{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. 
For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT006", "name": "React interval is created without an explicit cleanup", "shortDescription": {"text": "React interval is created without an explicit cleanup"}, "fullDescription": {"text": "Store the interval id and return a useEffect cleanup that calls clearInterval. Also clear the interval in explicit stop/end handlers when relevant."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. 
Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 18 (SonarSource scale). Cognitive complexi", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 18 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weig"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. 
SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 18."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 686 lines (recommend <300)", "shortDescription": {"text": "Average file size is 686 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since 
ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED075", "name": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL.", "shortDescription": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-690 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v1`: `uses: softprops/action-gh-release@v1` reso", "shortDescription": {"text": "[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v1`: `uses: softprops/action-gh-release@v1` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-file"}, "fullDescription": {"text": "Replace with: `uses: softprops/action-gh-release@<40-char-sha>  # v1` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `debian:bookworm` not pinned by digest: `FROM debian:bookworm` resolves the tag at build time", "shortDescription": {"text": "[MINED118] Dockerfile FROM `debian:bookworm` not pinned by digest: `FROM debian:bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production image"}, "fullDescription": {"text": "Replace with: `FROM debian:bookworm@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC093", "name": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported", "shortDescription": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "fullDescription": {"text": "Use a constant command name and validate args via a whitelist."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED022", "name": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf.", "shortDescription": {"text": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-120 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1269"}, "properties": {"repository": "charlesvestal/schwung", "repoUrl": "https://github.com/charlesvestal/schwung", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128819, "scanner": "repobility-ast-engine", "fingerprint": "dc98286c13fba6b3b874eb62551db3f6757c0c1eaa8b9e472aca55a83ec8aed9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dc98286c13fba6b3b874eb62551db3f6757c0c1eaa8b9e472aca55a83ec8aed9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/analyze_wavs.py"}, "region": {"startLine": 197}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 128818, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 128817, "scanner": "repobility-docker", "fingerprint": "d81054a6ece0a0dc1917f7ea8736be67dc15361d92288b06a29377b3b3ea5a93", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No 
USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:bookworm", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d81054a6ece0a0dc1917f7ea8736be67dc15361d92288b06a29377b3b3ea5a93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 128815, "scanner": "repobility-agent-runtime", "fingerprint": "4c902493367e84c70cf0d617e701a3fea1e2f3014ad7dac73487467ad4a7c3a0", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|4c902493367e84c70cf0d617e701a3fea1e2f3014ad7dac73487467ad4a7c3a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/uninstall.sh"}, "region": {"startLine": 124}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 128814, "scanner": "repobility-agent-runtime", "fingerprint": "877082318f79ef36cc65efbec176490cd18318c9d4e0af232315bdba5af722c5", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": 
"repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|877082318f79ef36cc65efbec176490cd18318c9d4e0af232315bdba5af722c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "schwung-manager/static/htmx.min.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 128813, "scanner": "repobility-agent-runtime", "fingerprint": "73d2d1396908fbb2dab62e504325aaf5e035937172d9bbdb3896dd5e6235f758", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|73d2d1396908fbb2dab62e504325aaf5e035937172d9bbdb3896dd5e6235f758"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 128782, "scanner": "repobility-threat-engine", "fingerprint": "e29ec3d93f57c11bba615889fa2caefea2285e3ab00b63f24440388427294d92", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (e) { return true; }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e29ec3d93f57c11bba615889fa2caefea2285e3ab00b63f24440388427294d92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/shared/parse_move_manual.mjs"}, "region": {"startLine": 211}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 128776, "scanner": "repobility-threat-engine", "fingerprint": "ecfa5bffde7077d07e422bc61eba3da4460fd5c9f121219564209de2cc12d601", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ecfa5bffde7077d07e422bc61eba3da4460fd5c9f121219564209de2cc12d601"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/shared/parse_move_manual.mjs"}, "region": {"startLine": 303}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 128775, "scanner": "repobility-threat-engine", "fingerprint": 
"be9b470b3043ffd8183e3077bb8842a62c095f53969b1dc217556fb39fc11d5f", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|be9b470b3043ffd8183e3077bb8842a62c095f53969b1dc217556fb39fc11d5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/overtake/rnbo-runner/ui.js"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 128763, "scanner": "repobility-threat-engine", "fingerprint": "d2fcf1a94b30a3f79dbbed9299bc46cd777c6c67b98c4903a00fb8cc6134ab23", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|79|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/shared/parse_move_manual.mjs"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 128762, "scanner": "repobility-threat-engine", "fingerprint": "9cac2ff5c318fb5d0d95d4970bbd3dd4ee57de19aea0f4a468d730b857d0dd84", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|86|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/fetch_move_manual.sh"}, "region": {"startLine": 86}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 18 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=1, except=1, for=3, if=6, nested_bonus=7."}, "properties": {"repobilityId": 128758, "scanner": "repobility-threat-engine", "fingerprint": "b7a334354fc8f0216fc8b12a8be175a6425b5253d45aeb8c61053e6a7035c4ff", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 18 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 6, "for": 3, "except": 1, "continue": 1, "nested_bonus": 7}, "complexity": 18, "correlation_key": "fp|b7a334354fc8f0216fc8b12a8be175a6425b5253d45aeb8c61053e6a7035c4ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/analyze_wavs.py"}, "region": {"startLine": 186}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 686 lines (recommend <300)"}, "properties": {"repobilityId": 128752, "scanner": "repobility-core", "fingerprint": "5552fc837df2466188f62b1a6a10199772f97bf9aeedc591109433633abd090a", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|5552fc837df2466188f62b1a6a10199772f97bf9aeedc591109433633abd090a"}}}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 128816, "scanner": "repobility-docker", "fingerprint": "987c65731b2811ebb9642c12ce1f3c31848a79e97dff22894e1b4a62c8af66d3", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|987c65731b2811ebb9642c12ce1f3c31848a79e97dff22894e1b4a62c8af66d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128812, "scanner": "repobility-ai-code-hygiene", "fingerprint": "92950e630b985c4f706607859f1211693e902952eb5928c5dc3ce14c5c6f836f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackChannel.h", "duplicate_line": 4, "correlation_key": "fp|92950e630b985c4f706607859f1211693e902952eb5928c5dc3ce14c5c6f836f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackEngineControl.h"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128811, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6fe129acb669e3377c1d78a7af1eb76e3935a0e28ee98e4059fbe0de5017e117", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackActivationCount.h", "duplicate_line": 1, "correlation_key": 
"fp|6fe129acb669e3377c1d78a7af1eb76e3935a0e28ee98e4059fbe0de5017e117"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackEngineControl.h"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128810, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c87f480698c0f594306a4e7cc4c04b8c7a30f8a45668c1aa74d78cffde676563", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackClientControl.h", "duplicate_line": 1, "correlation_key": "fp|c87f480698c0f594306a4e7cc4c04b8c7a30f8a45668c1aa74d78cffde676563"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackEngineControl.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128809, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e1961ed18feaccd2475532c1ef5e626584c8a5edca68d86b4e843453bba82536", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackAC3Encoder.h", "duplicate_line": 3, "correlation_key": "fp|e1961ed18feaccd2475532c1ef5e626584c8a5edca68d86b4e843453bba82536"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "src/lib/jack2/common/JackEngine.h"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128808, "scanner": "repobility-ai-code-hygiene", "fingerprint": "32dd0d3a7da86fd437c36e8937dccf205c1063b9166dc2759b0970e4da1af695", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackAudioDriver.h", "duplicate_line": 2, "correlation_key": "fp|32dd0d3a7da86fd437c36e8937dccf205c1063b9166dc2759b0970e4da1af695"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackEngine.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128807, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0243b9039d065a65f190b0beb75b2891d3f57507988d27e3afe67fdadbcef162", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackAC3Encoder.h", "duplicate_line": 3, "correlation_key": "fp|0243b9039d065a65f190b0beb75b2891d3f57507988d27e3afe67fdadbcef162"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackDummyDriver.h"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 128806, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f4292040563423772586085ff09503393db8e503b47e699a203323a75a2f7088", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackAudioDriver.h", "duplicate_line": 1, "correlation_key": "fp|f4292040563423772586085ff09503393db8e503b47e699a203323a75a2f7088"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackDummyDriver.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128805, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ce2438183045bfc8a0af49a03e5644cb23dfb35868e4368da955a5521b7ee49e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackActivationCount.h", "duplicate_line": 1, "correlation_key": "fp|ce2438183045bfc8a0af49a03e5644cb23dfb35868e4368da955a5521b7ee49e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackDriverLoader.h"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128804, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "0887eb25967b96f94ce82f8f8a65f98509d2ee8bef3e6e359efd4b616f58f920", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackAudioDriver.h", "duplicate_line": 2, "correlation_key": "fp|0887eb25967b96f94ce82f8f8a65f98509d2ee8bef3e6e359efd4b616f58f920"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackDriverInfo.h"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128803, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ac2550b94194b5efef110e8277c21910d2939a4a711e63d099f5448d6f87de22", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackAC3Encoder.h", "duplicate_line": 3, "correlation_key": "fp|ac2550b94194b5efef110e8277c21910d2939a4a711e63d099f5448d6f87de22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackDriver.h"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128802, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f023afab3c42d7d54c0cf84df19bb9b3f81d655184a90ebbed29e9f8a3ecbea0", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackAudioDriver.h", "duplicate_line": 1, "correlation_key": "fp|f023afab3c42d7d54c0cf84df19bb9b3f81d655184a90ebbed29e9f8a3ecbea0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackDriver.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128801, "scanner": "repobility-ai-code-hygiene", "fingerprint": "41966a4ce51bd83815cb31c99c6a37fe79cc8126db5963001d6d79ca0420f2ab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackActivationCount.h", "duplicate_line": 1, "correlation_key": "fp|41966a4ce51bd83815cb31c99c6a37fe79cc8126db5963001d6d79ca0420f2ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackDebugClient.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128800, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aabf66b276a109c2d27d7e23a4f899686dafd331441cdb30597d2ae2bb926083", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized 
source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackActivationCount.h", "duplicate_line": 1, "correlation_key": "fp|aabf66b276a109c2d27d7e23a4f899686dafd331441cdb30597d2ae2bb926083"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackConstants.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128799, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d1b9c4b2f0059ec424d31e4631b6197c66fe808e5a74f5d2cca49d040c8e7547", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackActivationCount.h", "duplicate_line": 1, "correlation_key": "fp|d1b9c4b2f0059ec424d31e4631b6197c66fe808e5a74f5d2cca49d040c8e7547"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackConnectionManager.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128798, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a37d6498c4cbdc6fd0f9c4404348b34230be0346b29682c94556700e3c9ca957", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackActivationCount.h", "duplicate_line": 1, "correlation_key": "fp|a37d6498c4cbdc6fd0f9c4404348b34230be0346b29682c94556700e3c9ca957"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackClientInterface.h"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128797, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8231d7920f306e669fb4fa8176e96692c11c4db29d36b8526121370276303128", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackClient.h", "duplicate_line": 1, "correlation_key": "fp|8231d7920f306e669fb4fa8176e96692c11c4db29d36b8526121370276303128"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackClientInterface.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128796, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eaeaa66897b2b87f5fd8e2f0d2f93fa9be2ca754e20135a75e0a07473f39f4e5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"src/lib/jack2/common/JackActivationCount.h", "duplicate_line": 1, "correlation_key": "fp|eaeaa66897b2b87f5fd8e2f0d2f93fa9be2ca754e20135a75e0a07473f39f4e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackClientControl.h"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128795, "scanner": "repobility-ai-code-hygiene", "fingerprint": "84bb9bbaecdef8bfcab0d2497b93ab22d722f68c928c944d86174250de997791", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackActivationCount.h", "duplicate_line": 1, "correlation_key": "fp|84bb9bbaecdef8bfcab0d2497b93ab22d722f68c928c944d86174250de997791"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackClient.h"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128794, "scanner": "repobility-ai-code-hygiene", "fingerprint": "039588bb79008c4a3a295d24a50c2219489b425afbf7e560eda1106782fd6e97", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackActivationCount.h", "duplicate_line": 1, "correlation_key": 
"fp|039588bb79008c4a3a295d24a50c2219489b425afbf7e560eda1106782fd6e97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackChannel.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128793, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6d5f214b750f991585815fd2f546f16b1bf4db7318434c4bef495df6c3a432ef", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackAC3Encoder.h", "duplicate_line": 3, "correlation_key": "fp|6d5f214b750f991585815fd2f546f16b1bf4db7318434c4bef495df6c3a432ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackAudioDriver.h"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128792, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b138092f5ea9c79d650f4d5edf4eeba63bac0294ff724a5bb620773731637715", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackAC3Encoder.h", "duplicate_line": 3, "correlation_key": "fp|b138092f5ea9c79d650f4d5edf4eeba63bac0294ff724a5bb620773731637715"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"src/lib/jack2/common/JackAudioAdapterInterface.h"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128791, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dc595952a5043ebdb233f63d671082dfa1dae23878f30b48a8f52f7e80014882", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackAudioAdapter.h", "duplicate_line": 1, "correlation_key": "fp|dc595952a5043ebdb233f63d671082dfa1dae23878f30b48a8f52f7e80014882"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackAudioAdapterInterface.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128790, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f5d5af03d100aac3f84977331c46d858ac37bed51a97153b281e16e55a654fd6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackAC3Encoder.h", "duplicate_line": 3, "correlation_key": "fp|f5d5af03d100aac3f84977331c46d858ac37bed51a97153b281e16e55a654fd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackAudioAdapter.h"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", 
"message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128789, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2294ce3d9abfb625f0f91f20b35b1c822f8171fd89d5599e4643efc5555fef98", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackAtomicArrayState.h", "duplicate_line": 4, "correlation_key": "fp|2294ce3d9abfb625f0f91f20b35b1c822f8171fd89d5599e4643efc5555fef98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackAtomicState.h"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128788, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ac6ec7e7ebce6a55687ab7d43688512c8351a9a61ddaf71846d3a80f628c82b9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackActivationCount.h", "duplicate_line": 1, "correlation_key": "fp|ac6ec7e7ebce6a55687ab7d43688512c8351a9a61ddaf71846d3a80f628c82b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackAtomicState.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128787, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "ff87df0e86fe0b3ba6362903ef235b4291dcf456dba6ede71fd140a30b3b4a66", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackActivationCount.h", "duplicate_line": 1, "correlation_key": "fp|ff87df0e86fe0b3ba6362903ef235b4291dcf456dba6ede71fd140a30b3b4a66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackAtomicArrayState.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128786, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8ca9a4f4264fce4bf41f6886b3a51afaa282be0ae00cd1d64b203a8f920628c4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackActivationCount.h", "duplicate_line": 1, "correlation_key": "fp|8ca9a4f4264fce4bf41f6886b3a51afaa282be0ae00cd1d64b203a8f920628c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackAtomic.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128785, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8abddb36e014c3e01d15c290aa73588c39ce45a81a5aaecfea35a03dfb32208b", "category": 
"quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/jack2/common/JackActivationCount.h", "duplicate_line": 2, "correlation_key": "fp|8abddb36e014c3e01d15c290aa73588c39ce45a81a5aaecfea35a03dfb32208b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/jack2/common/JackArgParser.h"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128784, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5d48054174e74161ba2cd5787f2a4074fd36e23d4af2d0ae6552a8a162416ace", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/host/tts_engine_espeak.c", "duplicate_line": 105, "correlation_key": "fp|5d48054174e74161ba2cd5787f2a4074fd36e23d4af2d0ae6552a8a162416ace"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/host/tts_engine_flite.c"}, "region": {"startLine": 91}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128783, "scanner": "repobility-ai-code-hygiene", "fingerprint": "290caa84816163fbda34a88837cd8f4c0982276c7396dc43799418d43e04ed46", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code 
window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libs/quickjs/quickjs-2025-04-26/qjs.c", "duplicate_line": 169, "correlation_key": "fp|290caa84816163fbda34a88837cd8f4c0982276c7396dc43799418d43e04ed46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/quickjs/quickjs-2025-04-26/qjsc.c"}, "region": {"startLine": 357}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 128768, "scanner": "repobility-threat-engine", "fingerprint": "6674408339bdccb592a5c7f83510575ef45fed3febefd7a7b2e0fd25b5f82a41", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\">> Save \" + keptCount + \" Stem\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6674408339bdccb592a5c7f83510575ef45fed3febefd7a7b2e0fd25b5f82a41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/shadow/shadow_ui_tools.mjs"}, "region": {"startLine": 308}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by 
concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 128767, "scanner": "repobility-threat-engine", "fingerprint": "17e515eea69d086bb8f7e612e90acdd34b9539965cb1ba0bc6698b57630ae501", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'RNBO Runner init: resuming=' + resuming +\n                     ' host_file_exists='", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|17e515eea69d086bb8f7e612e90acdd34b9539965cb1ba0bc6698b57630ae501"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/overtake/rnbo-runner/ui.js"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 128766, "scanner": "repobility-threat-engine", "fingerprint": "a5f97d50b4f5415602a67dd7aedb654dcc2c1a1742cdf07d14adf43af214fc38", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "' chapters, ' + leaves + ' leaf topics'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a5f97d50b4f5415602a67dd7aedb654dcc2c1a1742cdf07d14adf43af214fc38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/fetch_move_manual.sh"}, "region": {"startLine": 121}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `resolve_inputs` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=3, for=2, if=3, nested_bonus=3."}, "properties": {"repobilityId": 128759, "scanner": "repobility-threat-engine", "fingerprint": "5ace63926ec1f67484e98ae9cf53d3f13be535e4b58ea4f1f5de9eaf8ae16b4c", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 11 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "resolve_inputs", "breakdown": {"if": 3, "for": 2, "continue": 3, "nested_bonus": 3}, "complexity": 11, "correlation_key": "fp|5ace63926ec1f67484e98ae9cf53d3f13be535e4b58ea4f1f5de9eaf8ae16b4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/analyze_wavs.py"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 128779, "scanner": "repobility-threat-engine", "fingerprint": "17846a18d883e6ebae7c2df6b555d4cdf1f1f89378221812ea05157574071f22", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|17846a18d883e6ebae7c2df6b555d4cdf1f1f89378221812ea05157574071f22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/tools/config-test/ui.js"}, "region": {"startLine": 108}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing 
value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 128777, "scanner": "repobility-threat-engine", "fingerprint": "4551832245269152708f58ce8ec33636023a3d4cef96062fa2275d22614a9f7c", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "print(2, 15, `K1 Vel:${padConfig.velocityThreshold}`, 1)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|src/modules/text-test/ui.js|7|print 2 15 k1 vel: padconfig.velocitythreshold 1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/text-test/ui.js"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 128774, "scanner": "repobility-threat-engine", "fingerprint": "fbd987a0105d48441ae0a7cd59c8794caa2153bc894a85665937011a4ffdf858", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fbd987a0105d48441ae0a7cd59c8794caa2153bc894a85665937011a4ffdf858"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/tools/wav-player/wav_player.c"}, "region": {"startLine": 198}}}]}, 
{"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 128773, "scanner": "repobility-threat-engine", "fingerprint": "25568aa2f8c0f1ca3c41788e7f16dcfdb427c1ab69e2aa3bb4917008b39eacba", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|25568aa2f8c0f1ca3c41788e7f16dcfdb427c1ab69e2aa3bb4917008b39eacba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/tools/seq-test/dsp/seq-test.c"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 128772, "scanner": "repobility-threat-engine", "fingerprint": "baad8cf16f9b1e3e4dcb167c7e56fdfc272cf9fcd639bc0dee4b651b8b70607c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|baad8cf16f9b1e3e4dcb167c7e56fdfc272cf9fcd639bc0dee4b651b8b70607c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/midi_fx/velocity_scale/dsp/velocity_scale.c"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 128770, "scanner": "repobility-threat-engine", "fingerprint": "6f03f13afc5eb2b07b3a5e1e448e246ca2f54d54bf8440b10d56348bd2adce5b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6f03f13afc5eb2b07b3a5e1e448e246ca2f54d54bf8440b10d56348bd2adce5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/host/lfo_common.h"}, "region": {"startLine": 123}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 128761, "scanner": "repobility-threat-engine", "fingerprint": "33f8a11bb9950391724aaaf564313c9967d2e5a2c97736723f8a42124b41d155", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 6, "for": 3, "except": 1, "continue": 1, "nested_bonus": 7}, "aggregated": true, "complexity": 18, "correlation_key": "fp|33f8a11bb9950391724aaaf564313c9967d2e5a2c97736723f8a42124b41d155", "aggregated_count": 1}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 128757, "scanner": "repobility-threat-engine", "fingerprint": "8c3560525de975a9c202cd1b69e7b70cd2e798d159e8cb8d425d4f011026e437", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8c3560525de975a9c202cd1b69e7b70cd2e798d159e8cb8d425d4f011026e437", "aggregated_count": 1}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 128756, "scanner": "repobility-threat-engine", "fingerprint": "6d8053d86ddc5515fd5784edba9b299035faa90fc82fbc679f107d4aba91e28b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d8053d86ddc5515fd5784edba9b299035faa90fc82fbc679f107d4aba91e28b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/overtake/rnbo-runner/ui.js"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 128755, "scanner": "repobility-threat-engine", "fingerprint": "8893b7bea1cc6db69f8194bf824299e29572870332ddeb5ae6f01e63af34eb4c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8893b7bea1cc6db69f8194bf824299e29572870332ddeb5ae6f01e63af34eb4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/controller/ui.js"}, "region": {"startLine": 326}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 128754, "scanner": "repobility-threat-engine", "fingerprint": "5de949f0de068f17e1387ffafd95571488eafea9d2d558801abfef16968f12aa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5de949f0de068f17e1387ffafd95571488eafea9d2d558801abfef16968f12aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "schwung-manager/static/schwung-remote-api.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v1`: `uses: softprops/action-gh-release@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128823, "scanner": "repobility-supply-chain", "fingerprint": "2f056cd5b71be5c53a4d34fe8dba09aaf45228e03644f79518e764b46330a987", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2f056cd5b71be5c53a4d34fe8dba09aaf45228e03644f79518e764b46330a987"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128822, "scanner": "repobility-supply-chain", "fingerprint": "6eeddf1eff27253ce14284d5095ed76458a99c1d847087a341d58587dc39c798", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6eeddf1eff27253ce14284d5095ed76458a99c1d847087a341d58587dc39c798"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 128821, "scanner": "repobility-supply-chain", "fingerprint": "aa27a056dc8bee760ca4776b4ae2b6c5a23b955cd451fe58e0111bb27683b45c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aa27a056dc8bee760ca4776b4ae2b6c5a23b955cd451fe58e0111bb27683b45c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:bookworm` not pinned by digest: `FROM debian:bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128820, "scanner": "repobility-supply-chain", "fingerprint": "0fbdda04b7421f546143cbc514e9028f38e80ece1e9f8bda8f40d79f18bf6bb2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0fbdda04b7421f546143cbc514e9028f38e80ece1e9f8bda8f40d79f18bf6bb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 128781, "scanner": "repobility-threat-engine", "fingerprint": "67d3ace59f0ba6d55635800b32d652879b44ee6d914375d26b69c65f63514e10", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "encoderLastTime.delete(encoderId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|67d3ace59f0ba6d55635800b32d652879b44ee6d914375d26b69c65f63514e10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/shared/input_filter.mjs"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 128780, "scanner": "repobility-threat-engine", "fingerprint": "e0a0f78872fb9e3dc1759e3ddce14d9506c3be5f4a0593f7528f382bbbd071e1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e0a0f78872fb9e3dc1759e3ddce14d9506c3be5f4a0593f7528f382bbbd071e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/shared/filepath_browser.mjs"}, "region": {"startLine": 175}}}]}, {"ruleId": 
"SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 128778, "scanner": "repobility-threat-engine", "fingerprint": "9828c5e78faff499bc57f3ee54c27dcead2c8caa88dd80174377a95b04106f55", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "print(2, y,     \"secret bytes: \" + secretLen, 1)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|10|print 2 y secret bytes: + secretlen 1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/tools/config-test/ui.js"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... 
| sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 128769, "scanner": "repobility-threat-engine", "fingerprint": "e9ac543486f066f34e152419733d48fb21fb9f6a38889d4c03fb4a5cf3462219", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e9ac543486f066f34e152419733d48fb21fb9f6a38889d4c03fb4a5cf3462219"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/uninstall.sh"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 128765, "scanner": "repobility-threat-engine", "fingerprint": "6102049703b8e2e3b564036744d6d3ca758b782c8d849cfe438a8c376ded6a9a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(content", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6102049703b8e2e3b564036744d6d3ca758b782c8d849cfe438a8c376ded6a9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/shared/parse_move_manual.mjs"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 128764, "scanner": "repobility-threat-engine", "fingerprint": "d0386cfb6eeeff64f0202edd7e05e7248ab07e8e23dd61a6229d9437525380c8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(content", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d0386cfb6eeeff64f0202edd7e05e7248ab07e8e23dd61a6229d9437525380c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/fetch_move_manual.sh"}, "region": {"startLine": 86}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `migrate_module` has cognitive complexity 72 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: elif=2, else=5, for=6, if=11, nested_bonus=48."}, "properties": {"repobilityId": 128760, "scanner": "repobility-threat-engine", "fingerprint": "17b17cedbc1dad0a6aeb4637f584c8deec4a5df1609b5fec85ba082e7b6d2452", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 72 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "migrate_module", "breakdown": {"if": 11, "for": 6, "elif": 2, "else": 5, "nested_bonus": 48}, "complexity": 72, "correlation_key": "fp|17b17cedbc1dad0a6aeb4637f584c8deec4a5df1609b5fec85ba082e7b6d2452"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/migrate-module-params.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. 
Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 128753, "scanner": "repobility-threat-engine", "fingerprint": "aaef6f08127a3781b7374d4b312c20d9487a32bab2c37ebcd79b71d85d28198f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.Command(heal)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aaef6f08127a3781b7374d4b312c20d9487a32bab2c37ebcd79b71d85d28198f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "schwung-manager/self_heal.go"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat don't bounds-check; use strncpy or snprintf (note that strncpy does not NUL-terminate when the source fills the buffer, so set the terminator explicitly)."}, "properties": {"repobilityId": 128771, "scanner": "repobility-threat-engine", "fingerprint": "58c47932744bb6ee3b47af0c1447018a3f65b1caa3e9fdcfe2d0fcf0fbef093e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|58c47932744bb6ee3b47af0c1447018a3f65b1caa3e9fdcfe2d0fcf0fbef093e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/audio_fx/freeverb/freeverb.c"}, "region": {"startLine": 310}}}]}]}]}