{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. 
Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED081", "name": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr.", "shortDescription": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED048", "name": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues.", "shortDescription": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 77 more): Same pattern found in 77 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 77 more): Same pattern found in 77 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED085", "name": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM.", "shortDescription": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1075 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `spine-libgdx/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `spine-libgdx/gradle/w", "shortDescription": {"text": "[MINED134] Binary file `spine-libgdx/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `spine-libgdx/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (63,721 bytes) committed to a repo that otherwise has 1543 source files. Tro"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v3` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `spine-c-codegen` pulled from URL/Git: `dependencies.spine-c-codegen` = `file:../../spine-c/", "shortDescription": {"text": "[MINED122] package.json dep `spine-c-codegen` pulled from URL/Git: `dependencies.spine-c-codegen` = `file:../../spine-c/codegen` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git "}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images shou"}, "fullDescription": {"text": "Replace with: `FROM ubuntu:24.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. 
Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.send_header` used but never assigned in __init__: Method `end_headers` of class `GodotWebServer` reads ", "shortDescription": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `end_headers` of class `GodotWebServer` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError"}, "fullDescription": {"text": "Initialize `self.send_header = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-705 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC024", "name": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default.", "shortDescription": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. 
An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of servic"}, "fullDescription": {"text": "Disable DTDs and external entities before parsing:\n  factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n  factory.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n  factory.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n  factory.setXIncludeAware(false);\nOr set FEATURE_SECURE_PROCESSING on the factory."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED022", "name": "[MINED022] C Strcpy: strcpy/strcat don't bounds-check; use strncpy or snprintf.", "shortDescription": {"text": "[MINED022] C Strcpy: strcpy/strcat don't bounds-check; use strncpy or snprintf."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-120 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1072"}, "properties": {"repository": "EsotericSoftware/spine-runtimes", "repoUrl": "https://github.com/EsotericSoftware/spine-runtimes", "branch": "4.3"}, "results": [{"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 105484, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 105483, "scanner": "repobility-docker", "fingerprint": "076f90cad92a888598ff37f136668c8eb4b6ac4777d5517c68a561c18d412848", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:24.04", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], 
"correlation_key": "fp|076f90cad92a888598ff37f136668c8eb4b6ac4777d5517c68a561c18d412848"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 105436, "scanner": "repobility-threat-engine", "fingerprint": "940430df2ef66501ebb9ab3fac0af0d6a87e5c4444459b4a5e4e216886e4f242", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "entry.GetName()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|24|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-godot/example-v4-csharp/examples/03-mix-and-match/MixAndMatch.cs"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 105402, "scanner": "repobility-threat-engine", "fingerprint": "1e8f88b2a14ce72f171ec2da8e802f839f5077ef99a462866e717aa057ceed17", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|spine-ts/publish.sh|62|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ts/publish.sh"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 105401, "scanner": "repobility-threat-engine", "fingerprint": "6dde955de046b074b61cb19e33ffa8c8b51107cc8a26756dc40eb067e162e110", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. 
token|30|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pi/extensions/prompt-url-widget.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 105400, "scanner": "repobility-threat-engine", "fingerprint": "3135fca7bc5189173a76e372ea59f975db640d195a0778c76c9cb35b551a5fd9", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|.pi/extensions/diff.ts|28|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pi/extensions/diff.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 105482, "scanner": "repobility-docker", "fingerprint": "975190cb87c6ed126d771b56db396e8c347485591529dccf6391500f50ca5742", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|975190cb87c6ed126d771b56db396e8c347485591529dccf6391500f50ca5742"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105481, "scanner": "repobility-ai-code-hygiene", "fingerprint": "88fc63d591f34c72696327384f9352194629620739b845d9c0b6b7d361d1d9d8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-libgdx/spine-libgdx-tests/src/com/esotericsoftware/spine/FboTest.java", "duplicate_line": 17, "correlation_key": "fp|88fc63d591f34c72696327384f9352194629620739b845d9c0b6b7d361d1d9d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-libgdx/spine-libgdx-tests/src/com/esotericsoftware/spine/PngExportTest.java"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105480, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d68cd957ea0f8b1f7da1323ef0b40697aba30938212f71e4c3c3d518bac30568", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-libgdx/spine-libgdx-tests/src/com/esotericsoftware/spine/PhysicsTest.java", "duplicate_line": 10, "correlation_key": 
"fp|d68cd957ea0f8b1f7da1323ef0b40697aba30938212f71e4c3c3d518bac30568"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-libgdx/spine-libgdx-tests/src/com/esotericsoftware/spine/PhysicsTest4.java"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105479, "scanner": "repobility-ai-code-hygiene", "fingerprint": "85d96b4077cb051ac865fb3a56234f2e258355d51896cd59fc78af1be1a9ba5a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-libgdx/spine-libgdx-tests/src/com/esotericsoftware/spine/PhysicsTest.java", "duplicate_line": 10, "correlation_key": "fp|85d96b4077cb051ac865fb3a56234f2e258355d51896cd59fc78af1be1a9ba5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-libgdx/spine-libgdx-tests/src/com/esotericsoftware/spine/PhysicsTest3.java"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105478, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ae1330c6e553be387e3f8ebe661036990bcc05f36a580211bfc16bf21416705d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-libgdx/spine-libgdx-tests/src/com/esotericsoftware/spine/PhysicsTest.java", 
"duplicate_line": 34, "correlation_key": "fp|ae1330c6e553be387e3f8ebe661036990bcc05f36a580211bfc16bf21416705d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-libgdx/spine-libgdx-tests/src/com/esotericsoftware/spine/PhysicsTest2.java"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105477, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8fd411d3bc9d13b3c76c782b20e5c648ce656e7f209e4157af2865c261faf736", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-libgdx/spine-libgdx-tests/src/com/esotericsoftware/spine/AnimationStateTests.java", "duplicate_line": 22, "correlation_key": "fp|8fd411d3bc9d13b3c76c782b20e5c648ce656e7f209e4157af2865c261faf736"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-libgdx/spine-libgdx-tests/src/com/esotericsoftware/spine/BonePlotting.java"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105476, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2765498f12a837601ca48477233dbd9069a937a896e1e831c40b9083019d78ca", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"spine-godot/spine_godot/SpineIkConstraint.cpp", "duplicate_line": 24, "correlation_key": "fp|2765498f12a837601ca48477233dbd9069a937a896e1e831c40b9083019d78ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-godot/spine_godot/SpineTransformConstraint.cpp"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105475, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ceea7a400cd58229c81f15fbc299d4471eefcadc1e8f4c2990447cc844a53812", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-godot/spine_godot/SpineIkConstraint.cpp", "duplicate_line": 24, "correlation_key": "fp|ceea7a400cd58229c81f15fbc299d4471eefcadc1e8f4c2990447cc844a53812"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-godot/spine_godot/SpinePathConstraint.cpp"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105474, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6eb10ebfc8c170ba4bc982441a8f3386f2cefdb598716041f09914ddbf5eb86a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-godot/spine_godot/SpineBoneLocal.h", "duplicate_line": 13, "correlation_key": 
"fp|6eb10ebfc8c170ba4bc982441a8f3386f2cefdb598716041f09914ddbf5eb86a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-godot/spine_godot/SpineBonePose.h"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105473, "scanner": "repobility-ai-code-hygiene", "fingerprint": "59877b29b4d139541a1f91250ddc4429b39a4d59dbdf34fed42d354912630965", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-cpp/src/spine/SkeletonClipping.cpp", "duplicate_line": 439, "correlation_key": "fp|59877b29b4d139541a1f91250ddc4429b39a4d59dbdf34fed42d354912630965"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-csharp/src/SkeletonClipping.cs"}, "region": {"startLine": 428}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105472, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f1a6d74175756daf32640fd9d8cf6b3d5e3b0d0968552fa7ba1e1b6e2fb34c65", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-cpp/src/spine/IkConstraint.cpp", "duplicate_line": 124, "correlation_key": "fp|f1a6d74175756daf32640fd9d8cf6b3d5e3b0d0968552fa7ba1e1b6e2fb34c65"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "spine-csharp/src/IkConstraint.cs"}, "region": {"startLine": 127}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105471, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e77f4b7594b48b6160c37f136af1574fbf5fef53288905b8d2f3de6c0a80ab01", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-csharp/src/ColorMono.cs", "duplicate_line": 37, "correlation_key": "fp|e77f4b7594b48b6160c37f136af1574fbf5fef53288905b8d2f3de6c0a80ab01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-csharp/src/ColorUnity.cs"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105470, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0be0fbde362dcdaf74dcd53c5e25629d8aa73147b21e7bfd0ae312c9df0e13a6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-csharp/src/ColorMono.cs", "duplicate_line": 23, "correlation_key": "fp|0be0fbde362dcdaf74dcd53c5e25629d8aa73147b21e7bfd0ae312c9df0e13a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-csharp/src/ColorOther.cs"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block 
across source files"}, "properties": {"repobilityId": 105469, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1bdb0560aa5540cfabc39c01a38103233bfba7cb15ebc62cb4f4e37071737bfd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-cpp/src/spine/RegionAttachment.cpp", "duplicate_line": 145, "correlation_key": "fp|1bdb0560aa5540cfabc39c01a38103233bfba7cb15ebc62cb4f4e37071737bfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-csharp/src/Attachments/RegionAttachment.cs"}, "region": {"startLine": 104}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105468, "scanner": "repobility-ai-code-hygiene", "fingerprint": "414470504b3a7106773f23d068619a43ac56e0ee420537e53183f27c1292476f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-cpp/src/spine/ShearTimeline.cpp", "duplicate_line": 35, "correlation_key": "fp|414470504b3a7106773f23d068619a43ac56e0ee420537e53183f27c1292476f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-cpp/src/spine/TranslateTimeline.cpp"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105467, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"44c1e82d6842d80cb0c8ef35f27f68e8c55ed27a33a1d8b30d5aecba2d0ec417", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-cpp/src/spine/ScaleTimeline.cpp", "duplicate_line": 16, "correlation_key": "fp|44c1e82d6842d80cb0c8ef35f27f68e8c55ed27a33a1d8b30d5aecba2d0ec417"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-cpp/src/spine/TranslateTimeline.cpp"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105466, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b93352f68ba7f7ca307e1b6f2dccc6b2266111dd283476f643f5d3554c23ade", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-cpp/src/spine/ScaleTimeline.cpp", "duplicate_line": 16, "correlation_key": "fp|6b93352f68ba7f7ca307e1b6f2dccc6b2266111dd283476f643f5d3554c23ade"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-cpp/src/spine/ShearTimeline.cpp"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105465, "scanner": "repobility-ai-code-hygiene", "fingerprint": "06066d9d1736d66c52f02e2a3303cd539260f40dff04379b681c4fa2572f4749", "category": "quality", "severity": "low", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-cpp/include/spine/BoneLocal.h", "duplicate_line": 20, "correlation_key": "fp|06066d9d1736d66c52f02e2a3303cd539260f40dff04379b681c4fa2572f4749"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-cpp/include/spine/TransformConstraintPose.h"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105464, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cda06cc3828f6a554dda754947a90ae7fe96ed49e2cec69311f6b560da85d18b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-cpp/include/spine/Slot.h", "duplicate_line": 13, "correlation_key": "fp|cda06cc3828f6a554dda754947a90ae7fe96ed49e2cec69311f6b560da85d18b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-cpp/include/spine/SlotData.h"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105463, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c93a0097a3923bf0e6fb65c03b03fe5debd0ea53a9636014a5ee2b1d05d814b0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different 
non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-cpp/include/spine/Animation.h", "duplicate_line": 11, "correlation_key": "fp|c93a0097a3923bf0e6fb65c03b03fe5debd0ea53a9636014a5ee2b1d05d814b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-cpp/include/spine/SlotData.h"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105462, "scanner": "repobility-ai-code-hygiene", "fingerprint": "388fdee2a70a8b00efef1ba1e8f5c77645d50da216f8befe66d9d9f4296bdd98", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-cpp/include/spine/Animation.h", "duplicate_line": 11, "correlation_key": "fp|388fdee2a70a8b00efef1ba1e8f5c77645d50da216f8befe66d9d9f4296bdd98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-cpp/include/spine/Slot.h"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105461, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4af30e2ad8fc1855d3a4474945a26f784bc074bf2ca63f4df126b8860c866309", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "spine-cpp/include/spine/Posed.h", "duplicate_line": 34, "correlation_key": "fp|4af30e2ad8fc1855d3a4474945a26f784bc074bf2ca63f4df126b8860c866309"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-cpp/include/spine/PosedData.h"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105460, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b1125c7749b32403d4c3f7b073aff09c2e8227cdd7f21fd9e745979545a0695", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-cpp/include/spine/Bone.h", "duplicate_line": 14, "correlation_key": "fp|6b1125c7749b32403d4c3f7b073aff09c2e8227cdd7f21fd9e745979545a0695"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-cpp/include/spine/PosedData.h"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105459, "scanner": "repobility-ai-code-hygiene", "fingerprint": "23bc25c4d1010aa50fa393a6986b063e4b1f7ba0842a68cbfae401bca8826f36", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-cpp/include/spine/Bone.h", "duplicate_line": 12, "correlation_key": 
"fp|23bc25c4d1010aa50fa393a6986b063e4b1f7ba0842a68cbfae401bca8826f36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-cpp/include/spine/Posed.h"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105458, "scanner": "repobility-ai-code-hygiene", "fingerprint": "358f9c166cdb7f90ce8b7952086dd278ca047936e40091e072e3b70e6c8d93d6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-cpp/include/spine/Debug.h", "duplicate_line": 65, "correlation_key": "fp|358f9c166cdb7f90ce8b7952086dd278ca047936e40091e072e3b70e6c8d93d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-cpp/include/spine/HashMap.h"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105457, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ef35f2d296fbc192d55deb7c515256cae5e9e45d20703b65914e435d384796f4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spine-android/app/src/main/java/com/esotericsoftware/spine/IKFollowing.kt", "duplicate_line": 61, "correlation_key": "fp|ef35f2d296fbc192d55deb7c515256cae5e9e45d20703b65914e435d384796f4"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "spine-android/app/src/main/java/com/esotericsoftware/spine/Physics.kt"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 105453, "scanner": "repobility-threat-engine", "fingerprint": "9f0ae61aaa04027c44af1e8107ceb8fa141d2efd1f0914a350f65eab529637c6", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = d", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|97|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ts/spine-player/src/PlayerEditor.ts"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 105415, "scanner": "repobility-threat-engine", "fingerprint": "df1a2f8af7f31167c18d678d920268897e7f898640fe2e3b66c65bf96c5c305e", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Region not found in atlas: \" + path + \" (attachment: \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|df1a2f8af7f31167c18d678d920268897e7f898640fe2e3b66c65bf96c5c305e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-libgdx/spine-libgdx/src/com/esotericsoftware/spine/attachments/AtlasAttachmentLoader.java"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 105414, "scanner": "repobility-threat-engine", "fingerprint": "8c39ae743971f54fa63d0ea080e0ac6f137f0b2ea17ff168300a42325b30bab8", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Region not found in atlas: \" + path + \" (attachment: \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8c39ae743971f54fa63d0ea080e0ac6f137f0b2ea17ff168300a42325b30bab8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-android/spine-android/src/main/java/com/esotericsoftware/spine/android/AndroidAtlasAttachmentLoader.java"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 105413, "scanner": "repobility-threat-engine", "fingerprint": "db7a8dd0eb12b0c17187cfdcbe6e03981adaee700c697e09534ba902ee522f92", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Formatting complete: \" + changedCount + \" files changed, \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|db7a8dd0eb12b0c17187cfdcbe6e03981adaee700c697e09534ba902ee522f92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "formatters/eclipse-formatter/src/main/java/com/esotericsoftware/spine/formatter/EclipseFormatter.java"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 105452, "scanner": "repobility-threat-engine", "fingerprint": "77c15976f0768a666e6053652fdae4975605bc47b9aed04f29b3262667fd5d8b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|77c15976f0768a666e6053652fdae4975605bc47b9aed04f29b3262667fd5d8b", "aggregated_count": 5}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 105451, "scanner": "repobility-threat-engine", "fingerprint": "a0738767a13ec8bdebe7251f9abf699b26b660097d4bf71977a1108a4048036d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a0738767a13ec8bdebe7251f9abf699b26b660097d4bf71977a1108a4048036d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ts/spine-pixi-v7/src/assets/AtlasLoader.ts"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 105450, "scanner": "repobility-threat-engine", "fingerprint": "6176d37de4321474ba72e43889f9dfaf68582297ac58ee5b8cc8bcef9947c1d3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6176d37de4321474ba72e43889f9dfaf68582297ac58ee5b8cc8bcef9947c1d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ts/spine-core/src/Texture.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 105449, "scanner": "repobility-threat-engine", "fingerprint": "805bed90f53b1dfcc062cdac755d0a9a47df9f6cf19c9b5359926744e0a3293a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|805bed90f53b1dfcc062cdac755d0a9a47df9f6cf19c9b5359926744e0a3293a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ts/spine-core/src/SkeletonRendererCore.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 105448, "scanner": "repobility-threat-engine", "fingerprint": "90e362140b3866d3dde8a0b6f82265c37c04ba196167c3d2b3ae3d096ee15566", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|90e362140b3866d3dde8a0b6f82265c37c04ba196167c3d2b3ae3d096ee15566", "aggregated_count": 7}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 105447, "scanner": "repobility-threat-engine", "fingerprint": "2a5ec6bd838a8dcfec55bd8a1f67775ad09c6f3d24076188d786c975fd7f5dc0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2a5ec6bd838a8dcfec55bd8a1f67775ad09c6f3d24076188d786c975fd7f5dc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ts/spine-phaser-v3/src/mixins.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 105446, "scanner": "repobility-threat-engine", "fingerprint": "04c605892bada218183a8cff86f2c874e00a6df985ead5c3bee46928d28fb1ed", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|04c605892bada218183a8cff86f2c874e00a6df985ead5c3bee46928d28fb1ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ts/spine-phaser-v3/src/index.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 105445, "scanner": "repobility-threat-engine", "fingerprint": "c5b7b7bb6f7c6fd2821b348ffc3946b6965aa0c06a5ed5c7f9d85264d9af525e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c5b7b7bb6f7c6fd2821b348ffc3946b6965aa0c06a5ed5c7f9d85264d9af525e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ts/spine-canvaskit/src/index.ts"}, "region": {"startLine": 265}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 7 more): Same pattern found in 7 additional files. 
Review if needed."}, "properties": {"repobilityId": 105444, "scanner": "repobility-threat-engine", "fingerprint": "53d0d55f0ce05bf89db2db74d074a0af0d2e2f55e7abb4083cb8de8c90e785f6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|53d0d55f0ce05bf89db2db74d074a0af0d2e2f55e7abb4083cb8de8c90e785f6", "aggregated_count": 7}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 105443, "scanner": "repobility-threat-engine", "fingerprint": "ebb5fdf073d226f293f85487e7dfa6e95a522b0ff793bedebe1cd45749e8ffe5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ebb5fdf073d226f293f85487e7dfa6e95a522b0ff793bedebe1cd45749e8ffe5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ts/spine-core/src/SkeletonRendererCore.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 105442, "scanner": "repobility-threat-engine", "fingerprint": "b54598c86377468c4ceab93fcd2a63322bcc89bc3fafaa68312fa94662ed67a2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b54598c86377468c4ceab93fcd2a63322bcc89bc3fafaa68312fa94662ed67a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ts/spine-core/src/IkConstraint.ts"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 105441, "scanner": "repobility-threat-engine", "fingerprint": "f5889fc2dbde8401e47f4563f0b89d43e6042160b6e44a7d23f8641d2f229be0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f5889fc2dbde8401e47f4563f0b89d43e6042160b6e44a7d23f8641d2f229be0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ts/spine-canvas/src/SkeletonRenderer.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 105440, "scanner": "repobility-threat-engine", "fingerprint": "5cd92d7f6c97bdfd798d116b3cf8eb0d77a6afbc716ee36d76938eb31979c074", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5cd92d7f6c97bdfd798d116b3cf8eb0d77a6afbc716ee36d76938eb31979c074"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"spine-libgdx/spine-skeletonviewer/src/com/esotericsoftware/spine/SkeletonViewerAtlas.java"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 105439, "scanner": "repobility-threat-engine", "fingerprint": "5d3d345cc2e0ab5e6b46660cc38bbd2219e83230f42aa878d837cb817ee690a4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5d3d345cc2e0ab5e6b46660cc38bbd2219e83230f42aa878d837cb817ee690a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ios/Example/Spine iOS Example/SimpleAnimationViewController.m"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 105437, "scanner": "repobility-threat-engine", "fingerprint": "63be71eef64d4224d5997b9f7ff46ba471b00363894ea0a8ffff8152ac479adb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, 
"observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|63be71eef64d4224d5997b9f7ff46ba471b00363894ea0a8ffff8152ac479adb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-godot/spine_godot/config.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 105434, "scanner": "repobility-threat-engine", "fingerprint": "2d0677d09afb5e514e6b4dfddf9df0427d880a43e5c6e02440beb52222931198", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2d0677d09afb5e514e6b4dfddf9df0427d880a43e5c6e02440beb52222931198", "aggregated_count": 10}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 105433, "scanner": "repobility-threat-engine", "fingerprint": "d5afc5f2c0571470819cc7e00a247ed9666be74ffb8b197ac5f47d02ea00e5ea", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, 
"cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d5afc5f2c0571470819cc7e00a247ed9666be74ffb8b197ac5f47d02ea00e5ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-glfw/example/dragon-json.cpp"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 105432, "scanner": "repobility-threat-engine", "fingerprint": "e98b5ddbb40a6d25291fe33446e351e7cc6f3f116f21514ca9a4ef1c0a94277c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e98b5ddbb40a6d25291fe33446e351e7cc6f3f116f21514ca9a4ef1c0a94277c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-flutter/example/windows/runner/win32_window.cpp"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 105431, "scanner": "repobility-threat-engine", "fingerprint": "2d40699812672e9435f800e701110be33cb1dad37a1d66f2d42e6a5ea569156f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2d40699812672e9435f800e701110be33cb1dad37a1d66f2d42e6a5ea569156f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-cpp/include/spine/Debug.h"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 105430, "scanner": "repobility-threat-engine", "fingerprint": "821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 105426, "scanner": "repobility-threat-engine", "fingerprint": "1130471c3d8b6a1045d90de63245d2880dee414c45e7a18c4db815893370e4cc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1130471c3d8b6a1045d90de63245d2880dee414c45e7a18c4db815893370e4cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-unity/Assets/Spine/Runtime/spine-unity/Components/Following/BoundingBoxFollowerGraphic.cs"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 105425, "scanner": "repobility-threat-engine", "fingerprint": "db74385fb96f4b8e9240d436ccdf3ec175e240a50088ab76de326079993c9ac7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 
0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|db74385fb96f4b8e9240d436ccdf3ec175e240a50088ab76de326079993c9ac7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-unity/Assets/Spine/Runtime/spine-unity/Components/Following/BoundingBoxFollower.cs"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 105424, "scanner": "repobility-threat-engine", "fingerprint": "ccc52bbbd29a1aebe4239b9479b5cf2c56ada0afc111db8fcd45048dce9f5f77", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ccc52bbbd29a1aebe4239b9479b5cf2c56ada0afc111db8fcd45048dce9f5f77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-android/spine-android/build.gradle.kts"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 77 more): Same pattern found in 77 additional files. 
Review if needed."}, "properties": {"repobilityId": 105423, "scanner": "repobility-threat-engine", "fingerprint": "f782745cac562958fa86b276a00134adda220f4c9b404539b6ed09e05f10711c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 77 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 77 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f782745cac562958fa86b276a00134adda220f4c9b404539b6ed09e05f10711c"}}}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 105419, "scanner": "repobility-threat-engine", "fingerprint": "5087b1418007deaf97c8daa9a54a100058c10f6aa2af0e551d6896961c832ac9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5087b1418007deaf97c8daa9a54a100058c10f6aa2af0e551d6896961c832ac9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-libgdx/spine-skeletonviewer/src/com/esotericsoftware/spine/JsonRollback.java"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole 
JVM."}, "properties": {"repobilityId": 105418, "scanner": "repobility-threat-engine", "fingerprint": "fe1e6c2481ecb731849bf86f39acc572e04e1391106ef6ed0e5e0418818afb82", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fe1e6c2481ecb731849bf86f39acc572e04e1391106ef6ed0e5e0418818afb82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-libgdx/spine-libgdx-tests/src/com/esotericsoftware/spine/EventTimelineTests.java"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 105417, "scanner": "repobility-threat-engine", "fingerprint": "0e31453d6bb97ec1172d0d940b314d77fae78ac3aed874e255fa711a5d803a09", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0e31453d6bb97ec1172d0d940b314d77fae78ac3aed874e255fa711a5d803a09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"formatters/eclipse-formatter/src/main/java/com/esotericsoftware/spine/formatter/EclipseFormatter.java"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 105416, "scanner": "repobility-threat-engine", "fingerprint": "0a93f04a20a5455ea1d5583f76d6ecf7b16d6848f2b1fa2649ea0d3237642e97", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0a93f04a20a5455ea1d5583f76d6ecf7b16d6848f2b1fa2649ea0d3237642e97"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 105411, "scanner": "repobility-threat-engine", "fingerprint": "4b3d1f5da7bc76208217d4630f94b5c604a37c1b24cbe552082771023e8fad2d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4b3d1f5da7bc76208217d4630f94b5c604a37c1b24cbe552082771023e8fad2d", "aggregated_count": 3}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 105410, "scanner": "repobility-threat-engine", "fingerprint": "d227a2ded9c65438cfcc3645936656de2e77e28375f38ddf27964445e55c9945", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d227a2ded9c65438cfcc3645936656de2e77e28375f38ddf27964445e55c9945"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ts/scripts/format.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 105409, "scanner": "repobility-threat-engine", "fingerprint": "5729467f5c2cb688dd9fddfeae36eaff5abc98d6fcc30d9db2f55cb82d78d342", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5729467f5c2cb688dd9fddfeae36eaff5abc98d6fcc30d9db2f55cb82d78d342"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ts/main.mjs"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 105408, "scanner": "repobility-threat-engine", "fingerprint": "640723d404d559cbdf6c842fde589eabe560e0b8525b4e8877941aac9f6d274a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|640723d404d559cbdf6c842fde589eabe560e0b8525b4e8877941aac9f6d274a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pi/skills/forum/fetch.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 105407, "scanner": "repobility-threat-engine", "fingerprint": "4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 105403, "scanner": "repobility-threat-engine", "fingerprint": "b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4"}}}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `spine-libgdx/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `spine-libgdx/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (63,721 bytes) committed to a repo that otherwise has 1543 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 105520, "scanner": "repobility-supply-chain", "fingerprint": "79b8057902b08028ee01bcaa9647f775f74131daaf801d9a74378870ae56487c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|79b8057902b08028ee01bcaa9647f775f74131daaf801d9a74378870ae56487c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-libgdx/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `spine-android/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `spine-android/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (59,203 bytes) committed to a repo that otherwise has 1543 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 105519, "scanner": "repobility-supply-chain", "fingerprint": "9f055007f08f21f46f91ea1c14848eb7fe4a96adafb5043f1d0eb3770c47dcc6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9f055007f08f21f46f91ea1c14848eb7fe4a96adafb5043f1d0eb3770c47dcc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-android/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105518, "scanner": "repobility-supply-chain", "fingerprint": "0fcce2ca018b0278ba2c59a52ed5790e05fb50446acbf668405a0c854d6535e5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0fcce2ca018b0278ba2c59a52ed5790e05fb50446acbf668405a0c854d6535e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spine-godot-v4.yml"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105517, "scanner": "repobility-supply-chain", "fingerprint": "51dd41b134aa935551e4d16def7e389893611938ef22e34bfdf56c6b7111354b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|51dd41b134aa935551e4d16def7e389893611938ef22e34bfdf56c6b7111354b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spine-godot-v4.yml"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105516, "scanner": "repobility-supply-chain", "fingerprint": "8251842fa1ac81f6269de256a49cb3b664ea3637f4fa263ecacedc9dbf6cceab", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8251842fa1ac81f6269de256a49cb3b664ea3637f4fa263ecacedc9dbf6cceab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spine-godot-v4.yml"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105515, "scanner": "repobility-supply-chain", "fingerprint": "dd8bdd449458340d47dd8d80fa57fcb66e5ff10095f16b4a7b14f4c78e8ab5c1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dd8bdd449458340d47dd8d80fa57fcb66e5ff10095f16b4a7b14f4c78e8ab5c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spine-godot-v4.yml"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105514, "scanner": "repobility-supply-chain", "fingerprint": "60e7189cc8d03978ed9fdad8669d5d9ff63e0c3d32306f01a8b0450bd2e65910", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|60e7189cc8d03978ed9fdad8669d5d9ff63e0c3d32306f01a8b0450bd2e65910"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spine-godot-v4.yml"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105513, "scanner": "repobility-supply-chain", "fingerprint": "69535bc1328c5af82668054405d8f9c66155dccb08b6af573f10bb3dd1804baa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|69535bc1328c5af82668054405d8f9c66155dccb08b6af573f10bb3dd1804baa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spine-godot-v4.yml"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105512, "scanner": "repobility-supply-chain", "fingerprint": "3f421a787c6435df9bab8f5d789cfed07680d6c92027613f6ff0888c71803c21", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3f421a787c6435df9bab8f5d789cfed07680d6c92027613f6ff0888c71803c21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spine-godot-v4.yml"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105511, "scanner": "repobility-supply-chain", "fingerprint": "be33e4127db792edeb75077bb9d90de80d42abd827323ce78cd4e0ad54cf84bc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be33e4127db792edeb75077bb9d90de80d42abd827323ce78cd4e0ad54cf84bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spine-godot-v4.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105510, "scanner": "repobility-supply-chain", "fingerprint": "3b74f8c49a7c07878225d8f16e9843203dda951e0aad61c7bb281a04d43cf5f3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3b74f8c49a7c07878225d8f16e9843203dda951e0aad61c7bb281a04d43cf5f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spine-godot-v4.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105509, "scanner": "repobility-supply-chain", "fingerprint": "55964ef243ca6607c8ff220578b35050d73c7b4bb3e5c4fc2eed5d33a13a7239", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|55964ef243ca6607c8ff220578b35050d73c7b4bb3e5c4fc2eed5d33a13a7239"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spine-godot-v4.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105508, "scanner": "repobility-supply-chain", "fingerprint": "39f200fa8ad905ada788752b5d1c23865cfb43bc7dfac7e87924791068e38963", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|39f200fa8ad905ada788752b5d1c23865cfb43bc7dfac7e87924791068e38963"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spine-godot-v4.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v3`: `uses: actions/setup-node@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105507, "scanner": "repobility-supply-chain", "fingerprint": "5ed2f5c578d186818bdd80bd23e1f206f2098d57aeb6bdbce21d9a11b80291c7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5ed2f5c578d186818bdd80bd23e1f206f2098d57aeb6bdbce21d9a11b80291c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/format-check-typescript.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105506, "scanner": "repobility-supply-chain", "fingerprint": "1db6d41b8836d05e2bf89db6b4d7fa39b044175a84f0958bc69e727f52994550", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1db6d41b8836d05e2bf89db6b4d7fa39b044175a84f0958bc69e727f52994550"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/format-check-typescript.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105505, "scanner": "repobility-supply-chain", "fingerprint": "f363c5258749302bb1f3681d892eae071976c23b6d9b8972cc8f3acb1ebe1995", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f363c5258749302bb1f3681d892eae071976c23b6d9b8972cc8f3acb1ebe1995"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/format-check-dart.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `flutter-actions/setup-flutter` pinned to mutable ref `@v4`: `uses: flutter-actions/setup-flutter@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105504, "scanner": "repobility-supply-chain", "fingerprint": "51de794b34a12b276fd256ef7dfe421bc73e63fab2cd5b4d6405e9ccf67490bc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|51de794b34a12b276fd256ef7dfe421bc73e63fab2cd5b4d6405e9ccf67490bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/format-check-dart.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105503, "scanner": "repobility-supply-chain", "fingerprint": "b4d7c16c103477cffc54a68dcd33b08399d9fa35cca7633c538df8065d7f94f9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4d7c16c103477cffc54a68dcd33b08399d9fa35cca7633c538df8065d7f94f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/format-check-dart.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105502, "scanner": "repobility-supply-chain", "fingerprint": "e8df1382dad0896e3fc19e2fc2772cd8b7c7d1325ee29f6465ef50f8bb781a60", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e8df1382dad0896e3fc19e2fc2772cd8b7c7d1325ee29f6465ef50f8bb781a60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spine-c-bindings-check.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105501, "scanner": "repobility-supply-chain", "fingerprint": "f0609f91503050ca021152be0fe8edc0c2908015984cf7ead798a4fbf76dadbf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0609f91503050ca021152be0fe8edc0c2908015984cf7ead798a4fbf76dadbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spine-c-bindings-check.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `krdlab/setup-haxe` pinned to mutable ref `@v1`: `uses: krdlab/setup-haxe@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105500, "scanner": "repobility-supply-chain", "fingerprint": "e98667caf1a3ac91705f076376bb5bd80d53c926190ceebb52efe9532e39dc07", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e98667caf1a3ac91705f076376bb5bd80d53c926190ceebb52efe9532e39dc07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/format-check-haxe.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105499, "scanner": "repobility-supply-chain", "fingerprint": "f0ee1fdd1edf378b743a022d13f29a4c0d51247d3b4e847c3f98cc02a372da3c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0ee1fdd1edf378b743a022d13f29a4c0d51247d3b4e847c3f98cc02a372da3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/format-check-haxe.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105498, "scanner": "repobility-supply-chain", "fingerprint": "8e7bb4fdf771c6e2ea81004fd1d2bbae91970cb59d638d514d09fc71a8c36f9d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8e7bb4fdf771c6e2ea81004fd1d2bbae91970cb59d638d514d09fc71a8c36f9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spine-ts.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105497, "scanner": "repobility-supply-chain", "fingerprint": "e96dd7101ddc631a85becf61e816ac980f8275f94478d52d6aae90f99b76c2d0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e96dd7101ddc631a85becf61e816ac980f8275f94478d52d6aae90f99b76c2d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spine-ts.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `mymindstorm/setup-emsdk` pinned to mutable ref `@v14`: `uses: mymindstorm/setup-emsdk@v14` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105496, "scanner": "repobility-supply-chain", "fingerprint": "decd0b3dc22927bf5daea8ab2fb46b411fc09baefc8d7f5216911fa28876aa35", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|decd0b3dc22927bf5daea8ab2fb46b411fc09baefc8d7f5216911fa28876aa35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-spine-flutter.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105495, "scanner": "repobility-supply-chain", "fingerprint": "553d21057d79bc4165209c206ac6738334204db008e3046cc33f0babe322f296", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|553d21057d79bc4165209c206ac6738334204db008e3046cc33f0babe322f296"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-spine-flutter.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `subosito/flutter-action` pinned to mutable ref `@v2`: `uses: subosito/flutter-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 105494, "scanner": "repobility-supply-chain", "fingerprint": "f0346d858eac666c0f404dd3f55661bb378fe458e33ab11d6d3249549c1ae0af", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0346d858eac666c0f404dd3f55661bb378fe458e33ab11d6d3249549c1ae0af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-spine-flutter.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `spine-c-codegen` pulled from URL/Git: `dependencies.spine-c-codegen` = `file:../../spine-c/codegen` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 105493, "scanner": "repobility-supply-chain", "fingerprint": "ba3514fa8d6585fceaf53d08f24fd101aa85e10f28faf9912510db82fb7dd8ea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ba3514fa8d6585fceaf53d08f24fd101aa85e10f28faf9912510db82fb7dd8ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ios/codegen/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@esotericsoftware/spine-phaser-v4` pulled from URL/Git: `dependencies.@esotericsoftware/spine-phaser-v4` = `file://../../` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 105492, "scanner": "repobility-supply-chain", "fingerprint": "029aff77c135584673ecd474865e162a424ff330ea4c7005df0facdba4fc3668", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|029aff77c135584673ecd474865e162a424ff330ea4c7005df0facdba4fc3668"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ts/spine-phaser-v4/example/typescript/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@esotericsoftware/spine-phaser-v3` pulled from URL/Git: `dependencies.@esotericsoftware/spine-phaser-v3` = `file://../../` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 105491, "scanner": "repobility-supply-chain", "fingerprint": "5166d10d087912b42021e89d39a93fbb769e95803ed70f0af87835aac60abf1d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5166d10d087912b42021e89d39a93fbb769e95803ed70f0af87835aac60abf1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ts/spine-phaser-v3/example/typescript/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@esotericsoftware/spine-threejs` pulled from URL/Git: `dependencies.@esotericsoftware/spine-threejs` = `file:../..` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 105490, "scanner": "repobility-supply-chain", "fingerprint": "6424d78bb9744ab85b9f63c3d11b0c7289a143a35bb8cfe6f1d93563ed5f700d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6424d78bb9744ab85b9f63c3d11b0c7289a143a35bb8cfe6f1d93563ed5f700d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ts/spine-threejs/example/react-three-fiber/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `spine-c-codegen` pulled from URL/Git: `dependencies.spine-c-codegen` = `file:../../spine-c/codegen` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 105489, "scanner": "repobility-supply-chain", "fingerprint": "f12ce9b1efba7b2eb9526a44d54a3257447d88e6dbbc562e88b2c39478d6cc79", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f12ce9b1efba7b2eb9526a44d54a3257447d88e6dbbc562e88b2c39478d6cc79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-flutter/codegen/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 105488, "scanner": "repobility-supply-chain", "fingerprint": "bdb5b0060b66f21e8922ee2149234517999ce4be339091fb43b71f493775c043", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bdb5b0060b66f21e8922ee2149234517999ce4be339091fb43b71f493775c043"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `end_headers` of class `GodotWebServer` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 105487, "scanner": "repobility-ast-engine", "fingerprint": "cb30dfd5a888fd804b3bf51418a921e072da9bf5e6841021eafad51a238047a5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cb30dfd5a888fd804b3bf51418a921e072da9bf5e6841021eafad51a238047a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-godot/webserver.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `end_headers` of class `GodotWebServer` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 105486, "scanner": "repobility-ast-engine", "fingerprint": "9b1d6149613350f8caecaa482b383472bd7c54adc60ad01daeb9bad937fdb0e7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9b1d6149613350f8caecaa482b383472bd7c54adc60ad01daeb9bad937fdb0e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-godot/webserver.py"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.value` used but never assigned in __init__: Method `__str__` of class `ANSI` reads `self.value`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 105485, "scanner": "repobility-ast-engine", "fingerprint": "4f10c183fadb17dc8bd6a4cad057aafc4ac86f7a02556d7f9fc08da9d3e078eb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4f10c183fadb17dc8bd6a4cad057aafc4ac86f7a02556d7f9fc08da9d3e078eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-godot/methods.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... 
\u2014 prevents KeyboardInterrupt (Ctrl+C) and SystemExit from propagating, so the process can no longer be interrupted or exit."}, "properties": {"repobilityId": 105438, "scanner": "repobility-threat-engine", "fingerprint": "e7f651c5c1bc9d7545817af4b69463a4521f7ef6ec4fdb0e54f16522b4554343", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e7f651c5c1bc9d7545817af4b69463a4521f7ef6ec4fdb0e54f16522b4554343"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-godot/webserver.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 105429, "scanner": "repobility-threat-engine", "fingerprint": "f7809ba12583c745c5a8e3ce476d8405c7458bd76811f51477046439ebda3127", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f7809ba12583c745c5a8e3ce476d8405c7458bd76811f51477046439ebda3127"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ios/Sources/SpineiOS/SpineSwiftExtensions.swift"}, "region": {"startLine": 197}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 105428, "scanner": "repobility-threat-engine", "fingerprint": "55c9db8df9fc15b8800a75c089764d03987b537f12cd35af3cb52466d3003879", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "HttpURLConnection)url.openConnection(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|55c9db8df9fc15b8800a75c089764d03987b537f12cd35af3cb52466d3003879"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-android/spine-android/src/main/java/com/esotericsoftware/spine/android/utils/HttpUtils.java"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 105427, "scanner": "repobility-threat-engine", "fingerprint": "3a3b0e5d30e0354d5719994a3e71037b63206fb5ce9546e4a0f4bf313576238e", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3a3b0e5d30e0354d5719994a3e71037b63206fb5ce9546e4a0f4bf313576238e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-android/spine-android/src/main/java/com/esotericsoftware/spine/android/AndroidTextureAtlas.java"}, "region": {"startLine": 183}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 105422, "scanner": "repobility-threat-engine", "fingerprint": "8b8d6a714ca589eae04e386dd4ca798e8c86325e555c37317cb83be6951b7966", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "drawable.update(0);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8b8d6a714ca589eae04e386dd4ca798e8c86325e555c37317cb83be6951b7966"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-android/spine-android/src/main/java/com/esotericsoftware/spine/android/bounds/SkinAndAnimationBounds.java"}, "region": {"startLine": 108}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 105421, "scanner": "repobility-threat-engine", "fingerprint": "dba7f0753d2530700ccafeacd227e1920f35a33699d4010e0f9d836c2f1ecec2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "animationState.update(delta);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dba7f0753d2530700ccafeacd227e1920f35a33699d4010e0f9d836c2f1ecec2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-android/spine-android/src/main/java/com/esotericsoftware/spine/android/AndroidSkeletonDrawable.java"}, "region": {"startLine": 100}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 105420, "scanner": "repobility-threat-engine", "fingerprint": "cdd37d663494676fefcf6a8bda8de1b1135733a6d9341eae1794df81193f8a71", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "skeleton.update(0f)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cdd37d663494676fefcf6a8bda8de1b1135733a6d9341eae1794df81193f8a71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-android/app/src/main/java/com/esotericsoftware/spine/DressUp.kt"}, "region": {"startLine": 142}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. 
An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 105412, "scanner": "repobility-threat-engine", "fingerprint": "2a5b0c42c5f49b445e64d73bb6af544901cedb884c8667e1de074d40602c0aec", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DocumentBuilderFactory.newInstance(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2a5b0c42c5f49b445e64d73bb6af544901cedb884c8667e1de074d40602c0aec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "formatters/eclipse-formatter/src/main/java/com/esotericsoftware/spine/formatter/EclipseFormatter.java"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 105406, "scanner": "repobility-threat-engine", "fingerprint": "8fa4825fca3859c66f86cd8e8f0800ce6da79aecced770b547c76d3745dc1d69", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(value", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8fa4825fca3859c66f86cd8e8f0800ce6da79aecced770b547c76d3745dc1d69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ts/spine-pixi-v7/src/assets/AtlasLoader.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 105405, "scanner": "repobility-threat-engine", "fingerprint": "559ba4c02d169d22d3b11254c4050077add14bceedfa8c9a6a70352f446fb8ce", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|559ba4c02d169d22d3b11254c4050077add14bceedfa8c9a6a70352f446fb8ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ts/publish.sh"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 105404, "scanner": "repobility-threat-engine", "fingerprint": "39a9cfc9c659a5b05df14d6eae62d16f2d55b7fa4936fc3f36613552cffd9955", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(prompt", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|39a9cfc9c659a5b05df14d6eae62d16f2d55b7fa4936fc3f36613552cffd9955"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pi/extensions/prompt-url-widget.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval 
at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 105456, "scanner": "repobility-threat-engine", "fingerprint": "9c13f132bd19264bd25202fc7d9378eecce816ea592da725dcefae6471b765e0", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(atlasFile", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9c13f132bd19264bd25202fc7d9378eecce816ea592da725dcefae6471b765e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ts/spine-webgl/example/drag-and-drop.js"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 105455, "scanner": "repobility-threat-engine", "fingerprint": "5edf296f32a1fd2b03828cd8a3d2172df117a499e9b003dbba0bf0d1f1ba527c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(atlasFile", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5edf296f32a1fd2b03828cd8a3d2172df117a499e9b003dbba0bf0d1f1ba527c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ts/spine-threejs/example/typescript/index.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 105454, "scanner": "repobility-threat-engine", "fingerprint": "1d3331f7fd41ae347299913882f9404d40b493fde65e91e87d6b654cb24bfcbc", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(atlasFile", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1d3331f7fd41ae347299913882f9404d40b493fde65e91e87d6b654cb24bfcbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-ts/spine-threejs/example/react-three-fiber/src/main.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat do not bounds-check the destination buffer; use strncpy (with explicit NUL termination) or snprintf."}, "properties": {"repobilityId": 105435, "scanner": "repobility-threat-engine", "fingerprint": "a414341ec0f8f40f2ffccaa6dae5985e3b4ab518dae2ecaca0be7892e3797bf4", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a414341ec0f8f40f2ffccaa6dae5985e3b4ab518dae2ecaca0be7892e3797bf4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spine-cpp/src/spine/Atlas.cpp"}, "region": {"startLine": 254}}}]}]}]}