{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. 
Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC012", "name": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json", "shortDescription": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. 
Public production APIs should explicitly disable those defaults, protect them behind admin authentication, "}, "fullDescription": {"text": "Set docs_url=None, redoc_url=None, and openapi_url=None for production apps unless the docs are intentionally public and protected by routing, ingress, or an authenticated docs handler."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE "}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /{settings.api_prefix"}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. 
For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC119", "name": "[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbo", "shortDescription": {"text": "[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets."}, "fullDescription": {"text": "Use 0600 (owner rw only) for secrets, 0644 for general files, 0700 for directories with secrets. Java: `setReadable(true, true)` (owner-only)."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC034", "name": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines o", "shortDescription": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. 
Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (S"}, "fullDescription": {"text": "Strip control characters before logging:\n  safe = user_input.replace('\\n','').replace('\\r','').replace('\\x00','')\n  logger.info('User action: %s', safe)\nBetter: strip the whole control range, e.g. `re.sub(r'[\\x00-\\x1f\\x7f]', '', user_input)`, which also removes tabs and ANSI escape (`\\x1b`) sequences that terminal log viewers interpret. Always use parameterized logging (`%s` + args), never f-strings or string concat. Note that parameterization alone does NOT mitigate Log4Shell-style attacks: Log4j 2 evaluated JNDI lookups on the formatted message, parameter values included, so the fix there is an upgraded library with message lookups disabled. For structured logging, use a JSON formatter that escapes values."}, "properties": {"scanner": "repobility-threat-engine", "category": "log_injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "AIC006", "name": "Archive or legacy directory is mixed into the active repository root", "shortDescription": {"text": "Archive or legacy directory is mixed into the active repository root"}, "fullDescription": {"text": "Move archived code out of the active repository, mark it with .repobilityignore, or document exactly why it must stay and how scanners should treat it."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. 
Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `_validate_startup_requirements` has cognitive complexity 8 (SonarSource s", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `_validate_startup_requirements` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chain"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 8."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nAlso restrict the scheme to http/https, check the RESOLVED IP address rather than only the hostname (DNS rebinding), and disable or re-validate HTTP redirects, since a 3xx to an internal address bypasses a hostname-only allowlist.\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16, plus 127/8, 0/8, 100.64/10 and the IPv6 equivalents (::1, fc00::/7, fe80::/10, and IPv4-mapped ::ffff:0:0/96)."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED001] Bare Except Pass (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-705 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public re", "shortDescription": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. 
Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `espressif/idf:v5.4` unpinned: `container/services image: espressif/idf:v5.", "shortDescription": {"text": "[MINED126] Workflow container/services image `espressif/idf:v5.4` unpinned: `container/services image: espressif/idf:v5.4` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same sup"}, "fullDescription": {"text": "Replace with `espressif/idf:v5.4@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workfl", "shortDescription": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise ("}, "fullDescription": {"text": "Replace with: `uses: actions/setup-python@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "[MINED112] FastAPI POST /logout has no auth: Handler `logout` is registered with router/app.post(...) but no Depends/Sec", "shortDescription": {"text": "[MINED112] FastAPI POST /logout has no auth: Handler `logout` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "fullDescription": {"text": "Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED110", "name": "[MINED110] Blocking call `time.sleep` inside async function `run_test`: `time.sleep` is a synchronous (blocking) call. W", "shortDescription": {"text": "[MINED110] Blocking call `time.sleep` inside async function `run_test`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making "}, "fullDescription": {"text": "Use the async equivalent: `aiohttp` instead of `requests`, `asyncio.sleep` instead of `time.sleep`, `aiofiles` instead of `open`."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_execute_command_requires_connection: Test function `test_execute_command_requires", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_execute_command_requires_connection: Test function `test_execute_command_requires_connection` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line cove"}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.test_authentication_headers` used but never assigned in __init__: Method `run_all_tests` of class `Auth", "shortDescription": {"text": "[MINED108] `self.test_authentication_headers` used but never assigned in __init__: Method `run_all_tests` of class `AuthRateLimitTester` reads `self.test_authentication_headers`, but no assignment to it exists in __init__ (and no class-leve"}, "fullDescription": {"text": "Initialize `self.test_authentication_headers = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] 
Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC036", "name": "[SEC036] HTTP Header Injection / CRLF Injection: Setting an HTTP response header from user input without stripping CRLF ", "shortDescription": {"text": "[SEC036] HTTP Header Injection / CRLF Injection: Setting an HTTP response header from user input without stripping CRLF lets attackers inject extra headers (Set-Cookie, etc.) or split the response. 
Real CVEs: CVE-2017-15193 (Mahara), CVE-20"}, "fullDescription": {"text": "Strip `\\r\\n` before setting headers:\n  safe = value.replace('\\r','').replace('\\n','')\n  response.headers['X-Custom'] = safe\nMost modern frameworks (Django 3+, Express 4.10+) already do this \u2014 but custom header-setting code often doesn't. Prefer framework methods (`response.set_cookie`) over manual header dict assignment."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.SLACK_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_reques", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.SLACK_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_WEBHOOK_URL }` lets a PR exfiltrate the secret. Caveat: GitHub withholds repository secrets (other than GITHUB_TOKEN) from `pull_request` runs opened from forks, so the direct exposure is to PRs from same-repository branches and to any later change to a `pull_request_target` trigger, which does receive secrets while running PR-controlled code."}, "fullDescription": {"text": "Either remove the secret reference, or move the step that needs the secret into a `pull_request_target` or `workflow_run` workflow that never checks out, installs, or executes fork-controlled code (no `actions/checkout` of the PR head ref, no build/test of PR files) before or after the secret is consumed. `pull_request_target` runs with secrets and a write-capable GITHUB_TOKEN, so any PR-controlled code it executes can exfiltrate them."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. T", "shortDescription": {"text": "[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. 
This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import stat` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/609"}, "properties": {"repository": "cjrichardson3r-cmyk/bview", "repoUrl": "https://github.com/cjrichardson3r-cmyk/bview.git", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43640, "scanner": "repobility-ast-engine", "fingerprint": "ceec22e2144cac29a8da36aa34b6c126cefc1b90af572185ef58217d05b396b4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ceec22e2144cac29a8da36aa34b6c126cefc1b90af572185ef58217d05b396b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/scripts/test_websocket_streaming.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43636, "scanner": "repobility-ast-engine", "fingerprint": "a7c9652cd92a16b5150d06ce8b27d43cbc92cf3e67b287e6adb6fd12dd505073", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a7c9652cd92a16b5150d06ce8b27d43cbc92cf3e67b287e6adb6fd12dd505073"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/scripts/test_monitoring.py"}, "region": {"startLine": 293}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43635, "scanner": "repobility-ast-engine", "fingerprint": "4c5e8bf1ecea1f637769e495e248af360aae5fada25d07e83fbca45b7442723a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4c5e8bf1ecea1f637769e495e248af360aae5fada25d07e83fbca45b7442723a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/scripts/test_monitoring.py"}, "region": {"startLine": 244}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43634, "scanner": "repobility-ast-engine", "fingerprint": "fa062d68838d758816c41338c755dd2787db3ee6093f8a73875c1e395111eb32", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fa062d68838d758816c41338c755dd2787db3ee6093f8a73875c1e395111eb32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/scripts/test_monitoring.py"}, "region": {"startLine": 197}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43633, "scanner": "repobility-ast-engine", "fingerprint": "112003ee5bc4bc22ea056da03b186ba88c2e41e5622636023f1565f9a6cce794", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|112003ee5bc4bc22ea056da03b186ba88c2e41e5622636023f1565f9a6cce794"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/scripts/test_monitoring.py"}, "region": {"startLine": 163}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43632, "scanner": "repobility-ast-engine", "fingerprint": "8893b9f8c3455a78aa97bb40214193f309a2de6366fc1a035ae6886f4005f9b9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8893b9f8c3455a78aa97bb40214193f309a2de6366fc1a035ae6886f4005f9b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/scripts/test_monitoring.py"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43631, "scanner": "repobility-ast-engine", "fingerprint": "fd2e6e6cc1c505677dfaaf5af0c80963c4c2d89052c3ce64a7def52b22e8dd84", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fd2e6e6cc1c505677dfaaf5af0c80963c4c2d89052c3ce64a7def52b22e8dd84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/scripts/test_monitoring.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43630, "scanner": "repobility-ast-engine", "fingerprint": "2953af1dbf7117e26e9f5e5f808824839bb4e9c49e606453d7a18e866abb2443", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2953af1dbf7117e26e9f5e5f808824839bb4e9c49e606453d7a18e866abb2443"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/scripts/test_monitoring.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43628, "scanner": "repobility-ast-engine", "fingerprint": "c21586666e2a7122dda6465ce52495564d27fdbc2628bcb818d664135e193713", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c21586666e2a7122dda6465ce52495564d27fdbc2628bcb818d664135e193713"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/scripts/test_api_endpoints.py"}, "region": {"startLine": 359}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43625, "scanner": "repobility-ast-engine", "fingerprint": "803e7c0e48ef7470397a7f798727086e82f6c106fe1c3fc2162865fd5155ea95", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|803e7c0e48ef7470397a7f798727086e82f6c106fe1c3fc2162865fd5155ea95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/cli.py"}, "region": {"startLine": 489}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43624, "scanner": "repobility-ast-engine", "fingerprint": "fa591199d06835bc30345a23be8f805e1e0a6e4c1625342f0d03ea08f264891b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fa591199d06835bc30345a23be8f805e1e0a6e4c1625342f0d03ea08f264891b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/cli.py"}, "region": {"startLine": 466}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43623, "scanner": "repobility-ast-engine", "fingerprint": "79fca70d542b125d0eb27a2ab4ff0cf6c083b99e3c9f948db42ef81e626de2f7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|79fca70d542b125d0eb27a2ab4ff0cf6c083b99e3c9f948db42ef81e626de2f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/cli.py"}, "region": {"startLine": 453}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43622, "scanner": "repobility-ast-engine", "fingerprint": "d7853154c4d07278b117923cbccfe71a9e9157b52c7d90a40b329a698fae9976", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d7853154c4d07278b117923cbccfe71a9e9157b52c7d90a40b329a698fae9976"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/config.py"}, "region": {"startLine": 257}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43621, "scanner": "repobility-ast-engine", "fingerprint": "0b3726af23aed117427d63db1abc3baf78bc684e02c61ce2feedc2dbe3158e6a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0b3726af23aed117427d63db1abc3baf78bc684e02c61ce2feedc2dbe3158e6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/config.py"}, "region": {"startLine": 249}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43620, "scanner": "repobility-ast-engine", "fingerprint": "8c5d636781d2558b4263cd6e38b8a0820df88710c5eb45a6d572b9e237991371", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8c5d636781d2558b4263cd6e38b8a0820df88710c5eb45a6d572b9e237991371"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/config.py"}, "region": {"startLine": 241}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43619, "scanner": "repobility-ast-engine", "fingerprint": "b5e5e86019e639261c44b1e0a9ab0be3cc560aaee75094c8495aee1b08eb2d81", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b5e5e86019e639261c44b1e0a9ab0be3cc560aaee75094c8495aee1b08eb2d81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/config.py"}, "region": {"startLine": 232}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43618, "scanner": "repobility-ast-engine", "fingerprint": "e6481515e02ea3a67a483d74573f5f3a63f0e058981858ecd23a1c86f0a549d3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e6481515e02ea3a67a483d74573f5f3a63f0e058981858ecd23a1c86f0a549d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/config.py"}, "region": {"startLine": 260}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43617, "scanner": "repobility-ast-engine", "fingerprint": "20f8792d4528567356b0a53b790d13d56c461dbeecec7e2ad68ab7dd7c18acc9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|20f8792d4528567356b0a53b790d13d56c461dbeecec7e2ad68ab7dd7c18acc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_application.py"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43616, "scanner": "repobility-ast-engine", "fingerprint": "4174758f2216a0166fd0b75ce2e0a0c180817e7e6e60c9cee8075e6455135746", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4174758f2216a0166fd0b75ce2e0a0c180817e7e6e60c9cee8075e6455135746"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_application.py"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43609, "scanner": "repobility-ast-engine", "fingerprint": "6fe6ec8d065b7baead5f92a12e0708006cf9c1436fc0313d2a88eac13c3a9764", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6fe6ec8d065b7baead5f92a12e0708006cf9c1436fc0313d2a88eac13c3a9764"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 228}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43577, "scanner": "repobility-ast-engine", "fingerprint": "9b5cca122b9ac0c6612614472036a02cf0bbb6807c2c2c4ddbd95abbb6ec58f7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9b5cca122b9ac0c6612614472036a02cf0bbb6807c2c2c4ddbd95abbb6ec58f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ruview_live.py"}, "region": {"startLine": 578}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43576, "scanner": "repobility-ast-engine", "fingerprint": "fd60e70d5fc18223c6b3359821f03ca4faa15cbeb3b91866e5896de201171fa0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fd60e70d5fc18223c6b3359821f03ca4faa15cbeb3b91866e5896de201171fa0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ruview_live.py"}, "region": {"startLine": 543}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43575, "scanner": "repobility-ast-engine", "fingerprint": "f75e1c6589aae01e55b225280aa05da2481aea45ef7e76df3665e5c337926790", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f75e1c6589aae01e55b225280aa05da2481aea45ef7e76df3665e5c337926790"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ruview_live.py"}, "region": {"startLine": 362}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43574, "scanner": "repobility-ast-engine", "fingerprint": "4e39a3078a4cb8f69ea85bd86546e3c9283c4895748cfa0a211ca4ea16e9b4c4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4e39a3078a4cb8f69ea85bd86546e3c9283c4895748cfa0a211ca4ea16e9b4c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ruview_live.py"}, "region": {"startLine": 572}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 43573, "scanner": "repobility-ast-engine", "fingerprint": "8126820098864447a362cd00e94238b3e12ca9d219f8b88443a267ea29a23472", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8126820098864447a362cd00e94238b3e12ca9d219f8b88443a267ea29a23472"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ruview_live.py"}, "region": {"startLine": 536}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 43570, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", 
"category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 43569, "scanner": "repobility-journey-contract", "fingerprint": "7cd85dc108904c3337302171e4337fd16c34ce41e03b6a6b38aa481c7f14aa10", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/config", "correlation_key": "fp|7cd85dc108904c3337302171e4337fd16c34ce41e03b6a6b38aa481c7f14aa10", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/pages/Settings.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 43568, "scanner": "repobility-journey-contract", "fingerprint": "b4cf0356b507f24a4c39373a543cc0984c959b1531e4681449106830fdd501d8", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", 
"isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/services", "correlation_key": "fp|b4cf0356b507f24a4c39373a543cc0984c959b1531e4681449106830fdd501d8", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/pages/Services.ts"}, "region": {"startLine": 125}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 43567, "scanner": "repobility-journey-contract", "fingerprint": "3673aa9c97d50e533c547097416c3e0596ef41c109b1c0a03c32e8edd43deb00", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/services/{param}/{param}", "correlation_key": "fp|3673aa9c97d50e533c547097416c3e0596ef41c109b1c0a03c32e8edd43deb00", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/client.ts"}, "region": {"startLine": 90}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 43566, "scanner": "repobility-journey-contract", "fingerprint": "6e0a4cd78110a750967af3cd5dde9f97d6cd6e5824cc9044d79b32547d2936b6", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": 
"Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/services", "correlation_key": "fp|6e0a4cd78110a750967af3cd5dde9f97d6cd6e5824cc9044d79b32547d2936b6", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/client.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 43565, "scanner": "repobility-journey-contract", "fingerprint": "884990dae58b8f73d79c60a48249d66531541381113acb2fa6e03be4e5f3fc23", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/states", "correlation_key": "fp|884990dae58b8f73d79c60a48249d66531541381113acb2fa6e03be4e5f3fc23", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/client.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 43564, "scanner": "repobility-journey-contract", "fingerprint": "ea20a7d52e6c6a8253be5fdc539287be7a2400532cc46cde732b6107ec4f8973", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no 
discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/config", "correlation_key": "fp|ea20a7d52e6c6a8253be5fdc539287be7a2400532cc46cde732b6107ec4f8973", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/client.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 43563, "scanner": "repobility-journey-contract", "fingerprint": "2f9fbb1fb9e74076ddd24c28b255e724732d176f67abd4f2ef0755bfb7c0d261", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/witness/verify", "correlation_key": "fp|2f9fbb1fb9e74076ddd24c28b255e724732d176f67abd4f2ef0755bfb7c0d261", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/WsClient.ts"}, "region": {"startLine": 183}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 43562, "scanner": "repobility-journey-contract", "fingerprint": "c457993e27d4a5a4f9e2bc436e460cceaab7570fc46bd6fdbd5c0ecc6d494364", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route 
shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/witness/generate", "correlation_key": "fp|c457993e27d4a5a4f9e2bc436e460cceaab7570fc46bd6fdbd5c0ecc6d494364", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/WsClient.ts"}, "region": {"startLine": 172}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 43561, "scanner": "repobility-journey-contract", "fingerprint": "c89b214104692959f1339a78097fcd13d8a09720f9d70ebbf2cce592a76295a3", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/step", "correlation_key": "fp|c89b214104692959f1339a78097fcd13d8a09720f9d70ebbf2cce592a76295a3", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/WsClient.ts"}, "region": {"startLine": 165}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 43560, "scanner": "repobility-journey-contract", "fingerprint": "725e7573f8ae14abfa3bfd84175ba41b50c6800de105f942f5148510a839c635", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": 
"JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/pause", "correlation_key": "fp|725e7573f8ae14abfa3bfd84175ba41b50c6800de105f942f5148510a839c635", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/WsClient.ts"}, "region": {"startLine": 158}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 43559, "scanner": "repobility-journey-contract", "fingerprint": "5e3cb5cf99fa3f890e7539d238907e598625ad10ab9d1246c8fbc97a7104bc8d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/run", "correlation_key": "fp|5e3cb5cf99fa3f890e7539d238907e598625ad10ab9d1246c8fbc97a7104bc8d", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/WsClient.ts"}, "region": {"startLine": 151}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 43558, "scanner": "repobility-journey-contract", "fingerprint": "f8079123fb6ec824b6300d44d027b63e6f193aa50f044b9d5abded75b62942e5", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": 
"repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/reset", "correlation_key": "fp|f8079123fb6ec824b6300d44d027b63e6f193aa50f044b9d5abded75b62942e5", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/WsClient.ts"}, "region": {"startLine": 145}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 43557, "scanner": "repobility-journey-contract", "fingerprint": "f4450800c5162db902f45fe5a143f08675a8d19f39679d1b02fb10c00cf05b34", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/seed", "correlation_key": "fp|f4450800c5162db902f45fe5a143f08675a8d19f39679d1b02fb10c00cf05b34", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/WsClient.ts"}, "region": {"startLine": 139}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 43556, "scanner": "repobility-journey-contract", "fingerprint": "837d94548ed6081545e53fb05ebb2617c0410e94e094bc8f48fe56dd0b99aca4", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": 
["https://repobility.com/library/authorization/"], "route_shape": "/api/config", "correlation_key": "fp|837d94548ed6081545e53fb05ebb2617c0410e94e094bc8f48fe56dd0b99aca4", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/WsClient.ts"}, "region": {"startLine": 136}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 43555, "scanner": "repobility-journey-contract", "fingerprint": "d156e7a281fc9742bd2f0159b8ca6bec707f4c738d4f0ed960473061ab54e204", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/scene", "correlation_key": "fp|d156e7a281fc9742bd2f0159b8ca6bec707f4c738d4f0ed960473061ab54e204", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/WsClient.ts"}, "region": {"startLine": 133}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 43554, "scanner": "repobility-journey-contract", "fingerprint": "85cfae36b18b07e4dd475c6239865f3da7bd8a02687fb08b0a4d4011c8f334dc", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": 
"code|auth|token|14|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/pages/States.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 43553, "scanner": "repobility-journey-contract", "fingerprint": "dd4380728ecb070c78ac8f104099f0a09d76c368bc4751ab35c510d54d1611ed", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|140|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/pages/Settings.ts"}, "region": {"startLine": 140}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 43552, "scanner": "repobility-journey-contract", "fingerprint": "51bc205b1cab6d01d57ba2b8c0978b7e27e14595a9a71f55050f1af54d4575a2", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|23|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/pages/Settings.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 43551, 
"scanner": "repobility-journey-contract", "fingerprint": "35b2c134a4b592cbf166341ae6fd02718df62c4a8e8efb1dc74eedee9891450d", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|15|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/pages/Services.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 43550, "scanner": "repobility-journey-contract", "fingerprint": "a61177ac8c9bbe6f5ecfe9ecf751bf8caf12defc91ac09df7bccf441ffc43665", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|22|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/pages/Dashboard.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "AUC012", "level": "warning", "message": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. 
Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"repobilityId": 43549, "scanner": "repobility-access-control", "fingerprint": "27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899", "category": "auth", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"apps": [{"line": 65, "file_path": "archive/v1/src/app.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 34, "file_path": "archive/v1/tests/integration/test_api_endpoints.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 243, "file_path": "archive/v1/tests/integration/test_api_endpoints.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 274, "file_path": "archive/v1/tests/integration/test_api_endpoints.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 308, "file_path": "archive/v1/tests/integration/test_api_endpoints.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}], "scanner": "repobility-access-control", "correlation_key": "fp|27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899"}}}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: DELETE /clients/{client_id}."}, "properties": {"repobilityId": 43548, "scanner": "repobility-access-control", "fingerprint": "a4eeb2b88afab87ecda98d7e8a62b86f8570acdcf5e2ef8a2476d616efc72f44", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/clients/{client_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|436|auc009", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/api/routers/stream.py"}, "region": {"startLine": 436}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /{settings.api_prefix}/dev/reset."}, "properties": {"repobilityId": 43547, "scanner": "repobility-access-control", "fingerprint": "9c121c5b1c59d5e5bc9fa8cd87b82f94cd1d658c22ddfc7a602495c298dfadac", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{settings.api_prefix}/dev/reset", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|archive/v1/src/api/main.py|405|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/api/main.py"}, "region": {"startLine": 405}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /{settings.api_prefix}/dev/config."}, "properties": {"repobilityId": 43546, "scanner": "repobility-access-control", "fingerprint": "0b53babfee9a0a858861e6b606da5942ecf0074107ba8c7b82a553bce0445845", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{settings.api_prefix}/dev/config", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|archive/v1/src/api/main.py|387|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/api/main.py"}, "region": {"startLine": 387}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /{settings.api_prefix}/metrics."}, "properties": {"repobilityId": 43545, "scanner": "repobility-access-control", "fingerprint": "9ce60f1ff5effb41f0753a52bab807202c5fc5221ce59cfe07354d8d61e90335", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{settings.api_prefix}/metrics", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|archive/v1/src/api/main.py|366|auc004", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/api/main.py"}, "region": {"startLine": 366}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /{settings.api_prefix}/status."}, "properties": {"repobilityId": 43544, "scanner": "repobility-access-control", "fingerprint": "6dc410b7fa22bffdeb998c53112dad9351ce41261667f4fd7bf0db9f7bea7a2d", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{settings.api_prefix}/status", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|archive/v1/src/api/main.py|326|auc004", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/api/main.py"}, "region": {"startLine": 326}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /{settings.api_prefix}/info."}, "properties": {"repobilityId": 43543, "scanner": "repobility-access-control", "fingerprint": "00b1cd616674f0e2f7533ae1032be8728872da1b3d670d2bf29e05626a46fa1e", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{settings.api_prefix}/info", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|archive/v1/src/api/main.py|293|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/api/main.py"}, "region": {"startLine": 293}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /{settings.api_prefix}/dev/reset."}, "properties": {"repobilityId": 43542, "scanner": "repobility-access-control", "fingerprint": "3d76e87bead2ddf8571e074c22629fe29dff4ed906f8ccb1ee46c05fad825d38", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{settings.api_prefix}/dev/reset", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|archive/v1/src/app.py|312|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/app.py"}, "region": {"startLine": 312}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /{settings.api_prefix}/dev/config."}, "properties": {"repobilityId": 43541, "scanner": "repobility-access-control", "fingerprint": "f8f0d33406fc560275524677c91e0cbd055032a1d2f29aca282a4818f607002e", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{settings.api_prefix}/dev/config", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|archive/v1/src/app.py|293|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/app.py"}, "region": {"startLine": 293}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /{settings.api_prefix}/metrics."}, "properties": {"repobilityId": 43540, "scanner": "repobility-access-control", "fingerprint": "fe157da9d9026f20b50dfbe2b3fead839b7211333da461d3e660bf8ab73f81cb", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{settings.api_prefix}/metrics", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|archive/v1/src/app.py|274|auc004", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/app.py"}, "region": {"startLine": 274}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /{settings.api_prefix}/status."}, "properties": {"repobilityId": 43539, "scanner": "repobility-access-control", "fingerprint": "e275d4e5a43dace2412ef58be4f9dfdb45901c3b2ca7eed63a157cc9bdf424b6", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{settings.api_prefix}/status", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|archive/v1/src/app.py|245|auc004", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/app.py"}, "region": {"startLine": 245}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /{settings.api_prefix}/info."}, "properties": {"repobilityId": 43538, "scanner": "repobility-access-control", "fingerprint": "626f7b3ab1af07453f2604c26928a3b0fd5cdea0df7b0f0f34ef7f0414619fdd", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{settings.api_prefix}/info", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|archive/v1/src/app.py|219|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/app.py"}, "region": {"startLine": 219}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 43537, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["FastAPI"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 43536, "scanner": "repobility-agent-runtime", "fingerprint": 
"e9bcc70fb5bcf4419f78d539d015c58ea52ce75978a9f532697d0302383317aa", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|e9bcc70fb5bcf4419f78d539d015c58ea52ce75978a9f532697d0302383317aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/three.js/server/ruvultra-csi-bridge.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 43535, "scanner": "repobility-agent-runtime", "fingerprint": "d8efddefff2a8994de9f57dcda37df2a76e798fd02e94cb5e2cc441adf6f3ce6", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d8efddefff2a8994de9f57dcda37df2a76e798fd02e94cb5e2cc441adf6f3ce6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/sensing/ws_server.py"}, "region": {"startLine": 2}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 43534, "scanner": "repobility-agent-runtime", "fingerprint": "824e5501d85c35a3ccb2c63c775d825e027604863edd7c7f2c0a3e792b6410e1", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a 
remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|824e5501d85c35a3ccb2c63c775d825e027604863edd7c7f2c0a3e792b6410e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pip-release.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 43533, "scanner": "repobility-agent-runtime", "fingerprint": "9e27be744f4dc861749b9f61a4ca1cee2512ad036ade9052cab254a943637d7d", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|9e27be744f4dc861749b9f61a4ca1cee2512ad036ade9052cab254a943637d7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dashboard-pages.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 43532, "scanner": "repobility-agent-runtime", "fingerprint": "4ddbd3c06dbdda5c7207446092d9175046415a28b352db32d3f773019dce5f59", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": 
"fp|4ddbd3c06dbdda5c7207446092d9175046415a28b352db32d3f773019dce5f59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dashboard-a11y.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 43528, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 43521, "scanner": "repobility-threat-engine", "fingerprint": "fde79e3fa0504e6ec05161844c572043006d5858496dca679131dd3a234cbbe3", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|119|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/components/nv-console.ts"}, "region": {"startLine": 119}}}]}, {"ruleId": "SEC119", "level": "warning", "message": {"text": "[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets."}, "properties": {"repobilityId": 43499, "scanner": "repobility-threat-engine", "fingerprint": "cf28c6d25f7c2efd8f93756303974c7c9e51ff22429739921c9abd452b0241fb", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.umask(0)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC119", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|293|sec119"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/commands/start.py"}, "region": {"startLine": 293}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. 
Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 43491, "scanner": "repobility-threat-engine", "fingerprint": "f41756ee9cf019cd2442c3a107aa2dc2940cb3a3d8eedbf701ab41fdb46f16b7", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.debug(f\"Calling {func.__name__} with args={args", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f41756ee9cf019cd2442c3a107aa2dc2940cb3a3d8eedbf701ab41fdb46f16b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/logger.py"}, "region": {"startLine": 265}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). 
CWE-117."}, "properties": {"repobilityId": 43490, "scanner": "repobility-threat-engine", "fingerprint": "028e0dc0152942864313b08da90470d330115023c5f24867d57c2015b2ea226e", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.error(f\"Unhandled exception on {req", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|028e0dc0152942864313b08da90470d330115023c5f24867d57c2015b2ea226e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/app.py"}, "region": {"startLine": 160}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). 
CWE-117."}, "properties": {"repobilityId": 43489, "scanner": "repobility-threat-engine", "fingerprint": "8cd045a6d6cefcdcb81c0a3faf0389753c23034d7511605a99c8d93ce3d05af2", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.debug(f\"Authenticated user: {user", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8cd045a6d6cefcdcb81c0a3faf0389753c23034d7511605a99c8d93ce3d05af2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/api/middleware/auth.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 43531, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b9c7e73fbdad05e0d3489f92220f1106ffae4523114b35ab9217f2b3d50adf8a", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|b9c7e73fbdad05e0d3489f92220f1106ffae4523114b35ab9217f2b3d50adf8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "firmware/esp32-csi-node/main/ota_update.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 43530, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a1baefc3044aa0ee99288a9d3947e7a3df5b40e17510461a03f8d14a52872a89", "category": "quality", "severity": "low", "confidence": 
0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|a1baefc3044aa0ee99288a9d3947e7a3df5b40e17510461a03f8d14a52872a89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "firmware/esp32-csi-node/main/ota_update.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC006", "level": "note", "message": {"text": "Archive or legacy directory is mixed into the active repository root"}, "properties": {"repobilityId": 43529, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0a7d2f4e50dd6f0a3ca0adfbcb9cb1f442d6b4ebfb1b14f4466301798c4f394e", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains an archive/legacy directory name.", "evidence": {"rule_id": "AIC006", "scanner": "repobility-ai-code-hygiene", "directory": "archive", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|0a7d2f4e50dd6f0a3ca0adfbcb9cb1f442d6b4ebfb1b14f4466301798c4f394e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 43516, "scanner": "repobility-threat-engine", "fingerprint": "6d526919b26f01b64a5dbca08b49d65505cbdc23c76717aa58128afc62ff8f34", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML=$", "reason": "No user-input source (request/query/fetch/URL) found 
\u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|150|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/StateCard.ts"}, "region": {"startLine": 150}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 43515, "scanner": "repobility-threat-engine", "fingerprint": "7f6495f0052f9346db96a4b3e62475c57f068073ac197a25b678db902b80875f", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML=$", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|140|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/components/nv-modal.ts"}, "region": {"startLine": 140}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 43514, "scanner": "repobility-threat-engine", "fingerprint": "734e440f32cf0048cbfb9ff390ed802656466561d2f7559e316a4a2a3aed3ece", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML=$", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": 
"code|injection|token|254|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/components/nv-console.ts"}, "region": {"startLine": 254}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `_validate_startup_requirements` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=1, except=2, for=1, if=2, nested_bonus=2."}, "properties": {"repobilityId": 43495, "scanner": "repobility-threat-engine", "fingerprint": "5fc9416ef1d509d4b913fbeb9e57b7213da14cabfb87ff430a874e5dcd3b3c14", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_validate_startup_requirements", "breakdown": {"if": 2, "for": 1, "else": 1, "except": 2, "nested_bonus": 2}, "complexity": 8, "correlation_key": "fp|5fc9416ef1d509d4b913fbeb9e57b7213da14cabfb87ff430a874e5dcd3b3c14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/commands/start.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `start_command` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=1, except=2, if=4, ternary=2."}, "properties": {"repobilityId": 43494, "scanner": "repobility-threat-engine", "fingerprint": "8ad123ad23458b739ddae0e7722a7edb25b0e1bee54000c2e89f724609cbb458", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "start_command", "breakdown": {"if": 4, "else": 1, "except": 2, "ternary": 2}, "complexity": 9, "correlation_key": "fp|8ad123ad23458b739ddae0e7722a7edb25b0e1bee54000c2e89f724609cbb458"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/commands/start.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `dispatch` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=2, except=1, if=5, nested_bonus=4."}, "properties": {"repobilityId": 43493, "scanner": "repobility-threat-engine", "fingerprint": "d649750ca32156ac22cc7f9d4d1443dd51a281fda18e4a283b23f2f52555d844", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 12 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "dispatch", "breakdown": {"if": 5, "else": 2, "except": 1, "nested_bonus": 4}, "complexity": 12, "correlation_key": "fp|d649750ca32156ac22cc7f9d4d1443dd51a281fda18e4a283b23f2f52555d844"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/api/middleware/auth.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 43527, "scanner": "repobility-threat-engine", "fingerprint": "352b698eef45141f03c8b604d3dad67659484d7bfef3e9df2d759f3acba74676", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|352b698eef45141f03c8b604d3dad67659484d7bfef3e9df2d759f3acba74676"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/src/bindings/bfld.rs"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs 
npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 43526, "scanner": "repobility-threat-engine", "fingerprint": "690a363270395de3e3eefc64833267086e6a5b400182b856968a11eeaab51d2f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|690a363270395de3e3eefc64833267086e6a5b400182b856968a11eeaab51d2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/ruview-meta/src/ruview/__init__.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 43524, "scanner": "repobility-threat-engine", "fingerprint": "ce0e2920f6d60379ce18938728acd28a8f93eb346a87d2461756326510e706c2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ce0e2920f6d60379ce18938728acd28a8f93eb346a87d2461756326510e706c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/worker.ts"}, "region": {"startLine": 194}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 43523, "scanner": "repobility-threat-engine", "fingerprint": "ca79493743e37e4ea859900f2890aaf869e3e402916390135d36475c35eb3bb4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ca79493743e37e4ea859900f2890aaf869e3e402916390135d36475c35eb3bb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/WsClient.ts"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 43522, "scanner": "repobility-threat-engine", "fingerprint": "cf1ee7824543b597081de16bbcbdec8209c9d3d5e82dc6b21505bb2776dd86a4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cf1ee7824543b597081de16bbcbdec8209c9d3d5e82dc6b21505bb2776dd86a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/components/nv-debug-hud.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 43520, "scanner": "repobility-threat-engine", "fingerprint": "649d6d6fcdf017ef6b135647f3ec984864db51b5f2d71e3a11ae83a90e69859a", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|649d6d6fcdf017ef6b135647f3ec984864db51b5f2d71e3a11ae83a90e69859a"}}}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 43513, "scanner": "repobility-threat-engine", "fingerprint": "4d8de28fa7f0d17d847d62df426366f7b28e8fe2e773f09e62c5be2307bbf24a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4d8de28fa7f0d17d847d62df426366f7b28e8fe2e773f09e62c5be2307bbf24a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/sensing/feature_extractor.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 43512, "scanner": "repobility-threat-engine", "fingerprint": "1ea6643adc1de4bf3844b226b8d8d5e730260cbb37aaeb28b5415ee96fd54520", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": 
"2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1ea6643adc1de4bf3844b226b8d8d5e730260cbb37aaeb28b5415ee96fd54520"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/sensing/classifier.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED001", "level": "none", "message": {"text": "[MINED001] Bare Except Pass (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 43511, "scanner": "repobility-threat-engine", "fingerprint": "bd632c4ade7e75e1a901d5e2da5e3e85b36e57e91ccdfbe5098de1738a5edc96", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|bd632c4ade7e75e1a901d5e2da5e3e85b36e57e91ccdfbe5098de1738a5edc96", "aggregated_count": 3}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 43507, "scanner": "repobility-threat-engine", "fingerprint": "1698e3912b6d9dd861cdbd90388c4b765deec1d8e7ad7de6be18e4190ac332f6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1698e3912b6d9dd861cdbd90388c4b765deec1d8e7ad7de6be18e4190ac332f6", "aggregated_count": 9}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 43506, "scanner": "repobility-threat-engine", "fingerprint": "a84a1368a4e466630a32ce1c88d2e34e4ac55cd4c178b1fc8438ff793c9a8d6c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a84a1368a4e466630a32ce1c88d2e34e4ac55cd4c178b1fc8438ff793c9a8d6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/main.py"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 43505, "scanner": "repobility-threat-engine", "fingerprint": "1a076999ac33688677227cb1ee612048c5335801ae20a3b52ce03d2e0f9b4e29", "category": "quality", "severity": 
"info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1a076999ac33688677227cb1ee612048c5335801ae20a3b52ce03d2e0f9b4e29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/logger.py"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 43504, "scanner": "repobility-threat-engine", "fingerprint": "fdab0fc6b485fc99596d8a55c61963f50bebac533e09e939fae9ca8545be7d12", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fdab0fc6b485fc99596d8a55c61963f50bebac533e09e939fae9ca8545be7d12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/hardware/router_interface.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED006", "level": "none", "message": {"text": "[MINED006] Overcatch Baseexception (and 5 more): Same pattern found in 5 additional files. 
Review if needed."}, "properties": {"repobilityId": 43503, "scanner": "repobility-threat-engine", "fingerprint": "15ac530bdb50595d50b23f1a74f70ffeb0f4ce71d3d01f926d92c1695b696c35", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|15ac530bdb50595d50b23f1a74f70ffeb0f4ce71d3d01f926d92c1695b696c35", "aggregated_count": 5}}}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. 
Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 43498, "scanner": "repobility-threat-engine", "fingerprint": "138a21985a34e76ea0b8041b5d6c9e13257f129e4477cdc3b7360c736d8e2056", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|138a21985a34e76ea0b8041b5d6c9e13257f129e4477cdc3b7360c736d8e2056"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/app.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 34 more): Same pattern found in 34 additional files. Review if needed."}, "properties": {"repobilityId": 43496, "scanner": "repobility-threat-engine", "fingerprint": "f32658a5bd3d365389dc9d8dcea6e6d2e8635eb72198c95a3e3592aeed9da33b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 34 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "dispatch", "breakdown": {"if": 5, "else": 2, "except": 1, "nested_bonus": 4}, "aggregated": true, "complexity": 12, "correlation_key": "fp|f32658a5bd3d365389dc9d8dcea6e6d2e8635eb72198c95a3e3592aeed9da33b", "aggregated_count": 34}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 43488, "scanner": "repobility-threat-engine", "fingerprint": "13934ea3f04df14cabd63ed1771b26b06204207e115f54db6d15a56f2861ce6e", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.info(\"Token blacklisted via /auth/logout\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|2|logger.info token blacklisted via /auth/logout"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/api/routers/auth.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 43487, "scanner": "repobility-threat-engine", "fingerprint": "48b75e863e22144322ba90160abad6a70b9d99d76c4f95284731be48fa9f5196", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.warning(f\"Token validation failed: {e}\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|6|logger.warning f token validation failed: e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/api/middleware/auth.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 43485, "scanner": "repobility-threat-engine", "fingerprint": "f5f0ee0407b51d0ac20b895b10fb0fb2d25d496c71c3de2200e03e778c4fe3f2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f5f0ee0407b51d0ac20b895b10fb0fb2d25d496c71c3de2200e03e778c4fe3f2", "aggregated_count": 2}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 43484, "scanner": "repobility-threat-engine", "fingerprint": "b7fed93d8c04ab1ae05d1801cd9654df72a6cf420e002d7bf486de81187b40f9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b7fed93d8c04ab1ae05d1801cd9654df72a6cf420e002d7bf486de81187b40f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/helpers/router.js"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 43483, "scanner": "repobility-threat-engine", "fingerprint": "097dcabce89e5ae13acdfeee6bd37558f367e4d18dd47a28cecc16f281cb927e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|097dcabce89e5ae13acdfeee6bd37558f367e4d18dd47a28cecc16f281cb927e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/helpers/memory.js"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 43482, "scanner": "repobility-threat-engine", "fingerprint": "64cd835a3124be5d5ca15a7f127de68367fc8f32a3b0575e7011a5f1a1ff547e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|64cd835a3124be5d5ca15a7f127de68367fc8f32a3b0575e7011a5f1a1ff547e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/helpers/github-safe.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `espressif/idf:v5.4` unpinned: `container/services image: espressif/idf:v5.4` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 43689, "scanner": "repobility-supply-chain", "fingerprint": "a14a5241a05f0584a0fa9c0be54944692d9f155636f71b8c1fe7b58845cfeeb4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a14a5241a05f0584a0fa9c0be54944692d9f155636f71b8c1fe7b58845cfeeb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/firmware-qemu.yml"}, "region": {"startLine": 316}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `espressif/idf:v5.4` unpinned: `container/services image: espressif/idf:v5.4` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 43688, "scanner": "repobility-supply-chain", "fingerprint": "649f74e1be558f51945f992e8166874f999fdedac00d06cde743fc5eff7a6294", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|649f74e1be558f51945f992e8166874f999fdedac00d06cde743fc5eff7a6294"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/firmware-qemu.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `espressif/idf:v5.4` unpinned: `container/services image: espressif/idf:v5.4` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 43687, "scanner": "repobility-supply-chain", "fingerprint": "7685928f2d6f140beff110cc883414a0679b639ee8994d4abcae2a8adeed6a68", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7685928f2d6f140beff110cc883414a0679b639ee8994d4abcae2a8adeed6a68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/firmware-ci.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `redis:7` unpinned: `container/services image: redis:7` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 43686, "scanner": "repobility-supply-chain", "fingerprint": "7407dfb17fb9650adc2e9432b878a9ff80331fa1079bea17ed9e4c875eb55421", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7407dfb17fb9650adc2e9432b878a9ff80331fa1079bea17ed9e4c875eb55421"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `postgres:15` unpinned: `container/services image: postgres:15` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 43685, "scanner": "repobility-supply-chain", "fingerprint": "38c2d4a0ed4257f90250af9401ed1621c7def3ce83fa0e4717557b4eab657c36", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|38c2d4a0ed4257f90250af9401ed1621c7def3ce83fa0e4717557b4eab657c36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `eclipse-mosquitto:2` unpinned: `container/services image: eclipse-mosquitto:2` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 43683, "scanner": "repobility-supply-chain", "fingerprint": "187f43b2dc0b96502f45e09ac7806348877be8249d5fcd8a014e8cc418a7180d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|187f43b2dc0b96502f45e09ac7806348877be8249d5fcd8a014e8cc418a7180d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bfld-mqtt-integration.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `wifi-densepose:scan` unpinned: `container/services image: wifi-densepose:scan` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 43682, "scanner": "repobility-supply-chain", "fingerprint": "3859e65c0c78f5157a5a23874fb862d640baf8d286940d08790cacca84fccb11", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3859e65c0c78f5157a5a23874fb862d640baf8d286940d08790cacca84fccb11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 222}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `wifi-densepose:scan` unpinned: `container/services image: wifi-densepose:scan` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 43681, "scanner": "repobility-supply-chain", "fingerprint": "a8ea7dea7b4ce1d3b33868ab1ccd346a6a4bfde4ef7a22f937af32ec968401f7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a8ea7dea7b4ce1d3b33868ab1ccd346a6a4bfde4ef7a22f937af32ec968401f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 203}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43676, "scanner": "repobility-supply-chain", "fingerprint": "14fa5ee98badac4af0ef561d3f80cbb1977e8bc97422f0fd13f0698901cec1f2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|14fa5ee98badac4af0ef561d3f80cbb1977e8bc97422f0fd13f0698901cec1f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 346}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43675, "scanner": "repobility-supply-chain", "fingerprint": "47c29e5edfbf803e2df623516cd7df3de4d8d17ee7652b02f782f93ea4bb70fa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|47c29e5edfbf803e2df623516cd7df3de4d8d17ee7652b02f782f93ea4bb70fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 342}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gitleaks/gitleaks-action` pinned to mutable ref `@v2`: `uses: gitleaks/gitleaks-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43674, "scanner": "repobility-supply-chain", "fingerprint": "496badcd284ab796246147b7262c195b0ca1d3e3f76b9497795ebf1230129bdd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|496badcd284ab796246147b7262c195b0ca1d3e3f76b9497795ebf1230129bdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 322}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43673, "scanner": "repobility-supply-chain", "fingerprint": "954a2024ae6260d1d7e32fc58d6ef945430bf51d868bd82b6cb8c99303ef5bc6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|954a2024ae6260d1d7e32fc58d6ef945430bf51d868bd82b6cb8c99303ef5bc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 307}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/upload-sarif` pinned to mutable ref `@v3`: `uses: github/codeql-action/upload-sarif@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43672, "scanner": "repobility-supply-chain", "fingerprint": "0bc608578cc17172f2f84e2a5b95374f2d4dda201955a80e2b92630ba32527dc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0bc608578cc17172f2f84e2a5b95374f2d4dda201955a80e2b92630ba32527dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 289}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/upload-sarif` pinned to mutable ref `@v3`: `uses: github/codeql-action/upload-sarif@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43671, "scanner": "repobility-supply-chain", "fingerprint": "510a85176cdfa054d944540d2385512308a68d066677be53c48e9f621bca93c8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|510a85176cdfa054d944540d2385512308a68d066677be53c48e9f621bca93c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 261}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43670, "scanner": "repobility-supply-chain", "fingerprint": "d774ddd20174f6363f6aed02cfa8f9f691f50df4d2cd726dae3119871251be78", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d774ddd20174f6363f6aed02cfa8f9f691f50df4d2cd726dae3119871251be78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 246}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/upload-sarif` pinned to mutable ref `@v3`: `uses: github/codeql-action/upload-sarif@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43669, "scanner": "repobility-supply-chain", "fingerprint": "084c888c61f298777b7010d35e5a26d4d951b152a9eda4162c3e283dc5223fd1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|084c888c61f298777b7010d35e5a26d4d951b152a9eda4162c3e283dc5223fd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 228}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/upload-sarif` pinned to mutable ref `@v3`: `uses: github/codeql-action/upload-sarif@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43668, "scanner": "repobility-supply-chain", "fingerprint": "763a60200e7efbfb62b7b7875f4b9651c54f0d5bf2471ca16ffe314f9ddd41ec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|763a60200e7efbfb62b7b7875f4b9651c54f0d5bf2471ca16ffe314f9ddd41ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 210}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `anchore/scan-action` pinned to mutable ref `@v7`: `uses: anchore/scan-action@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43667, "scanner": "repobility-supply-chain", "fingerprint": "45ea92ac40a9d8a990d7fcc489f28af06fb46196e780a019cdce494317565616", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|45ea92ac40a9d8a990d7fcc489f28af06fb46196e780a019cdce494317565616"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 200}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/upload-sarif` pinned to mutable ref `@v3`: `uses: github/codeql-action/upload-sarif@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43666, "scanner": "repobility-supply-chain", "fingerprint": "a817d2b4af136a7a4d0b4ab3308efc3605decb8b8d35d7079e6159d4ed11c237", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a817d2b4af136a7a4d0b4ab3308efc3605decb8b8d35d7079e6159d4ed11c237"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43665, "scanner": "repobility-supply-chain", "fingerprint": "8a3ac10cf0da15296fafc99a7406fe1d25cb98a9509df323535687e3c21ac171", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8a3ac10cf0da15296fafc99a7406fe1d25cb98a9509df323535687e3c21ac171"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43664, "scanner": "repobility-supply-chain", "fingerprint": "f0aec8730f6be83de3800dacb4923bb428a3b58968ea25fada4bcb9938c777a2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0aec8730f6be83de3800dacb4923bb428a3b58968ea25fada4bcb9938c777a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/upload-sarif` pinned to mutable ref `@v3`: `uses: github/codeql-action/upload-sarif@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43663, "scanner": "repobility-supply-chain", "fingerprint": "67f782db00000e7f4d50da6812580d63fb9b5ce30896f547c14616ba0302f408", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|67f782db00000e7f4d50da6812580d63fb9b5ce30896f547c14616ba0302f408"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43662, "scanner": "repobility-supply-chain", "fingerprint": "2e262f831a027bb5a37a2646ab0a515a5fb44c06901a5de6c2afe1cee5c3eb39", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2e262f831a027bb5a37a2646ab0a515a5fb44c06901a5de6c2afe1cee5c3eb39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43661, "scanner": "repobility-supply-chain", "fingerprint": "180fcd4cba8e3dac5b56f2c06987dd4a2c51925912700cb4e6b9f79305856a2c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|180fcd4cba8e3dac5b56f2c06987dd4a2c51925912700cb4e6b9f79305856a2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/upload-sarif` pinned to mutable ref `@v3`: `uses: github/codeql-action/upload-sarif@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43660, "scanner": "repobility-supply-chain", "fingerprint": "ff1264fdd4b81b346d68d86d41fc2817396b242f094cf9cd37660b6998627bd8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ff1264fdd4b81b346d68d86d41fc2817396b242f094cf9cd37660b6998627bd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `returntocorp/semgrep-action` pinned to mutable ref `@v1`: `uses: returntocorp/semgrep-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43659, "scanner": "repobility-supply-chain", "fingerprint": "8dd0fe2751127d76639259fff3dcac4cef4b88bb3e7f4cbf9f46f9058676c32a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8dd0fe2751127d76639259fff3dcac4cef4b88bb3e7f4cbf9f46f9058676c32a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/upload-sarif` pinned to mutable ref `@v3`: `uses: github/codeql-action/upload-sarif@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43658, "scanner": "repobility-supply-chain", "fingerprint": "6014c8101e569d6e6218669c2c4453c0771db8fe3dde43e1a954aee288e0f7b0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6014c8101e569d6e6218669c2c4453c0771db8fe3dde43e1a954aee288e0f7b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43657, "scanner": "repobility-supply-chain", "fingerprint": "c115c9441519971dfd5ffb662e868e17f27f0f245f78557144ce7d54c18d9269", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c115c9441519971dfd5ffb662e868e17f27f0f245f78557144ce7d54c18d9269"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43656, "scanner": "repobility-supply-chain", "fingerprint": "b4b69d47093dac2463b6ba730560541b6362c497a03fe6446545c1aab1d0c134", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4b69d47093dac2463b6ba730560541b6362c497a03fe6446545c1aab1d0c134"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43655, "scanner": "repobility-supply-chain", "fingerprint": "cd861a0d5803446621fae83e91c0db79586b01396e51f560b9fde6ec4b2a8448", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd861a0d5803446621fae83e91c0db79586b01396e51f560b9fde6ec4b2a8448"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/mqtt-integration.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43654, "scanner": "repobility-supply-chain", "fingerprint": "743e2a0e47b5004f33ae1c4013d73262334d7b4df2c6af628727d2e8cc145f4e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|743e2a0e47b5004f33ae1c4013d73262334d7b4df2c6af628727d2e8cc145f4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/mqtt-integration.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43653, "scanner": "repobility-supply-chain", "fingerprint": "be35bb7b1eeb757fd3231a988774786df2eb0bc1637c9e73efb27d03c77926fa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be35bb7b1eeb757fd3231a988774786df2eb0bc1637c9e73efb27d03c77926fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/mqtt-integration.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 43652, "scanner": "repobility-supply-chain", "fingerprint": "08ae3211e5671830fc75238adf454e45140f2f4b614d39e8645e1cb22d169f44", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|08ae3211e5671830fc75238adf454e45140f2f4b614d39e8645e1cb22d169f44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sensing-server-docker.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /logout has no auth: Handler `logout` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 43651, "scanner": "repobility-route-auth", "fingerprint": "e96e6c5bc9958e60fa1ff1c41de718f2d355fa1dd8f0c8a011dbfe35331953e4", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|e96e6c5bc9958e60fa1ff1c41de718f2d355fa1dd8f0c8a011dbfe35331953e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/api/routers/auth.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST (unknown path) has no auth: Handler `dev_reset` is registered with router/app.post(...) 
but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 43650, "scanner": "repobility-route-auth", "fingerprint": "c93bd5c391804f63923703caf49c7ac09376906a172a845201d48f651b47b200", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|c93bd5c391804f63923703caf49c7ac09376906a172a845201d48f651b47b200"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/api/main.py"}, "region": {"startLine": 406}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST (unknown path) has no auth: Handler `dev_reset` is registered with router/app.post(...) 
but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 43649, "scanner": "repobility-route-auth", "fingerprint": "9392388b05b64830b646e789d7a04c1068d262d48ac090b3f01ba47a70bf2103", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|9392388b05b64830b646e789d7a04c1068d262d48ac090b3f01ba47a70bf2103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/app.py"}, "region": {"startLine": 313}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `run_test`: `time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 43647, "scanner": "repobility-ast-engine", "fingerprint": "5a5db8afcd0a31626ad3c14af601b770c073d41a296895eab2270e984e700006", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5a5db8afcd0a31626ad3c14af601b770c073d41a296895eab2270e984e700006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/tests/unit/test_esp32_binary_parser.py"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_execute_command_requires_connection: Test function `test_execute_command_requires_connection` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43646, "scanner": "repobility-ast-engine", "fingerprint": "64792e21f0a0d4a2b2ac6a191c20c43f168c9ab048deffa446b3a7cf15ca8598", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|64792e21f0a0d4a2b2ac6a191c20c43f168c9ab048deffa446b3a7cf15ca8598"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/tests/unit/test_router_interface.py"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_execute_command_handles_command_errors: Test function `test_execute_command_handles_command_errors` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43645, "scanner": "repobility-ast-engine", "fingerprint": "fd08d83122afc2489b2def94ca9c25f7ccde1a448c020705b489e5c60e02ce79", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fd08d83122afc2489b2def94ca9c25f7ccde1a448c020705b489e5c60e02ce79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/tests/unit/test_router_interface.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_websocket_streaming: Test function `test_websocket_streaming` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43643, "scanner": "repobility-ast-engine", "fingerprint": "06ed7010965d31346169c67eb65cc758c286f88d3380055fdbdda536a9916991", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|06ed7010965d31346169c67eb65cc758c286f88d3380055fdbdda536a9916991"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/tests/fixtures/api_client.py"}, "region": {"startLine": 505}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_pose_detection: Test function `test_pose_detection` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43642, "scanner": "repobility-ast-engine", "fingerprint": "5b69ec7693640f3fcca06639a8be009ec94f03cf763b5a7881eb016bf15ba8d7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5b69ec7693640f3fcca06639a8be009ec94f03cf763b5a7881eb016bf15ba8d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/tests/fixtures/api_client.py"}, "region": {"startLine": 501}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_health_endpoint: Test function `test_health_endpoint` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43641, "scanner": "repobility-ast-engine", "fingerprint": "3ae46dcd71e20cd6e593c3d4c1efd8e11ee914a91db0ce58df26f5fcfcca4944", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3ae46dcd71e20cd6e593c3d4c1efd8e11ee914a91db0ce58df26f5fcfcca4944"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/tests/fixtures/api_client.py"}, "region": {"startLine": 497}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_websocket_errors: Test function `test_websocket_errors` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43639, "scanner": "repobility-ast-engine", "fingerprint": "0e0c7f98706370ed8da3c9d58ae0657dbfeceb22f97b0c2f8f1323da62be7050", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0e0c7f98706370ed8da3c9d58ae0657dbfeceb22f97b0c2f8f1323da62be7050"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/scripts/test_websocket_streaming.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_event_streaming: Test function `test_event_streaming` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43638, "scanner": "repobility-ast-engine", "fingerprint": "456776c7c744222dc60181cc5d56299a4d980ae218b25e6ce84bb5de58c30b09", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|456776c7c744222dc60181cc5d56299a4d980ae218b25e6ce84bb5de58c30b09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/scripts/test_websocket_streaming.py"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_pose_streaming: Test function `test_pose_streaming` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43637, "scanner": "repobility-ast-engine", "fingerprint": "0c75f1866ecaf4bbdb7c3361f9a81c5c410d4952e6766e646ba79bd22f90a619", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0c75f1866ecaf4bbdb7c3361f9a81c5c410d4952e6766e646ba79bd22f90a619"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/scripts/test_websocket_streaming.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_system_load: Test function `test_system_load` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43629, "scanner": "repobility-ast-engine", "fingerprint": "cbdaab79a3aa0a73d345a670b565b98d3c71ea6d65a22ba7b02976438bafb5c3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cbdaab79a3aa0a73d345a670b565b98d3c71ea6d65a22ba7b02976438bafb5c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/scripts/test_monitoring.py"}, "region": {"startLine": 252}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_websocket_endpoint: Test function `test_websocket_endpoint` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43627, "scanner": "repobility-ast-engine", "fingerprint": "786373cb8a1a4325abb43fe71fd130ff6e6507c203ad26b0e1c3e749e1e3f28e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|786373cb8a1a4325abb43fe71fd130ff6e6507c203ad26b0e1c3e749e1e3f28e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/scripts/test_api_endpoints.py"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_endpoint: Test function `test_endpoint` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43626, "scanner": "repobility-ast-engine", "fingerprint": "3444e8e31ead732a249407fb1d3356b847e97c62842193580947a09a5140e4ee", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3444e8e31ead732a249407fb1d3356b847e97c62842193580947a09a5140e4ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/scripts/test_api_endpoints.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_calibration_endpoints: Test function `test_calibration_endpoints` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43615, "scanner": "repobility-ast-engine", "fingerprint": "58454aa14d3e27fddb2fe9afb36df5939cde0d569dcb3ddde63cc6e39b825dff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|58454aa14d3e27fddb2fe9afb36df5939cde0d569dcb3ddde63cc6e39b825dff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_application.py"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_websocket_connection: Test function `test_websocket_connection` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43614, "scanner": "repobility-ast-engine", "fingerprint": "1ca4fbe55f39c40422add85c2089529cd0ec62672ae7da248d0087ac871d553e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1ca4fbe55f39c40422add85c2089529cd0ec62672ae7da248d0087ac871d553e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_application.py"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_stream_endpoints: Test function `test_stream_endpoints` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43613, "scanner": "repobility-ast-engine", "fingerprint": "9dc7f7f0447d78abebe8e3282404b79b7aab10e214388f58674b3b094f7be9f8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9dc7f7f0447d78abebe8e3282404b79b7aab10e214388f58674b3b094f7be9f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_application.py"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_pose_endpoints: Test function `test_pose_endpoints` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43612, "scanner": "repobility-ast-engine", "fingerprint": "647d8682505d16ae1ee6bb1f0e2240ff0826b40ff113574b2558b36f3f5c5af8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|647d8682505d16ae1ee6bb1f0e2240ff0826b40ff113574b2558b36f3f5c5af8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_application.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_api_endpoints: Test function `test_api_endpoints` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43611, "scanner": "repobility-ast-engine", "fingerprint": "89705521fdf6ac0d01d2a29c5a59e4c42321412689fb1bae0160d1e7eb573f52", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|89705521fdf6ac0d01d2a29c5a59e4c42321412689fb1bae0160d1e7eb573f52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_application.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_health_endpoints: Test function `test_health_endpoints` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43610, "scanner": "repobility-ast-engine", "fingerprint": "1cbd19b8d114ea5b1e44ec49531986629511db551a18723244059629b1c74c14", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1cbd19b8d114ea5b1e44ec49531986629511db551a18723244059629b1c74c14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_application.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.test_authentication_headers` used but never assigned in __init__: Method `run_all_tests` of class `AuthRateLimitTester` reads `self.test_authentication_headers`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43608, "scanner": "repobility-ast-engine", "fingerprint": "206380eb2793279d8a942e5b5c8ee32fb2569e364ae02c66139d9ef56fff39db", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|206380eb2793279d8a942e5b5c8ee32fb2569e364ae02c66139d9ef56fff39db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 427}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.test_protected_endpoints` used but never assigned in __init__: Method `run_all_tests` of class `AuthRateLimitTester` reads `self.test_protected_endpoints`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43607, "scanner": "repobility-ast-engine", "fingerprint": "047f5e45a384f430578f907850c00ebe15d41a50b4c0c6459b368f4559506353", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|047f5e45a384f430578f907850c00ebe15d41a50b4c0c6459b368f4559506353"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 426}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.test_public_endpoints` used but never assigned in __init__: Method `run_all_tests` of class `AuthRateLimitTester` reads `self.test_public_endpoints`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43606, "scanner": "repobility-ast-engine", "fingerprint": "1e93a5e0d8d6d1941b26e878c55f58468b76e9d9a257dac6c4d33d8ed27f6a8c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1e93a5e0d8d6d1941b26e878c55f58468b76e9d9a257dac6c4d33d8ed27f6a8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 425}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.log_result` used but never assigned in __init__: Method `test_authentication_states` of class `AuthRateLimitTester` reads `self.log_result`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43605, "scanner": "repobility-ast-engine", "fingerprint": "6b84e25d4a54e720f772d4f19dfa4f2f612772eb553633209a9c88121cb1f801", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6b84e25d4a54e720f772d4f19dfa4f2f612772eb553633209a9c88121cb1f801"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 412}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.log_result` used but never assigned in __init__: Method `test_authentication_states` of class `AuthRateLimitTester` reads `self.log_result`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43604, "scanner": "repobility-ast-engine", "fingerprint": "7d3d1e17cac1aedbeb8c320ecc973cbb8a3960c0472bb1772ae816fcf7206dcf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7d3d1e17cac1aedbeb8c320ecc973cbb8a3960c0472bb1772ae816fcf7206dcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 401}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.log_result` used but never assigned in __init__: Method `test_security_headers` of class `AuthRateLimitTester` reads `self.log_result`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43603, "scanner": "repobility-ast-engine", "fingerprint": "4ee63365fbc962f567bbbb9930a026c90112bbf6a636c2802d8aac47961bca60", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4ee63365fbc962f567bbbb9930a026c90112bbf6a636c2802d8aac47961bca60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 383}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.log_result` used but never assigned in __init__: Method `test_security_headers` of class `AuthRateLimitTester` reads `self.log_result`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43602, "scanner": "repobility-ast-engine", "fingerprint": "ec069d17ce1c845b55de25815f7e537e76cf9b03eea65544dd84bea8cf157bd5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ec069d17ce1c845b55de25815f7e537e76cf9b03eea65544dd84bea8cf157bd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 375}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.log_result` used but never assigned in __init__: Method `test_cors_headers` of class `AuthRateLimitTester` reads `self.log_result`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43601, "scanner": "repobility-ast-engine", "fingerprint": "4bfcf602fc735848813297630d56991500bb396eff482092816ea00a9cc5d488", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4bfcf602fc735848813297630d56991500bb396eff482092816ea00a9cc5d488"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 350}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.log_result` used but never assigned in __init__: Method `test_cors_headers` of class `AuthRateLimitTester` reads `self.log_result`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43600, "scanner": "repobility-ast-engine", "fingerprint": "8b8ed5643d68467d34aec631e1386e00277eef770e7478e4a96e1603fc85fa8e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8b8ed5643d68467d34aec631e1386e00277eef770e7478e4a96e1603fc85fa8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 342}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.log_result` used but never assigned in __init__: Method `test_cors_headers` of class `AuthRateLimitTester` reads `self.log_result`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43599, "scanner": "repobility-ast-engine", "fingerprint": "c9caccd43bf256e67abbe740a3c2bce79f349a9f0b7776fcc8c58238cf17cc1e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c9caccd43bf256e67abbe740a3c2bce79f349a9f0b7776fcc8c58238cf17cc1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 325}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.log_result` used but never assigned in __init__: Method `test_rate_limit_headers` of class `AuthRateLimitTester` reads `self.log_result`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43598, "scanner": "repobility-ast-engine", "fingerprint": "3dc03f9996086dbd136300a7264b857d4b6abb8b258a84e18e880221ab9a35a3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3dc03f9996086dbd136300a7264b857d4b6abb8b258a84e18e880221ab9a35a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 285}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.log_result` used but never assigned in __init__: Method `test_rate_limit_headers` of class `AuthRateLimitTester` reads `self.log_result`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43597, "scanner": "repobility-ast-engine", "fingerprint": "2aa05cbdbd4bac44e69be32ea15f8932736dfc0b89a1f53caa12ff686825026c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2aa05cbdbd4bac44e69be32ea15f8932736dfc0b89a1f53caa12ff686825026c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 294}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.log_result` used but never assigned in __init__: Method `test_rate_limit_headers` of class `AuthRateLimitTester` reads `self.log_result`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43596, "scanner": "repobility-ast-engine", "fingerprint": "1d2ed3c213b36fe5ac229ae386c0e32c505cd7b2e62fde24cf548cf04290b316", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1d2ed3c213b36fe5ac229ae386c0e32c505cd7b2e62fde24cf548cf04290b316"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 271}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generate_test_token` used but never assigned in __init__: Method `test_rate_limiting` of class `AuthRateLimitTester` reads `self.generate_test_token`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43595, "scanner": "repobility-ast-engine", "fingerprint": "3b2ae0bb6a61ea1286d53a01eae7e8016bbe5e811f030f31e56f9cfd9d2d2edf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3b2ae0bb6a61ea1286d53a01eae7e8016bbe5e811f030f31e56f9cfd9d2d2edf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.log_result` used but never assigned in __init__: Method `test_rate_limiting` of class `AuthRateLimitTester` reads `self.log_result`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43594, "scanner": "repobility-ast-engine", "fingerprint": "f7de0dc53dfbd9e89ab462b9c2721d86b5520e44e6882f5107bb4451f76cad88", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f7de0dc53dfbd9e89ab462b9c2721d86b5520e44e6882f5107bb4451f76cad88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 240}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generate_test_token` used but never assigned in __init__: Method `test_authentication_headers` of class `AuthRateLimitTester` reads `self.generate_test_token`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43593, "scanner": "repobility-ast-engine", "fingerprint": "8332cd39118c2baac7160b71398151a530214e5a9ca6086c5dc59454bfa211c6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8332cd39118c2baac7160b71398151a530214e5a9ca6086c5dc59454bfa211c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generate_test_token` used but never assigned in __init__: Method `test_authentication_headers` of class `AuthRateLimitTester` reads `self.generate_test_token`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43592, "scanner": "repobility-ast-engine", "fingerprint": "1ff1968901f9535cfaa6c5bacd25d5b10f33ef20f1fd43872d1fe797e5786ec2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1ff1968901f9535cfaa6c5bacd25d5b10f33ef20f1fd43872d1fe797e5786ec2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.log_result` used but never assigned in __init__: Method `test_authentication_headers` of class `AuthRateLimitTester` reads `self.log_result`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43591, "scanner": "repobility-ast-engine", "fingerprint": "3f4ca24cb50850a201a9b567d4975899aa4db8153037dfd14813754e7ee0a170", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3f4ca24cb50850a201a9b567d4975899aa4db8153037dfd14813754e7ee0a170"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.log_result` used but never assigned in __init__: Method `test_authentication_headers` of class `AuthRateLimitTester` reads `self.log_result`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43590, "scanner": "repobility-ast-engine", "fingerprint": "c3e27d7ff5f77deb298680312aaea91ca224fbd3bb6145cb0286330aa4284bb0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c3e27d7ff5f77deb298680312aaea91ca224fbd3bb6145cb0286330aa4284bb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.log_result` used but never assigned in __init__: Method `test_protected_endpoints` of class `AuthRateLimitTester` reads `self.log_result`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43589, "scanner": "repobility-ast-engine", "fingerprint": "9815be56ec0e55f62d690a31c1a3adaa25cab56f66e5eabe091bc7a08db0bd23", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9815be56ec0e55f62d690a31c1a3adaa25cab56f66e5eabe091bc7a08db0bd23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.log_result` used but never assigned in __init__: Method `test_protected_endpoints` of class `AuthRateLimitTester` reads `self.log_result`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43588, "scanner": "repobility-ast-engine", "fingerprint": "62ca86b97c324c094d8fe0db5969708ee592ccd7c792628c7d8dacff3a845e6d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|62ca86b97c324c094d8fe0db5969708ee592ccd7c792628c7d8dacff3a845e6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.log_result` used but never assigned in __init__: Method `test_public_endpoints` of class `AuthRateLimitTester` reads `self.log_result`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43587, "scanner": "repobility-ast-engine", "fingerprint": "402cd2c381892247fb2ff03ea856197a6ba04d6451c941b11dbfab890991f60b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|402cd2c381892247fb2ff03ea856197a6ba04d6451c941b11dbfab890991f60b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.log_result` used but never assigned in __init__: Method `test_public_endpoints` of class `AuthRateLimitTester` reads `self.log_result`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43586, "scanner": "repobility-ast-engine", "fingerprint": "8d52f39600e2dfd668162d20e9ae94de0511bfb141de65e28ce6a019fcf07b77", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8d52f39600e2dfd668162d20e9ae94de0511bfb141de65e28ce6a019fcf07b77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_authentication_states: Test function `test_authentication_states` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43585, "scanner": "repobility-ast-engine", "fingerprint": "1c33de39638e41a50e44b8b670bbefa312f894e16fa6dc28a08926b1fcda248f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1c33de39638e41a50e44b8b670bbefa312f894e16fa6dc28a08926b1fcda248f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 389}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_security_headers: Test function `test_security_headers` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43584, "scanner": "repobility-ast-engine", "fingerprint": "7f782bcc78e881a4db317d31709daaba7c3e088192ea733e07e242ecb6e5a6a0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7f782bcc78e881a4db317d31709daaba7c3e088192ea733e07e242ecb6e5a6a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 356}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_cors_headers: Test function `test_cors_headers` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43583, "scanner": "repobility-ast-engine", "fingerprint": "4001212badb17904b734d52fb774fda7043b761cc8f91caf37a97193a5a506de", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4001212badb17904b734d52fb774fda7043b761cc8f91caf37a97193a5a506de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 300}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_rate_limit_headers: Test function `test_rate_limit_headers` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43582, "scanner": "repobility-ast-engine", "fingerprint": "33a0e06f586bd0042164a511566ecd3c26bc1a2b0147b9b3defb0bf9b9bfd72c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|33a0e06f586bd0042164a511566ecd3c26bc1a2b0147b9b3defb0bf9b9bfd72c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 253}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_rate_limiting: Test function `test_rate_limiting` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43581, "scanner": "repobility-ast-engine", "fingerprint": "c3fa36849c07066b7ad41c74c5beaaed4824aff0199fb951cd5180d994ade291", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c3fa36849c07066b7ad41c74c5beaaed4824aff0199fb951cd5180d994ade291"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_authentication_headers: Test function `test_authentication_headers` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43580, "scanner": "repobility-ast-engine", "fingerprint": "d4fd0ee21bec8b07a758ce3c7be4d42713514ac77f488ec93d83786e5099fdca", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d4fd0ee21bec8b07a758ce3c7be4d42713514ac77f488ec93d83786e5099fdca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_protected_endpoints: Test function `test_protected_endpoints` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43579, "scanner": "repobility-ast-engine", "fingerprint": "064142d4ae0e42618bd788ae0edbbc5927c97386c1c1b1fdbbc8d52afaed6ce0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|064142d4ae0e42618bd788ae0edbbc5927c97386c1c1b1fdbbc8d52afaed6ce0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_public_endpoints: Test function `test_public_endpoints` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 43578, "scanner": "repobility-ast-engine", "fingerprint": "2aa51c033a3c52d4574027890d250318bdd4e72a28a019450bbdf7d5aa3744a2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2aa51c033a3c52d4574027890d250318bdd4e72a28a019450bbdf7d5aa3744a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/test_auth_rate_limit.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.std` used but never assigned in __init__: Method `z_score` of class `WelfordStats` reads `self.std`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43572, "scanner": "repobility-ast-engine", "fingerprint": "1c49d7658dba0aa967e783d7cbb388319844b3046900d40577d1d395cfda8608", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1c49d7658dba0aa967e783d7cbb388319844b3046900d40577d1d395cfda8608"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ruview_live.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.variance` used but never assigned in __init__: Method `std` of class `WelfordStats` reads `self.variance`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 43571, "scanner": "repobility-ast-engine", "fingerprint": "b2cadfc61e6ef63422366e7805243d9c4944cc0f6338d91fd7b7ef926f25f492", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b2cadfc61e6ef63422366e7805243d9c4944cc0f6338d91fd7b7ef926f25f492"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ruview_live.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 43525, "scanner": "repobility-threat-engine", "fingerprint": "2667a77a3b7fd1d71b1c585c237d70bd01a3a772bb8b8854433d78a8a13b2cd9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.pending.delete(m.id);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2667a77a3b7fd1d71b1c585c237d70bd01a3a772bb8b8854433d78a8a13b2cd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/WasmClient.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 43519, "scanner": "repobility-threat-engine", "fingerprint": "11a6a6bdfd52ee679f50233e5d0ddf4f5e62d0535d90ef2219d4cacd9f73aefa", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|11a6a6bdfd52ee679f50233e5d0ddf4f5e62d0535d90ef2219d4cacd9f73aefa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/WsClient.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 43518, "scanner": "repobility-threat-engine", "fingerprint": "8226ee77cc5249da96e342062806249f48892a28f309440c29dad1ab1bf9ca3d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8226ee77cc5249da96e342062806249f48892a28f309440c29dad1ab1bf9ca3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/components/nv-palette.ts"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 43517, "scanner": "repobility-threat-engine", "fingerprint": "4225e21d460d445657cc85648ed126a5e64a0cd090281795cdc22392f39e28cb", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4225e21d460d445657cc85648ed126a5e64a0cd090281795cdc22392f39e28cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/components/nv-console.ts"}, "region": {"startLine": 180}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 43510, "scanner": "repobility-threat-engine", "fingerprint": "606f7c7bfee5f4652ac9bf5fdff8f48cae2892bade39250bc611440bf0188e02", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|606f7c7bfee5f4652ac9bf5fdff8f48cae2892bade39250bc611440bf0188e02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/environment/room_monitor.py"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": 
"[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 43509, "scanner": "repobility-threat-engine", "fingerprint": "120ed24de91c989f3523cb2c692f8837f88b61e528f107bbaa6aed83fd26195c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|120ed24de91c989f3523cb2c692f8837f88b61e528f107bbaa6aed83fd26195c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/main.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 43508, "scanner": "repobility-threat-engine", "fingerprint": "73789160c7a7da1582eee5f3271d791d057d682b9ce4614257c22ae95214ff38", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|73789160c7a7da1582eee5f3271d791d057d682b9ce4614257c22ae95214ff38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/logger.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 43502, "scanner": "repobility-threat-engine", "fingerprint": "483faabbae9576b821fb4f9945e5151d838f0c68eea594b574e8152dc670cbe6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|483faabbae9576b821fb4f9945e5151d838f0c68eea594b574e8152dc670cbe6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/environment/room_monitor.py"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... 
\u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 43501, "scanner": "repobility-threat-engine", "fingerprint": "a19993951531334c58266054334cd49e27ce42e68ff4586f07137a0bbc6e05b1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a19993951531334c58266054334cd49e27ce42e68ff4586f07137a0bbc6e05b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/main.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... 
\u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 43500, "scanner": "repobility-threat-engine", "fingerprint": "b1d845c05c1e7c5c144fa2da5561caace89c9005a1607f6aea8bc8fd26fc996e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b1d845c05c1e7c5c144fa2da5561caace89c9005a1607f6aea8bc8fd26fc996e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/commands/start.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 43497, "scanner": "repobility-threat-engine", "fingerprint": "fcd71dd3b273fb75e3289840093893501ff98caae7bf897d1e5c9fc140422277", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@router.post(\"/logout\")\nasync def logout(request: Request)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fcd71dd3b273fb75e3289840093893501ff98caae7bf897d1e5c9fc140422277"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/api/routers/auth.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC036", "level": "error", "message": {"text": "[SEC036] HTTP Header Injection / CRLF Injection: Setting an HTTP response header from user input without stripping CRLF lets attackers inject extra headers (Set-Cookie, etc.) or split the response. Real CVEs: CVE-2017-15193 (Mahara), CVE-2019-11358 (Django), CVE-2020-26116 (Python http.client). 
CWE-93/113."}, "properties": {"repobilityId": 43492, "scanner": "repobility-threat-engine", "fingerprint": "61be1bbafa41f556b6d132a98735a6aa141a70a929fa5ef8f5fb2ebbae0090e6", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "response.headers[\"X-User-ID\"] = request.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC036", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|111|sec036"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/api/middleware/auth.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 43486, "scanner": "repobility-threat-engine", "fingerprint": "769e5321eb4ea4084377164b52873e1f2b82ab63593ce3f4ac3cf5e69f9847b2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|769e5321eb4ea4084377164b52873e1f2b82ab63593ce3f4ac3cf5e69f9847b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/helpers/router.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 43481, "scanner": "repobility-threat-engine", "fingerprint": "e9970409d35a0f1a5a1cb4f254d2ba1f7152791a6abdc1eddf0411da7801c0a6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(line", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e9970409d35a0f1a5a1cb4f254d2ba1f7152791a6abdc1eddf0411da7801c0a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/components/nv-console.ts"}, "region": {"startLine": 119}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 43480, "scanner": "repobility-threat-engine", "fingerprint": "943686a0813c0ac40cef7f570bf66adb39d2ca4d25307fe0f4251ae136e3ac30", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(ghCommand", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|943686a0813c0ac40cef7f570bf66adb39d2ca4d25307fe0f4251ae136e3ac30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/helpers/github-safe.js"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SLACK_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_WEBHOOK_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 43684, "scanner": "repobility-supply-chain", "fingerprint": "4ab6cd1d349fceecf60b30c67505c70f44046e376c316a9275dfe8b08091b7f2", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4ab6cd1d349fceecf60b30c67505c70f44046e376c316a9275dfe8b08091b7f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 388}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SECURITY_SLACK_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SECURITY_SLACK_WEBHOOK_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 43680, "scanner": "repobility-supply-chain", "fingerprint": "6c0b52d90d0693f2b04582519651bfe07f31349f44681ed06a1b0c762d5450c1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6c0b52d90d0693f2b04582519651bfe07f31349f44681ed06a1b0c762d5450c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 430}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GITLEAKS_LICENSE` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GITLEAKS_LICENSE }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 43679, "scanner": "repobility-supply-chain", "fingerprint": "b96ac66cdcab528df1d796099357f2ea6be0a4cf6749cf56027f5e9460335672", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b96ac66cdcab528df1d796099357f2ea6be0a4cf6749cf56027f5e9460335672"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 325}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SNYK_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SNYK_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 43678, "scanner": "repobility-supply-chain", "fingerprint": "65bbb61a4a0f9a3f7c150bda58478615109fc85385e19dbda292427cd35b3d8e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|65bbb61a4a0f9a3f7c150bda58478615109fc85385e19dbda292427cd35b3d8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SEMGREP_APP_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SEMGREP_APP_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 43677, "scanner": "repobility-supply-chain", "fingerprint": "00cd2329dc430c57f3ec8cd96bf56b6a5e7b9fb585e6d91c47796f8bcec28211", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|00cd2329dc430c57f3ec8cd96bf56b6a5e7b9fb585e6d91c47796f8bcec28211"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scan.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 43648, "scanner": "repobility-ast-engine", "fingerprint": "034bd3c8f8a6843469a3045e474522b701e085cc5ac441870b23a0507f92dd54", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|034bd3c8f8a6843469a3045e474522b701e085cc5ac441870b23a0507f92dd54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/tasks/backup.py"}, "region": {"startLine": 570}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `random` used but not imported: The file uses `random.something(...)` but never imports `random`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 43644, "scanner": "repobility-ast-engine", "fingerprint": "8a2c3278037e0c11f9906b363574454d4d86c096a85b995f6f327617b5350428", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8a2c3278037e0c11f9906b363574454d4d86c096a85b995f6f327617b5350428"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/tests/fixtures/api_client.py"}, "region": {"startLine": 131}}}]}]}]}