbb631ef33e98b5f1358a22bd662e6a936d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/user_app_settings.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /oauth/device/authorize has no auth"}, "properties": {"repobilityId": 70990, "scanner": "repobility-route-auth", "fingerprint": "3902493296308789606141bc26c30f7a8acb00868058b791d8cfd6abb6db7802", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], 
"observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|3902493296308789606141bc26c30f7a8acb00868058b791d8cfd6abb6db7802"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_api_key_aware_cors_middleware.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI PATCH integrations.github.github_view.INLINE_OH_LABEL has no auth"}, "properties": {"repobilityId": 70989, "scanner": "repobility-route-auth", "fingerprint": "72011846f936ab8beef7e671be4ee24e9fbb0c04112ced277c456cb73965aba3", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|72011846f936ab8beef7e671be4ee24e9fbb0c04112ced277c456cb73965aba3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_github_view.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `time.sleep` inside async function `test_search_events_timestamp_filter_with_desc_sort`"}, "properties": {"repobilityId": 70979, "scanner": "repobility-ast-engine", "fingerprint": "fa5c867387e1609de2d5182e0028cf9b5a77e429330eccbb7b61cecda0822005", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fa5c867387e1609de2d5182e0028cf9b5a77e429330eccbb7b61cecda0822005"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/app_server/test_filesystem_event_service.py"}, "region": {"startLine": 375}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `time.sleep` inside async function `test_search_events_timestamp_filter_with_desc_sort`"}, "properties": {"repobilityId": 70978, "scanner": "repobility-ast-engine", "fingerprint": "cd192d7602ed4e6e459f51746b0059a6ef7ce6a617cfe58c4d39c2635242c1da", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cd192d7602ed4e6e459f51746b0059a6ef7ce6a617cfe58c4d39c2635242c1da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/app_server/test_filesystem_event_service.py"}, "region": {"startLine": 371}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `time.sleep` inside async function `test_search_events_timestamp_filter_with_desc_sort`"}, "properties": {"repobilityId": 70977, "scanner": "repobility-ast-engine", "fingerprint": "002d2421853e8721b2d0b36e10527a3ef9c8feb20d330d3d4316a00707b37384", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|002d2421853e8721b2d0b36e10527a3ef9c8feb20d330d3d4316a00707b37384"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/app_server/test_filesystem_event_service.py"}, "region": {"startLine": 368}}}]}, {"ruleId": "MINED110", "level": 
"error", "message": {"text": "Blocking call `time.sleep` inside async function `test_search_events_filter_by_timestamp_range`"}, "properties": {"repobilityId": 70976, "scanner": "repobility-ast-engine", "fingerprint": "ba97ed31683d51d53e911d2fb071b70505fb63f3799d91ad53838cbe75579cfc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ba97ed31683d51d53e911d2fb071b70505fb63f3799d91ad53838cbe75579cfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/app_server/test_filesystem_event_service.py"}, "region": {"startLine": 345}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `time.sleep` inside async function `test_search_events_filter_by_timestamp_range`"}, "properties": {"repobilityId": 70975, "scanner": "repobility-ast-engine", "fingerprint": "8d1be1e3c88db90291afc3904a4d4610331406ed08ccbfd10b283384ad8c0839", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8d1be1e3c88db90291afc3904a4d4610331406ed08ccbfd10b283384ad8c0839"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/app_server/test_filesystem_event_service.py"}, "region": {"startLine": 342}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `time.sleep` inside async function `test_search_events_filter_by_timestamp_range`"}, "properties": {"repobilityId": 70974, "scanner": 
"repobility-ast-engine", "fingerprint": "c8feaff06ef350bfb97f87f6008101347033720b6ce80212cf78d3e83586ca3a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c8feaff06ef350bfb97f87f6008101347033720b6ce80212cf78d3e83586ca3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/app_server/test_filesystem_event_service.py"}, "region": {"startLine": 338}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `time.sleep` inside async function `test_search_events_filter_by_timestamp_range`"}, "properties": {"repobilityId": 70973, "scanner": "repobility-ast-engine", "fingerprint": "003c7265b28c2c55bb9eae85838ff75406b9328063d349aa6c65297006b0ad2b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|003c7265b28c2c55bb9eae85838ff75406b9328063d349aa6c65297006b0ad2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/app_server/test_filesystem_event_service.py"}, "region": {"startLine": 335}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `time.sleep` inside async function `test_search_events_filter_by_timestamp_lt`"}, "properties": {"repobilityId": 70972, "scanner": "repobility-ast-engine", "fingerprint": "fbb93700a76bfb0a92db58ca5920818831ae4a40d568c64c3f5cf1dd56d819ac", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fbb93700a76bfb0a92db58ca5920818831ae4a40d568c64c3f5cf1dd56d819ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/app_server/test_filesystem_event_service.py"}, "region": {"startLine": 316}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `time.sleep` inside async function `test_search_events_filter_by_timestamp_lt`"}, "properties": {"repobilityId": 70971, "scanner": "repobility-ast-engine", "fingerprint": "0cdb436a3047521d9113f09a8a642d7516ab4d6ce0839b61605c90ea7c3f71d8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0cdb436a3047521d9113f09a8a642d7516ab4d6ce0839b61605c90ea7c3f71d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/app_server/test_filesystem_event_service.py"}, "region": {"startLine": 313}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `time.sleep` inside async function `test_search_events_filter_by_timestamp_gte`"}, "properties": {"repobilityId": 70970, "scanner": "repobility-ast-engine", "fingerprint": "5bd2628243c2f0d9cf63096d96de9b5670f2241415fa5f9894fb5b76e6632c9a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], 
"observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5bd2628243c2f0d9cf63096d96de9b5670f2241415fa5f9894fb5b76e6632c9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/app_server/test_filesystem_event_service.py"}, "region": {"startLine": 290}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `time.sleep` inside async function `test_search_events_filter_by_timestamp_gte`"}, "properties": {"repobilityId": 70969, "scanner": "repobility-ast-engine", "fingerprint": "c4d1a69d8bb10c31417c81fa819fb475ad6f4877fa8ace89e370e70d1239ddcc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c4d1a69d8bb10c31417c81fa819fb475ad6f4877fa8ace89e370e70d1239ddcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/app_server/test_filesystem_event_service.py"}, "region": {"startLine": 287}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `requests.get` inside async function `jira_callback`"}, "properties": {"repobilityId": 70968, "scanner": "repobility-ast-engine", "fingerprint": "0e192517b0b02250afc8b08f3f8f8ed254c5aaf6710593101986ba115d9062e3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0e192517b0b02250afc8b08f3f8f8ed254c5aaf6710593101986ba115d9062e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"enterprise/server/routes/integration/jira.py"}, "region": {"startLine": 523}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `requests.get` inside async function `jira_callback`"}, "properties": {"repobilityId": 70967, "scanner": "repobility-ast-engine", "fingerprint": "74944f268da712ed8d459b11b55b3494e2cb6de201e04cae26db3cfd21ff781b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|74944f268da712ed8d459b11b55b3494e2cb6de201e04cae26db3cfd21ff781b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/integration/jira.py"}, "region": {"startLine": 493}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `requests.post` inside async function `jira_callback`"}, "properties": {"repobilityId": 70966, "scanner": "repobility-ast-engine", "fingerprint": "fbf82a443f7a25665baaf90299976fc2b5e5b7e0cb8b28736887076a34cb7134", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fbf82a443f7a25665baaf90299976fc2b5e5b7e0cb8b28736887076a34cb7134"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/integration/jira.py"}, "region": {"startLine": 483}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `requests.get` inside async function `jira_dc_callback`"}, "properties": {"repobilityId": 70964, "scanner": 
"repobility-ast-engine", "fingerprint": "21d71b89f3f53a75e49c1f63e985ae6f9f7d450c0c3f54e11fb85cc72e471751", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|21d71b89f3f53a75e49c1f63e985ae6f9f7d450c0c3f54e11fb85cc72e471751"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/integration/jira_dc.py"}, "region": {"startLine": 828}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `requests.post` inside async function `jira_dc_callback`"}, "properties": {"repobilityId": 70963, "scanner": "repobility-ast-engine", "fingerprint": "a1288608395cc878e31c4ee393b0b36cc0507da4af5e9b7fe3f6b67b60434caf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a1288608395cc878e31c4ee393b0b36cc0507da4af5e9b7fe3f6b67b60434caf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/integration/jira_dc.py"}, "region": {"startLine": 814}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_delete_key_by_alias_not_found"}, "properties": {"repobilityId": 70952, "scanner": "repobility-ast-engine", "fingerprint": "c17dc169340356fa7fe7060260384542992ded307be419574fd4e044a8d08247", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": 
true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c17dc169340356fa7fe7060260384542992ded307be419574fd4e044a8d08247"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_lite_llm_manager.py"}, "region": {"startLine": 1673}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_delete_key_not_found"}, "properties": {"repobilityId": 70951, "scanner": "repobility-ast-engine", "fingerprint": "c06206493c4eb7dd2b393413138b4914bd002c7c74b15fb1de952974672c9510", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c06206493c4eb7dd2b393413138b4914bd002c7c74b15fb1de952974672c9510"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_lite_llm_manager.py"}, "region": {"startLine": 1587}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_update_key_other_error_raises_exception"}, "properties": {"repobilityId": 70950, "scanner": "repobility-ast-engine", "fingerprint": "e58629bccdd11334275a9ea773b994e163c6e90e842b850231650b78caf8054e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e58629bccdd11334275a9ea773b994e163c6e90e842b850231650b78caf8054e"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_lite_llm_manager.py"}, "region": {"startLine": 1365}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_update_key_invalid_key_returns_gracefully"}, "properties": {"repobilityId": 70949, "scanner": "repobility-ast-engine", "fingerprint": "a1a795992119e8f84bd3a2ae93d81f89f64435f092e95414b5ecd16cc57a103f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a1a795992119e8f84bd3a2ae93d81f89f64435f092e95414b5ecd16cc57a103f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_lite_llm_manager.py"}, "region": {"startLine": 1340}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_add_user_to_team_other_error_raises_exception"}, "properties": {"repobilityId": 70948, "scanner": "repobility-ast-engine", "fingerprint": "35477a57bad9b3bb3f2c8e2a72328feaa0e73eedeb47b281aeff07674f593edf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|35477a57bad9b3bb3f2c8e2a72328feaa0e73eedeb47b281aeff07674f593edf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_lite_llm_manager.py"}, "region": {"startLine": 1296}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: 
test_add_user_to_team_already_in_team"}, "properties": {"repobilityId": 70947, "scanner": "repobility-ast-engine", "fingerprint": "f1f44fb80332f94c2cd3c498f6ecb2e740a9391aa500e1fef3bb438e72177046", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f1f44fb80332f94c2cd3c498f6ecb2e740a9391aa500e1fef3bb438e72177046"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_lite_llm_manager.py"}, "region": {"startLine": 1265}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_create_team_error"}, "properties": {"repobilityId": 70946, "scanner": "repobility-ast-engine", "fingerprint": "ab96829db1ca6dc3825f2c1e7471443fb9243c8e98d1b5693c3b8648a3efa19f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ab96829db1ca6dc3825f2c1e7471443fb9243c8e98d1b5693c3b8648a3efa19f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_lite_llm_manager.py"}, "region": {"startLine": 904}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_create_team_already_exists"}, "properties": {"repobilityId": 70945, "scanner": "repobility-ast-engine", "fingerprint": "15fb589db763466de6db281f07dcc6f4ceb897ed350b39396a7c1ce15370da38", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": 
"", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|15fb589db763466de6db281f07dcc6f4ceb897ed350b39396a7c1ce15370da38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_lite_llm_manager.py"}, "region": {"startLine": 882}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_update_team_and_users_budget_missing_config"}, "properties": {"repobilityId": 70944, "scanner": "repobility-ast-engine", "fingerprint": "8093ea989e0de4bfc334f57d13e69dd07d9591026762636643cde85210d47792", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8093ea989e0de4bfc334f57d13e69dd07d9591026762636643cde85210d47792"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_lite_llm_manager.py"}, "region": {"startLine": 834}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_middleware_does_not_block_request"}, "properties": {"repobilityId": 70943, "scanner": "repobility-ast-engine", "fingerprint": "6753a2c7fc5473187d661e6cfa40c4c4575b2d63b8763b13fd07284956bf0fcc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|6753a2c7fc5473187d661e6cfa40c4c4575b2d63b8763b13fd07284956bf0fcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_posthog_session_middleware.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_get_openhands_api_key_raises_for_user_without_org"}, "properties": {"repobilityId": 70942, "scanner": "repobility-ast-engine", "fingerprint": "41a629863f41952a6f97d87004af480329d1c2604731529f4c87e8792ad61976", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|41a629863f41952a6f97d87004af480329d1c2604731529f4c87e8792ad61976"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_saas_user_auth.py"}, "region": {"startLine": 1002}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_get_openhands_api_key_raises_for_missing_user"}, "properties": {"repobilityId": 70941, "scanner": "repobility-ast-engine", "fingerprint": "d6157f49b4658b9fb3ccb5268e0e61f8eeff1ad8f1b68d748f328e040f0a40cb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d6157f49b4658b9fb3ccb5268e0e61f8eeff1ad8f1b68d748f328e040f0a40cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_saas_user_auth.py"}, "region": {"startLine": 977}}}]}, {"ruleId": 
"MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_saas_user_auth_from_cookie_exception"}, "properties": {"repobilityId": 70940, "scanner": "repobility-ast-engine", "fingerprint": "3daaea05baa31e8738479fce83af804eef9c054633b6bf18b00b4c67583c6040", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3daaea05baa31e8738479fce83af804eef9c054633b6bf18b00b4c67583c6040"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_saas_user_auth.py"}, "region": {"startLine": 600}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_saas_user_auth_from_bearer_exception"}, "properties": {"repobilityId": 70939, "scanner": "repobility-ast-engine", "fingerprint": "d7c747bbd42a9d383cc7a709ad917c25de5a6ab31aff181519cfb51d9508a0ac", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d7c747bbd42a9d383cc7a709ad917c25de5a6ab31aff181519cfb51d9508a0ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_saas_user_auth.py"}, "region": {"startLine": 551}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_get_instance_no_auth"}, "properties": {"repobilityId": 70938, "scanner": "repobility-ast-engine", "fingerprint": "1f6013a35f8d4f04dfd2a7d995f8d81413a73e0d1dd02c000b593e362a2ea16b", 
"category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1f6013a35f8d4f04dfd2a7d995f8d81413a73e0d1dd02c000b593e362a2ea16b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_saas_user_auth.py"}, "region": {"startLine": 453}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_get_provider_tokens"}, "properties": {"repobilityId": 70937, "scanner": "repobility-ast-engine", "fingerprint": "86f99bdab24df6dc817545d85fddc2cf6f2b8c39dd6cde13cb4ee58af79d04a9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|86f99bdab24df6dc817545d85fddc2cf6f2b8c39dd6cde13cb4ee58af79d04a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_saas_user_auth.py"}, "region": {"startLine": 217}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_create_new_conversation_routes_to_v1"}, "properties": {"repobilityId": 70936, "scanner": "repobility-ast-engine", "fingerprint": "432adad49505552d20df25ec39e6ec5e0e096c140cb8ee9b74c1ab06071740a6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], 
"observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|432adad49505552d20df25ec39e6ec5e0e096c140cb8ee9b74c1ab06071740a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_github_view.py"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_handle_slack_error_no_view"}, "properties": {"repobilityId": 70935, "scanner": "repobility-ast-engine", "fingerprint": "d414503014f2cc98e6b07b35e93ff796be7b2c446fed8267f3e4804e14d8be7f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d414503014f2cc98e6b07b35e93ff796be7b2c446fed8267f3e4804e14d8be7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_slack_integration.py"}, "region": {"startLine": 1156}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_store_user_msg_for_form"}, "properties": {"repobilityId": 70934, "scanner": "repobility-ast-engine", "fingerprint": "9bf505f86bed7b72415875a930da22d4e3fa55a101cd970bc064bfeb21372dfa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9bf505f86bed7b72415875a930da22d4e3fa55a101cd970bc064bfeb21372dfa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_slack_integration.py"}, "region": 
{"startLine": 536}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_delete_org_with_cleanup_org_not_found"}, "properties": {"repobilityId": 70933, "scanner": "repobility-ast-engine", "fingerprint": "7a72b2471aef18e77d7103e0bf6b32951b993e8f5ffd67700c52749e0f1aeeb5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7a72b2471aef18e77d7103e0bf6b32951b993e8f5ffd67700c52749e0f1aeeb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_org_service.py"}, "region": {"startLine": 1028}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_delete_org_with_cleanup_authorization_failure"}, "properties": {"repobilityId": 70932, "scanner": "repobility-ast-engine", "fingerprint": "f1d8081fd61e5816b6508b62131fefab95b1d407bed0d6d28ab60979dc50f259", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f1d8081fd61e5816b6508b62131fefab95b1d407bed0d6d28ab60979dc50f259"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_org_service.py"}, "region": {"startLine": 1008}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_verify_owner_authorization_success"}, "properties": {"repobilityId": 70931, "scanner": "repobility-ast-engine", "fingerprint": 
"2326bbb7775db1614cf5a0795cb2727dfd499c7b19ea2a4df3a89e5f9985bbd3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2326bbb7775db1614cf5a0795cb2727dfd499c7b19ea2a4df3a89e5f9985bbd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_org_service.py"}, "region": {"startLine": 813}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_get_user_orgs_paginated_invalid_user_id_format"}, "properties": {"repobilityId": 70930, "scanner": "repobility-ast-engine", "fingerprint": "47d6ee5d0712c0d8bc43f77fbf6edbc1cd97d98f00835aedb646ba2834267ca9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|47d6ee5d0712c0d8bc43f77fbf6edbc1cd97d98f00835aedb646ba2834267ca9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_org_service.py"}, "region": {"startLine": 796}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_create_org_with_owner_duplicate_name"}, "properties": {"repobilityId": 70929, "scanner": "repobility-ast-engine", "fingerprint": "108cb5a6ca872f576b08df5738f638930cb7b0ffb2320f1502783a6a173c530f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|108cb5a6ca872f576b08df5738f638930cb7b0ffb2320f1502783a6a173c530f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_org_service.py"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_validate_name_uniqueness_with_unique_name"}, "properties": {"repobilityId": 70928, "scanner": "repobility-ast-engine", "fingerprint": "5d64f344f46929497d15b762cecfbe36bdd0e409a167347072d2c7fd836cbc09", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5d64f344f46929497d15b762cecfbe36bdd0e409a167347072d2c7fd836cbc09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_org_service.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._ensure_api_key` used but never assigned in __init__"}, "properties": {"repobilityId": 70919, "scanner": "repobility-ast-engine", "fingerprint": "743b5467a94866f3434ed356fdd66bfcfe444a7cd983ae183fbeede4196d0348", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|743b5467a94866f3434ed356fdd66bfcfe444a7cd983ae183fbeede4196d0348"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/saas_settings_store.py"}, "region": {"startLine": 354}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get_persisted_agent_settings` used but never assigned in __init__"}, "properties": {"repobilityId": 70918, "scanner": "repobility-ast-engine", "fingerprint": "cbfffac117e9414c2fd047a62be0e85f62b45dc48d992887610df0e1121461df", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cbfffac117e9414c2fd047a62be0e85f62b45dc48d992887610df0e1121461df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/saas_settings_store.py"}, "region": {"startLine": 358}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._resolve_org_id` used but never assigned in __init__"}, "properties": {"repobilityId": 70917, "scanner": "repobility-ast-engine", "fingerprint": "b6182088d473e9e30c70fbf632dad3d1dfe41f68528826068e3089aa651c3500", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b6182088d473e9e30c70fbf632dad3d1dfe41f68528826068e3089aa651c3500"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/saas_settings_store.py"}, "region": {"startLine": 326}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._persist_seeded_default_profile` used but never assigned in __init__"}, 
"properties": {"repobilityId": 70916, "scanner": "repobility-ast-engine", "fingerprint": "6668bb27aeb5af774d24efb421ecf40f4dd45246a295237e931eeee3837e5997", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6668bb27aeb5af774d24efb421ecf40f4dd45246a295237e931eeee3837e5997"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/saas_settings_store.py"}, "region": {"startLine": 249}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get_effective_llm_api_key` used but never assigned in __init__"}, "properties": {"repobilityId": 70915, "scanner": "repobility-ast-engine", "fingerprint": "c12f85ce5921dab0c082cac5710b651da18547bfb9dfad312f9501b045e4b412", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c12f85ce5921dab0c082cac5710b651da18547bfb9dfad312f9501b045e4b412"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/saas_settings_store.py"}, "region": {"startLine": 185}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._resolve_org_id` used but never assigned in __init__"}, "properties": {"repobilityId": 70914, "scanner": "repobility-ast-engine", "fingerprint": "a5c0646356d85efe7a299315360ebb95fc17ccbbd0b946d368ad207001bd9c0c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a5c0646356d85efe7a299315360ebb95fc17ccbbd0b946d368ad207001bd9c0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/saas_settings_store.py"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.update_webhook` used but never assigned in __init__"}, "properties": {"repobilityId": 70911, "scanner": "repobility-ast-engine", "fingerprint": "e4e08ed8753e19c33d90a897dd57552e52faa4b5a29cf74c69006eaf61dcdea3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e4e08ed8753e19c33d90a897dd57552e52faa4b5a29cf74c69006eaf61dcdea3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/gitlab_webhook_store.py"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.is_expired` used but never assigned in __init__"}, "properties": {"repobilityId": 70909, "scanner": "repobility-ast-engine", "fingerprint": "b0a61118fab65a8167af14c5e0d85e010b55d4cd7aa8d2f8fc5695194ae88206", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|b0a61118fab65a8167af14c5e0d85e010b55d4cd7aa8d2f8fc5695194ae88206"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/device_code.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.get_repo_id` used but never assigned in __init__"}, "properties": {"repobilityId": 70908, "scanner": "repobility-ast-engine", "fingerprint": "95239d5ebe882ba8eeda5699c6f52250d0f64c00ca3ed6872e95e4046df55023", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|95239d5ebe882ba8eeda5699c6f52250d0f64c00ca3ed6872e95e4046df55023"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/proactive_conversation_store.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._validate_org_version` used but never assigned in __init__"}, "properties": {"repobilityId": 70906, "scanner": "repobility-ast-engine", "fingerprint": "c7dd5ad4b1971d4d75c3dee9b9322f56585c97c3739e989c5bc26e9639bd487b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c7dd5ad4b1971d4d75c3dee9b9322f56585c97c3739e989c5bc26e9639bd487b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/org_app_settings_store.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": 
"`self.get_org_by_id` used but never assigned in __init__"}, "properties": {"repobilityId": 70905, "scanner": "repobility-ast-engine", "fingerprint": "4f08e6aed6698565b123c39e02b1812f98cbcb901322cad7762903bc15d34ef5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4f08e6aed6698565b123c39e02b1812f98cbcb901322cad7762903bc15d34ef5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/org_app_settings_store.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.load_tokens` used but never assigned in __init__"}, "properties": {"repobilityId": 70904, "scanner": "repobility-ast-engine", "fingerprint": "dc86e011404ad942bebd4892b2646d29743208d345b6ac70234b649523108d3d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dc86e011404ad942bebd4892b2646d29743208d345b6ac70234b649523108d3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/auth_token_store.py"}, "region": {"startLine": 275}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.load_tokens` used but never assigned in __init__"}, "properties": {"repobilityId": 70903, "scanner": "repobility-ast-engine", "fingerprint": "d3634c1a238d56be46be6c63c2a27acf8513873b4da03fce41ef5d80393f36e8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d3634c1a238d56be46be6c63c2a27acf8513873b4da03fce41ef5d80393f36e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/auth_token_store.py"}, "region": {"startLine": 259}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.identity_provider_value` used but never assigned in __init__"}, "properties": {"repobilityId": 70902, "scanner": "repobility-ast-engine", "fingerprint": "77c4a2ea09866bc2dfaf5a1751eb0e299fb20afa099b2df60a8c8305088ce5ed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|77c4a2ea09866bc2dfaf5a1751eb0e299fb20afa099b2df60a8c8305088ce5ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/auth_token_store.py"}, "region": {"startLine": 182}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.identity_provider_value` used but never assigned in __init__"}, "properties": {"repobilityId": 70901, "scanner": "repobility-ast-engine", "fingerprint": "4527b93c38dbb45374b2fadaa3905685f33e19b1592414ee6ce14b1682d4e5ca", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|4527b93c38dbb45374b2fadaa3905685f33e19b1592414ee6ce14b1682d4e5ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/auth_token_store.py"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._is_token_expired` used but never assigned in __init__"}, "properties": {"repobilityId": 70900, "scanner": "repobility-ast-engine", "fingerprint": "13e98c30d7d24a2b6e980bd347ac0465b9e36eccd42cb313c285c10d4ea5c227", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|13e98c30d7d24a2b6e980bd347ac0465b9e36eccd42cb313c285c10d4ea5c227"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/auth_token_store.py"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._is_token_expired` used but never assigned in __init__"}, "properties": {"repobilityId": 70899, "scanner": "repobility-ast-engine", "fingerprint": "6f915888ed9682566dc05d98112992f37c08cccffe63a9093a7e37d4891e3dfa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6f915888ed9682566dc05d98112992f37c08cccffe63a9093a7e37d4891e3dfa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/auth_token_store.py"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": 
"`self.identity_provider_value` used but never assigned in __init__"}, "properties": {"repobilityId": 70898, "scanner": "repobility-ast-engine", "fingerprint": "6fe338fa7334603f1a938cffe6752a8d6bddc473b2df8be62b67adcb4d431337", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6fe338fa7334603f1a938cffe6752a8d6bddc473b2df8be62b67adcb4d431337"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/auth_token_store.py"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.identity_provider_value` used but never assigned in __init__"}, "properties": {"repobilityId": 70897, "scanner": "repobility-ast-engine", "fingerprint": "eb48dd2bb232a4dc64bce32d4ad505caaf0fc6a83083050be57174bac1fccfc9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eb48dd2bb232a4dc64bce32d4ad505caaf0fc6a83083050be57174bac1fccfc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/auth_token_store.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.is_system_key_name` used but never assigned in __init__"}, "properties": {"repobilityId": 70896, "scanner": "repobility-ast-engine", "fingerprint": "dc77f004f1b8911f7abc9b27984334ab2332664a075d6ad6e20e4703ff621af6", "category": "quality", "severity": "high", "confidence": 1.0, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dc77f004f1b8911f7abc9b27984334ab2332664a075d6ad6e20e4703ff621af6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/api_key_store.py"}, "region": {"startLine": 391}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.is_system_key_name` used but never assigned in __init__"}, "properties": {"repobilityId": 70895, "scanner": "repobility-ast-engine", "fingerprint": "0c27beac3c67a36f6b2764fad4e2cfa6fab13f2baa0a93634daa130d9d1efe2b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0c27beac3c67a36f6b2764fad4e2cfa6fab13f2baa0a93634daa130d9d1efe2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/api_key_store.py"}, "region": {"startLine": 326}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.is_system_key_name` used but never assigned in __init__"}, "properties": {"repobilityId": 70894, "scanner": "repobility-ast-engine", "fingerprint": "a0b707b011e621f343388e69ea50d4172be34e289c1aa1787b0b55b66ad96bac", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|a0b707b011e621f343388e69ea50d4172be34e289c1aa1787b0b55b66ad96bac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/api_key_store.py"}, "region": {"startLine": 281}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.generate_api_key` used but never assigned in __init__"}, "properties": {"repobilityId": 70893, "scanner": "repobility-ast-engine", "fingerprint": "d514f83bad76e6cdbf83bd05edafff6e48f0fed752f7a661a9df139dd9668865", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d514f83bad76e6cdbf83bd05edafff6e48f0fed752f7a661a9df139dd9668865"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/api_key_store.py"}, "region": {"startLine": 182}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.make_system_key_name` used but never assigned in __init__"}, "properties": {"repobilityId": 70892, "scanner": "repobility-ast-engine", "fingerprint": "990a9c6603b02fc494a0b31ba716e1a6fd0d95b8a68fade367112372d8736d0a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|990a9c6603b02fc494a0b31ba716e1a6fd0d95b8a68fade367112372d8736d0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/api_key_store.py"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.generate_api_key` used 
but never assigned in __init__"}, "properties": {"repobilityId": 70891, "scanner": "repobility-ast-engine", "fingerprint": "62dea103f17386f16a9097336ec5339f8584567fe3198c08cb3dbcdc30c4b6f0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|62dea103f17386f16a9097336ec5339f8584567fe3198c08cb3dbcdc30c4b6f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/api_key_store.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "GHSA-5xrq-8626-4rwp", "level": "error", "message": {"text": "vitest: GHSA-5xrq-8626-4rwp"}, "properties": {"repobilityId": 71310, "scanner": "osv-scanner", "fingerprint": "9c62df8cf0ef73d8c45a4d0a83cbfa62e458da2e25696e4124c1342ac057d925", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47429"], "package": "vitest", "rule_id": "GHSA-5xrq-8626-4rwp", "scanner": "osv-scanner", "correlation_key": "vuln|vitest|CVE-2026-47429|openhands-ui/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands-ui/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 71257, "scanner": "gitleaks", "fingerprint": "63ae2a08bfad048283ffbc60a97874e8ed0754ef05baa3011563cc234bbb16bc", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": 
"session_api_key=<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|29|session_api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/app_server/utils/logger/test_logger.py"}, "region": {"startLine": 298}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 71256, "scanner": "gitleaks", "fingerprint": "1e1a535965b8779314958a03e9f30af110d5457cf91b56ce8eac52628febb4b8", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "api_key = '<redacted>'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|5|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/app_server/utils/logger/test_logging.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 71255, "scanner": "gitleaks", "fingerprint": "38a6eccd2b675d4e2f11816913a7ceb24734e4b01457e529b2f1b0282ec78336", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "api_key = '<redacted>'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|4|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/app_server/utils/logger/test_logging.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "generic-api-key", "level": 
"error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 71254, "scanner": "gitleaks", "fingerprint": "fa90d4bd8e5937c3d7122a90172862385623d78d905dd3f723931ecadda2f2b2", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "api_key = '<redacted>'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|3|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/app_server/utils/logger/test_logging.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 71253, "scanner": "gitleaks", "fingerprint": "60ea9cbbc0e99f01a98509d92e9c508b71469a1f6ea34c6da5d64e70e8fbc007", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "session_api_key = '<redacted>'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|7|session_api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/app_server/test_webhook_router_auth.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 71252, "scanner": "gitleaks", "fingerprint": "c2bbaea2471e188a29abc9b0ec79865113e98b10bc861c661a91c4aabdb47faa", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "OSS_DEFAULT_KEY = 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|1|oss_default_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/app_server/test_default_web_client_config_injector.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 71251, "scanner": "gitleaks", "fingerprint": "4d3b743e116fc9fb40b00fcb7b4e4b6f59700d1f8e1d94d2bd7cd24621ee7d10", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "_OSS_POSTHOG_KEY = 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|2|_oss_posthog_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/web_client/default_web_client_config_injector.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 71250, "scanner": "gitleaks", "fingerprint": "8d9a6700af370e2ca00f90e9f03564d28cd55f9cb2492465c61a743096eac33c", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "posthog_client_key = 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|1|posthog_client_key redacted"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "openhands/app_server/server_config/server_config.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 71249, "scanner": "gitleaks", "fingerprint": "1c4ea9e5b9bd4d9607a16e1a709b42698a6fd99c434212560b474a1f6a6a84b3", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "expected_api_key = '<redacted>'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|113|expected_api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_saas_user_auth.py"}, "region": {"startLine": 1137}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 71248, "scanner": "gitleaks", "fingerprint": "fe90aaeb4611af3c5db5d4fe8f58e7db060e5271e8b759f879fbeb3eb0719b6b", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "expected_api_key = '<redacted>'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|109|expected_api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_saas_user_auth.py"}, "region": {"startLine": 1091}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 71247, "scanner": 
"gitleaks", "fingerprint": "b70ff032ad9d1ac2eb0e39784b7553e6d82aaa2f6019e748ab2e26c5bc43937e", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "expected_api_key = '<redacted>'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|102|expected_api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_saas_user_auth.py"}, "region": {"startLine": 1027}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 71246, "scanner": "gitleaks", "fingerprint": "ccfa907c6299a8e27891dac0722630cf1ef0f7288a15502ac4471ab2a8fc174f", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "expected_api_key = '<redacted>'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|94|expected_api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_saas_user_auth.py"}, "region": {"startLine": 941}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 71245, "scanner": "gitleaks", "fingerprint": "d8da3187bfdcdc83a33046d8b87d64572ef620064d581d48aaf176d038817f7a", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "key='REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", 
"detector": "generic-api-key", "correlation_key": "secret|token|29|key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/storage/test_api_key_store.py"}, "region": {"startLine": 293}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 71244, "scanner": "gitleaks", "fingerprint": "195c3162adf65d9d9fa645a529d4d4985137740f3e22c16db04efcaaf88fc6f3", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "key='REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|19|key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/storage/test_api_key_store.py"}, "region": {"startLine": 191}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 71243, "scanner": "gitleaks", "fingerprint": "71950d0ec29235c668c72d94d30179e02d9743cefddc00df21962a5d39d94b06", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "UserSettings.keycloak_user_id == 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|29|token redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/test_saas_settings_store.py"}, "region": {"startLine": 299}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to 
various services and sensitive operations."}, "properties": {"repobilityId": 71242, "scanner": "gitleaks", "fingerprint": "91866f3ac7bbb0a7cd467c7fae0d3d66740fa1d767286a27c2c22e035317d040", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "byor_key = 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|8|byor_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/server/routes/test_api_keys.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 71241, "scanner": "gitleaks", "fingerprint": "23a401bcccabe20a21d9498e43381fc2e9f2deb63ea85eeb37dc06d34f4c7988", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "byor_key = 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|6|byor_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/server/routes/test_api_keys.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 71240, "scanner": "gitleaks", "fingerprint": "9690ca0865eaff739ca88b657dffc378f414762a0c5f3925226171d679794bba", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "byor_key = 
'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|3|byor_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/server/routes/test_api_keys.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 71239, "scanner": "gitleaks", "fingerprint": "c299ebcfc47153a8636a0446b5269bd054c54902930eb54bc319df77e4faf4e4", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "response.key == 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|18|response.key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/tests/unit/routes/test_service.py"}, "region": {"startLine": 183}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 71238, "scanner": "gitleaks", "fingerprint": "95788978fe6519812651755567d9be0e8fb481d93a9d8bdf2c7de2e1607db6d8", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "token\": \"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|29|token : redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/integration/slack.py"}, "region": {"startLine": 300}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": 
"Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 71237, "scanner": "gitleaks", "fingerprint": "5c930028e15c106b7541727b51bb57f714b7c9a0bae11e17091afcddcf09ed94", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "key=\"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|28|key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/doc/design-doc/openhands-enterprise-telemetry-design.md"}, "region": {"startLine": 288}}}]}, {"ruleId": "DKC008", "level": "error", "message": {"text": "Compose service mounts the Docker socket"}, "properties": {"repobilityId": 71235, "scanner": "repobility-docker", "fingerprint": "f528da75a5b9f81fbc23bb38b8f1f5abd0e5791b9cbf25e55bb3df60d207d1e9", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Volume mount references /var/run/docker.sock.", "evidence": {"rule_id": "DKC008", "scanner": "repobility-docker", "service": "openhands", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f528da75a5b9f81fbc23bb38b8f1f5abd0e5791b9cbf25e55bb3df60d207d1e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC008", "level": "error", "message": {"text": "Compose service mounts the Docker socket"}, "properties": {"repobilityId": 71231, "scanner": "repobility-docker", "fingerprint": "ab2c7169475f720127b15eebe53f9a33c5c7949acad6950fe2470d4fc05679f7", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "Volume mount references /var/run/docker.sock.", "evidence": {"rule_id": "DKC008", "scanner": "repobility-docker", "service": "dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ab2c7169475f720127b15eebe53f9a33c5c7949acad6950fe2470d4fc05679f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/dev/compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC001", "level": "error", "message": {"text": "Compose service runs privileged"}, "properties": {"repobilityId": 71229, "scanner": "repobility-docker", "fingerprint": "ba02d556808e56baf107331ea22da32aa93c303f9cc9b1ca17030d082363edf2", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "privileged: true was set on the service.", "evidence": {"rule_id": "DKC001", "scanner": "repobility-docker", "service": "dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ba02d556808e56baf107331ea22da32aa93c303f9cc9b1ca17030d082363edf2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "containers/dev/compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. 
These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 71197, "scanner": "repobility-threat-engine", "fingerprint": "14d4f188ee6977d657e41cb96e1c80b8caecc651a73738a3dfe0cca9df830de7", "category": "credential_exposure", "severity": "critical", "confidence": 0.45, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: migration script (typical placeholder values)]", "evidence": {"match": "postgresql://{db_session.user}:{password_value}@", "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: migration script (typical placeholder values)]", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 0.45, "correlation_key": "secret|token|7|postgresql:// db_session.user : password_value"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/app_lifespan/alembic/env.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 71168, "scanner": "repobility-threat-engine", "fingerprint": "4b6928a6c0f614c02611dc5b641c49ff72371baa7dc41762ed0a64ebb8ec253a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(self", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4b6928a6c0f614c02611dc5b641c49ff72371baa7dc41762ed0a64ebb8ec253a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "openhands/app_server/settings/llm_profiles.py"}, "region": {"startLine": 163}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 71167, "scanner": "repobility-threat-engine", "fingerprint": "cfcbe56b7ed4a5a9d8f8d43864898ec540c20016016529249f602200c1bc41e5", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(translationJsonPath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cfcbe56b7ed4a5a9d8f8d43864898ec540c20016016529249f602200c1bc41e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/check-translation-completeness.cjs"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.OPENHANDS_BOT_GITHUB_PAT_PUBLIC` on a `pull_request` trigger"}, "properties": {"repobilityId": 71051, "scanner": "repobility-supply-chain", "fingerprint": "67f20f549f0f640fb10b40615907a67ad281db6b9a2012bd8c5b320c6d11913f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|67f20f549f0f640fb10b40615907a67ad281db6b9a2012bd8c5b320c6d11913f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-artifacts.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `email` used but not imported"}, "properties": {"repobilityId": 70962, "scanner": "repobility-ast-engine", "fingerprint": 
"b1a9e3048086ee093bfcdccd91051628af09a8df8f8cdd2aeb176e4f3f941f4f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b1a9e3048086ee093bfcdccd91051628af09a8df8f8cdd2aeb176e4f3f941f4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/auth/email_validation.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `email` used but not imported"}, "properties": {"repobilityId": 70961, "scanner": "repobility-ast-engine", "fingerprint": "f20504e09b909895d2af270d4a5d66948fc6e1f262ecfa3587b2f13c779e7b9a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f20504e09b909895d2af270d4a5d66948fc6e1f262ecfa3587b2f13c779e7b9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/auth/recaptcha_service.py"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `email` used but not imported"}, "properties": {"repobilityId": 70958, "scanner": "repobility-ast-engine", "fingerprint": "4df35230ecb73c491b13f9733ecbe0d87e9d3c03af5c32448c015b27c2ff095d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": 
"A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4df35230ecb73c491b13f9733ecbe0d87e9d3c03af5c32448c015b27c2ff095d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/routes/auth.py"}, "region": {"startLine": 917}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `email` used but not imported"}, "properties": {"repobilityId": 70957, "scanner": "repobility-ast-engine", "fingerprint": "08374cf9a6c6760932c1fbea1e34676d6c82005585ad416d82388e7cc540db29", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|08374cf9a6c6760932c1fbea1e34676d6c82005585ad416d82388e7cc540db29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/server/services/org_invitation_service.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `email` used but not imported"}, "properties": {"repobilityId": 70956, "scanner": "repobility-ast-engine", "fingerprint": "7e3a57830d0d1a618ecc689a1a073c83c6fae12d527581d4ad701d5997f89e07", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7e3a57830d0d1a618ecc689a1a073c83c6fae12d527581d4ad701d5997f89e07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"enterprise/tests/unit/test_recaptcha_service.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `email` used but not imported"}, "properties": {"repobilityId": 70923, "scanner": "repobility-ast-engine", "fingerprint": "81bba8a899b138152c5d9da334b98957d84549e42f0fdb17301323b2b3c8f9cb", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|81bba8a899b138152c5d9da334b98957d84549e42f0fdb17301323b2b3c8f9cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/sync/resend_keycloak.py"}, "region": {"startLine": 355}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `email` used but not imported"}, "properties": {"repobilityId": 70920, "scanner": "repobility-ast-engine", "fingerprint": "95e88acc96834386aa7f112d0834186e80870ef2fa813af89a89f71fb702d9fa", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|95e88acc96834386aa7f112d0834186e80870ef2fa813af89a89f71fb702d9fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/org_invitation_store.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `email` used but not imported"}, "properties": {"repobilityId": 70912, "scanner": "repobility-ast-engine", "fingerprint": 
"c538693faae00e03c74f5856d39d36f2b3746c4f83e4dab9d7a68a4a4bbc67e2", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c538693faae00e03c74f5856d39d36f2b3746c4f83e4dab9d7a68a4a4bbc67e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/user_store.py"}, "region": {"startLine": 734}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `email` used but not imported"}, "properties": {"repobilityId": 70910, "scanner": "repobility-ast-engine", "fingerprint": "dfe14ef5e7dc7d734bc897e2422c6c8aa960f446e6a41c42f55b5cf7a19fdf4d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dfe14ef5e7dc7d734bc897e2422c6c8aa960f446e6a41c42f55b5cf7a19fdf4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "enterprise/storage/resend_synced_user_store.py"}, "region": {"startLine": 31}}}]}]}]}