{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.", "shortDescription": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "fullDescription": {"text": "Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 0.85, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/316"}, "properties": {"repository": "ros/rosdistro", "repoUrl": "https://github.com/ros/rosdistro", "branch": "master"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 9935, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 9934, "scanner": "repobility-threat-engine", "fingerprint": "1d68a5c854173ddb407a3c77be1f0080d25a7ccd516132e70772d44a295c1fcd", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1d68a5c854173ddb407a3c77be1f0080d25a7ccd516132e70772d44a295c1fcd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check_rosdep.py"}, "region": {"startLine": 173}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9931, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cbf0934669d7a1ae09310d27a4df6fcf7c8e43ad89e9bdf890e62c4ebf221c12", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/check_rosdep.py", "duplicate_line": 2, "correlation_key": "fp|cbf0934669d7a1ae09310d27a4df6fcf7c8e43ad89e9bdf890e62c4ebf221c12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check_rosdistro.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC005", "level": "note", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 9933, "scanner": "repobility-threat-engine", "fingerprint": "c6e60f581b70f9040c743dfc5cdc1cf6ab4b11e8b7b48b7d482790a545d9e22b", "category": "injection", "severity": "low", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Command is a hardcoded string literal \u2014 lower risk", "evidence": {"match": "subprocess.call('ls %s' % index_path, shell=True", "reason": "Command is a hardcoded string literal \u2014 lower risk", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "code|injection|token|72|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/count_rosdistro_packages.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 9932, "scanner": "repobility-threat-engine", "fingerprint": "a4830b02005006f4d9f1983957ac35fac0ac81de67569891c4122e5f79716ff1", "category": "injection", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "SQL string interpolation is near request/data/parameter input; user-controlled taint is plausible.", "evidence": {"match": "commit_msg = f'Update", "reason": "SQL string interpolation is near request/data/parameter input; user-controlled taint is plausible.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "code|injection|token|33|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "migration-tools/migrate-rosdistro.py"}, "region": {"startLine": 33}}}]}]}]}