{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB014", "name": "security.txt is missing an Expires field", "shortDescription": {"text": "security.txt is missing an Expires field"}, "fullDescription": {"text": "Expires helps readers know whether the disclosure instructions are still current."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found in a documentation, catalog, or template-heavy repository", "shortDescription": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "fullDescription": {"text": "If this repository ships runnable code, add focused tests for those examples or templates. If it is documentation/catalog content only, mark the finding as accepted or add a .repobilityignore note."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "info", "confidence": 0.35, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/440"}, "properties": {"repository": "OWASP/wstg", "repoUrl": "https://github.com/OWASP/wstg.git", "branch": "master"}, "results": [{"ruleId": "WEB014", "level": "note", "message": {"text": "security.txt is missing an Expires field"}, "properties": {"repobilityId": 22482, "scanner": "repobility-web-presence", "fingerprint": "9fdc17abe5e61f48e043bb6035844dab3657f8001524187fb52aa85c00241bb0", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered security.txt file or route lacks Expires.", "evidence": {"rule_id": "WEB014", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116"], "correlation_key": "fp|9fdc17abe5e61f48e043bb6035844dab3657f8001524187fb52aa85c00241bb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "document/4-Web_Application_Security_Testing/01-Information_Gathering/03-Review_Webserver_Metafiles_for_Information_Leakage.md"}, "region": {"startLine": 1}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "none", "message": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "properties": {"repobilityId": 22463, "scanner": "repobility-core", "fingerprint": "69cfb3536a8ccff500ccafcd681fc8d4bc9f4eda6689da02ddec81654bd9fd15", "category": "testing", "severity": "info", "confidence": 0.35, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "evidence": {"reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "confidence": 0.35, "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 22481, "scanner": "repobility-threat-engine", "fingerprint": "e37a0c007c7fa9aa2f5c1bab455a378269d91396e43bae60b8cdf4189d2760a1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e37a0c007c7fa9aa2f5c1bab455a378269d91396e43bae60b8cdf4189d2760a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/json/scripts/generate_checklist_json.py"}, "region": {"startLine": 532}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 22480, "scanner": "repobility-threat-engine", "fingerprint": "8d67f927c6de6e5f2d9b28022bb10b4ac23cd256771483836c311cefb34d62ba", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(req, timeout=REQUEST", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|. token|110|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/json/scripts/generate_checklist_json.py"}, "region": {"startLine": 110}}}]}]}]}