{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. 
Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED086", "name": "[MINED086] Kotlin Runtime Exception: Throwing bare RuntimeException loses type info.", "shortDescription": {"text": "[MINED086] Kotlin Runtime Exception: Throwing bare RuntimeException loses type info."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC035", "name": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk (and 1 more): Same pattern found in 1 additional files. Review if need", "shortDescription": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Cap user-controlled sizes BEFORE allocation:\n  size = min(int(request.args.get('n', 100)), MAX_SIZE)\nSet framework-level limits:\n  Flask:    app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024\n  FastAPI:  use middleware to enforce request size\n  Django:   DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py\nNever raise `sys.setrecursionlimit` past 10K without a deeper review."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED083", "name": "[MINED083] Java Thread Start (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED083] Java Thread Start (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-664 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `integration-tests/gradle/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `integrati", "shortDescription": {"text": "[MINED134] Binary file `integration-tests/gradle/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `integration-tests/gradle/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,764 bytes) committed to a repo that otherwise ha"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. 
If it's a build artifact, add the extension to .gitignore and rebuild from source. A Gradle wrapper JAR is normally committed on purpose; for one, verify its SHA-256 against the checksum Gradle publishes for the wrapper version in use instead of ignoring it."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16.\nApply the block list to the resolved IP address rather than the hostname string, re-check after every redirect, and also cover loopback (127/8) and the IPv6 equivalents."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.CI_DEPLOY_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_reque", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.CI_DEPLOY_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CI_DEPLOY_PASSWORD }}` lets a PR from any fork exfiltrate "}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed. By default GitHub does not pass repository secrets to `pull_request` runs that come from a fork, so confirm the exposure first; `pull_request_target` does run with the base repository's secrets, so a job under that trigger must not check out or execute the PR head."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/946"}, "properties": {"repository": "google/guava", "repoUrl": "https://github.com/google/guava", "branch": "master"}, "results": [{"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88710, "scanner": "repobility-ai-code-hygiene", "fingerprint": "db2e4f46b324a57da7d19ed31d1602e307a4ccafd9dde1457f3209c924f72d09", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "android/guava/src/com/google/common/collect/FilteredEntrySetMultimap.java", "duplicate_line": 13, "correlation_key": "fp|db2e4f46b324a57da7d19ed31d1602e307a4ccafd9dde1457f3209c924f72d09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava/src/com/google/common/collect/FilteredKeySetMultimap.java"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88709, "scanner": "repobility-ai-code-hygiene", "fingerprint": "98240489ed6a9210644d32ea4edd09553798a5a14018241a087b6e10f2d59a03", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"android/guava/src/com/google/common/collect/DescendingImmutableSortedMultiset.java", "duplicate_line": 47, "correlation_key": "fp|98240489ed6a9210644d32ea4edd09553798a5a14018241a087b6e10f2d59a03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava/src/com/google/common/collect/DescendingImmutableSortedSet.java"}, "region": {"startLine": 73}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88708, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a34235c7a6d0ec9d9aba2775f4285fd93dea5a1a21686974c19551fdb91f3f2e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "android/guava/src/com/google/common/collect/CompactLinkedHashMap.java", "duplicate_line": 75, "correlation_key": "fp|a34235c7a6d0ec9d9aba2775f4285fd93dea5a1a21686974c19551fdb91f3f2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava/src/com/google/common/collect/CompactLinkedHashSet.java"}, "region": {"startLine": 73}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88707, "scanner": "repobility-ai-code-hygiene", "fingerprint": "49e4b492791425a3fde1e634447adf82a442f574bd0e7960a314ca5c89ebee89", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "android/guava/src/com/google/common/collect/CompactHashMap.java", "duplicate_line": 62, "correlation_key": "fp|49e4b492791425a3fde1e634447adf82a442f574bd0e7960a314ca5c89ebee89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava/src/com/google/common/collect/CompactHashSet.java"}, "region": {"startLine": 64}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88706, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e1c8867d8f1089435fe3be74bc86a32a92bde0c332af145879d9aeb16d8b4472", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "android/guava-testlib/src/com/google/common/collect/testing/Helpers.java", "duplicate_line": 308, "correlation_key": "fp|e1c8867d8f1089435fe3be74bc86a32a92bde0c332af145879d9aeb16d8b4472"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava/src/com/google/common/collect/AbstractMapEntry.java"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88705, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c170fc900e50eca043c2cc30347d8d04fdcf8211a14283e40b542380e4251bb2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"android/guava/src/com/google/common/base/AbstractIterator.java", "duplicate_line": 11, "correlation_key": "fp|c170fc900e50eca043c2cc30347d8d04fdcf8211a14283e40b542380e4251bb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava/src/com/google/common/collect/AbstractIterator.java"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88704, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d2b889154dc5c43c8bc235fa1c52a349bf59f8ef417619a47f0bb91afea13405", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "android/guava-testlib/src/com/google/common/collect/testing/testers/ConcurrentMapReplaceTester.java", "duplicate_line": 29, "correlation_key": "fp|d2b889154dc5c43c8bc235fa1c52a349bf59f8ef417619a47f0bb91afea13405"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-testlib/src/com/google/common/collect/testing/testers/MapReplaceTester.java"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88703, "scanner": "repobility-ai-code-hygiene", "fingerprint": "16bbe22bc56e49383bcf6af2ccc6182dba26f08fe9ba8cc432af5f97f5cad1c3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "android/guava-testlib/src/com/google/common/collect/testing/testers/ConcurrentMapReplaceEntryTester.java", "duplicate_line": 28, "correlation_key": "fp|16bbe22bc56e49383bcf6af2ccc6182dba26f08fe9ba8cc432af5f97f5cad1c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-testlib/src/com/google/common/collect/testing/testers/MapReplaceEntryTester.java"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88702, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fb783e6171c3ff3b4abf80d0a4929ac1d2410f7cde98e588411a724fe3cfd4fb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "android/guava-testlib/src/com/google/common/collect/testing/testers/ConcurrentMapRemoveTester.java", "duplicate_line": 23, "correlation_key": "fp|fb783e6171c3ff3b4abf80d0a4929ac1d2410f7cde98e588411a724fe3cfd4fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-testlib/src/com/google/common/collect/testing/testers/MapRemoveEntryTester.java"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88701, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c459225f47e83a1e0b416bb499bfb160ef8d0087ba7b416c2e8b473187528ce2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "android/guava-testlib/src/com/google/common/collect/testing/testers/ConcurrentMapPutIfAbsentTester.java", "duplicate_line": 28, "correlation_key": "fp|c459225f47e83a1e0b416bb499bfb160ef8d0087ba7b416c2e8b473187528ce2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-testlib/src/com/google/common/collect/testing/testers/MapPutIfAbsentTester.java"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88700, "scanner": "repobility-ai-code-hygiene", "fingerprint": "63bb81077590c9a512d6e24629f44d3ea1b50f1d95992a19123a6a8f52ad44e8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "android/guava-testlib/src/com/google/common/collect/testing/TestStringMapGenerator.java", "duplicate_line": 33, "correlation_key": "fp|63bb81077590c9a512d6e24629f44d3ea1b50f1d95992a19123a6a8f52ad44e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-testlib/src/com/google/common/collect/testing/google/TestStringSetMultimapGenerator.java"}, "region": {"startLine": 49}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88699, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eeec7a41a96033987e55722bc46a2825b098a9faed37398b7b04e71ed351e59d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "android/guava-testlib/src/com/google/common/collect/testing/google/TestStringListMultimapGenerator.java", "duplicate_line": 15, "correlation_key": "fp|eeec7a41a96033987e55722bc46a2825b098a9faed37398b7b04e71ed351e59d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-testlib/src/com/google/common/collect/testing/google/TestStringSetMultimapGenerator.java"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88698, "scanner": "repobility-ai-code-hygiene", "fingerprint": "afc2eb186816ec0a309b0d6e6f41eaafcf3fc38e39238610a0ca9886a8ccab7e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "android/guava-testlib/src/com/google/common/collect/testing/TestStringMapGenerator.java", "duplicate_line": 33, "correlation_key": "fp|afc2eb186816ec0a309b0d6e6f41eaafcf3fc38e39238610a0ca9886a8ccab7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-testlib/src/com/google/common/collect/testing/google/TestStringListMultimapGenerator.java"}, "region": {"startLine": 49}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88697, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cb440af505ee044bc09830d642a2b26598d49c70f16283732e5dcc58158bd4bd", 
"category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "android/guava-testlib/src/com/google/common/collect/testing/TestStringMapGenerator.java", "duplicate_line": 33, "correlation_key": "fp|cb440af505ee044bc09830d642a2b26598d49c70f16283732e5dcc58158bd4bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-testlib/src/com/google/common/collect/testing/google/TestStringBiMapGenerator.java"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88696, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d01e5089678fa65fab33d997038b42a1abe40d06d73641b6a1b8cf3773c77cfc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "android/guava-testlib/src/com/google/common/collect/testing/google/SetMultimapTestSuiteBuilder.java", "duplicate_line": 24, "correlation_key": "fp|d01e5089678fa65fab33d997038b42a1abe40d06d73641b6a1b8cf3773c77cfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-testlib/src/com/google/common/collect/testing/google/SortedSetMultimapTestSuiteBuilder.java"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88695, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "3f38f27c81a5ffb345ad35210e2ad112d250ed8dcdaf74eb8dfcf9ef7edd606d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "android/guava-testlib/src/com/google/common/collect/testing/DerivedCollectionGenerators.java", "duplicate_line": 276, "correlation_key": "fp|3f38f27c81a5ffb345ad35210e2ad112d250ed8dcdaf74eb8dfcf9ef7edd606d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-testlib/src/com/google/common/collect/testing/google/SortedMultisetTestSuiteBuilder.java"}, "region": {"startLine": 212}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88694, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b4259e179051cba3b808d2b8a0a0b2205ee1a5de50ba0b1b0fcc61054690c829", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "android/guava-testlib/src/com/google/common/collect/testing/google/MapGenerators.java", "duplicate_line": 91, "correlation_key": "fp|b4259e179051cba3b808d2b8a0a0b2205ee1a5de50ba0b1b0fcc61054690c829"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-testlib/src/com/google/common/collect/testing/google/SortedMapGenerators.java"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated 
implementation block across source files"}, "properties": {"repobilityId": 88693, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c4bb7044e6bafcef80cb5720cd28afaa37d3da71d73acfe87c5ccdcdad948071", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "android/guava-testlib/src/com/google/common/collect/testing/google/MultimapAsMapGetTester.java", "duplicate_line": 77, "correlation_key": "fp|c4bb7044e6bafcef80cb5720cd28afaa37d3da71d73acfe87c5ccdcdad948071"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-testlib/src/com/google/common/collect/testing/google/MultimapGetTester.java"}, "region": {"startLine": 81}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88692, "scanner": "repobility-ai-code-hygiene", "fingerprint": "283fc4320f6702be9d83051db0dfb381fdcf3a300453a261c18863b0b7ad89da", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "android/guava-testlib/src/com/google/common/collect/testing/DerivedCollectionGenerators.java", "duplicate_line": 152, "correlation_key": "fp|283fc4320f6702be9d83051db0dfb381fdcf3a300453a261c18863b0b7ad89da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-testlib/src/com/google/common/collect/testing/google/DerivedGoogleCollectionGenerators.java"}, "region": 
{"startLine": 121}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88691, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e39c72c67f8f9c5e06971a8d6adb217831f8006ed10cc99d381005d8796f9233", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "android/guava-testlib/src/com/google/common/collect/testing/AbstractMapTester.java", "duplicate_line": 49, "correlation_key": "fp|e39c72c67f8f9c5e06971a8d6adb217831f8006ed10cc99d381005d8796f9233"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-testlib/src/com/google/common/collect/testing/google/AbstractMultimapTester.java"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88690, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ffd0a08ef7c8b3d883ae616cbd75de94813b6d1fea070f27b4bd5e53002a464a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "android/guava-testlib/src/com/google/common/collect/testing/CollectionTestSuiteBuilder.java", "duplicate_line": 49, "correlation_key": "fp|ffd0a08ef7c8b3d883ae616cbd75de94813b6d1fea070f27b4bd5e53002a464a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"android/guava-testlib/src/com/google/common/collect/testing/SetTestSuiteBuilder.java"}, "region": {"startLine": 69}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88689, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6f4ab8aa21f81570248cdad045c6bd8a2a8b750d37bd42463d505068856a44e8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "android/guava-testlib/src/com/google/common/collect/testing/SafeTreeMap.java", "duplicate_line": 230, "correlation_key": "fp|6f4ab8aa21f81570248cdad045c6bd8a2a8b750d37bd42463d505068856a44e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-testlib/src/com/google/common/collect/testing/SafeTreeSet.java"}, "region": {"startLine": 171}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88688, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3c65fb556ecf02a342868c6fce7155a6dabdffada9cae56b4c0c5fb71bda03a2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "android/guava-testlib/src/com/google/common/collect/testing/DerivedCollectionGenerators.java", "duplicate_line": 276, "correlation_key": "fp|3c65fb556ecf02a342868c6fce7155a6dabdffada9cae56b4c0c5fb71bda03a2"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "android/guava-testlib/src/com/google/common/collect/testing/ReserializingTestCollectionGenerator.java"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88687, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6a6a1187531b74f1d4d602c79f90e1fd50858edb6f26a449e128f8d9a5d23750", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "android/guava-testlib/src/com/google/common/collect/testing/CollectionTestSuiteBuilder.java", "duplicate_line": 49, "correlation_key": "fp|6a6a1187531b74f1d4d602c79f90e1fd50858edb6f26a449e128f8d9a5d23750"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-testlib/src/com/google/common/collect/testing/ListTestSuiteBuilder.java"}, "region": {"startLine": 100}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 88679, "scanner": "repobility-threat-engine", "fingerprint": "f561e723c94637e9241ce788d6c81eb665dab41bcf797ddf6b2d8e4b7b876aa0", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Conflicting values \" + v1 + \" and \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f561e723c94637e9241ce788d6c81eb665dab41bcf797ddf6b2d8e4b7b876aa0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava/src/com/google/common/collect/TableCollectors.java"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 88678, "scanner": "repobility-threat-engine", "fingerprint": "265528b8ed8621a2b1d69f8da7fa8bc233eda0609db781ff369c9c46acdd7174", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Expected an \" + type + \" but got \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|265528b8ed8621a2b1d69f8da7fa8bc233eda0609db781ff369c9c46acdd7174"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava/src/com/google/common/collect/EnumMultiset.java"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 88677, "scanner": "repobility-threat-engine", "fingerprint": "ab9bbcde03bbaaf220f8fb1b8da6e1cf78b271b3e9ccb0ca75fb5758d34e0ff8", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"null value in entry: \" + key + \"=null\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ab9bbcde03bbaaf220f8fb1b8da6e1cf78b271b3e9ccb0ca75fb5758d34e0ff8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava/src/com/google/common/collect/CollectPreconditions.java"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED086", "level": "none", "message": {"text": "[MINED086] Kotlin Runtime Exception: Throwing bare RuntimeException loses type info."}, "properties": {"repobilityId": 88685, "scanner": "repobility-threat-engine", "fingerprint": "cb0a802aa84f18a86c8f8fd5e221934301e9c95dd7154788c8fd3a4f6fb1505c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-runtime-exception", "owasp": null, "cwe_ids": [], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348138+00:00", "triaged_in_corpus": 12, "observations_count": 751, "ai_coder_pattern_id": 156}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cb0a802aa84f18a86c8f8fd5e221934301e9c95dd7154788c8fd3a4f6fb1505c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/gradle/build.gradle.kts"}, "region": 
{"startLine": 206}}}]}, {"ruleId": "SEC035", "level": "none", "message": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 88684, "scanner": "repobility-threat-engine", "fingerprint": "0fa1f864063ea447e11d1cd4dcf64f383fc1779c1e2b958022ab8b0318d4f51c", "category": "resource_exhaustion", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC035", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0fa1f864063ea447e11d1cd4dcf64f383fc1779c1e2b958022ab8b0318d4f51c"}}}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "properties": {"repobilityId": 88680, "scanner": "repobility-threat-engine", "fingerprint": "c954db5209d912985723d805431a5bfcaecf940534fa8998411f625de1bb227d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 21 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 21 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c954db5209d912985723d805431a5bfcaecf940534fa8998411f625de1bb227d"}}}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 88676, "scanner": "repobility-threat-engine", "fingerprint": "18f784dfe40a9db7e9eeb4da73c7a90cbbac138b56c85550563cf29eca32aee2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|18f784dfe40a9db7e9eeb4da73c7a90cbbac138b56c85550563cf29eca32aee2", "aggregated_count": 3}}}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. 
Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 88675, "scanner": "repobility-threat-engine", "fingerprint": "3133bfd59d94ace76bb69206f92e37ca76b355ce37813d96ac77f7c343582a91", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3133bfd59d94ace76bb69206f92e37ca76b355ce37813d96ac77f7c343582a91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava/src/com/google/common/base/internal/Finalizer.java"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. 
Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 88674, "scanner": "repobility-threat-engine", "fingerprint": "511633bffd8582efd9c8a291e5c7a1631a71ec467b5e7d8d26a022a01344fbee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|511633bffd8582efd9c8a291e5c7a1631a71ec467b5e7d8d26a022a01344fbee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-tests/benchmark/com/google/common/util/concurrent/MoreExecutorsDirectExecutorBenchmark.java"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. 
Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 88673, "scanner": "repobility-threat-engine", "fingerprint": "f2d17ddc54513676d089aabe0daa27acffa830f5997cc423ed27a13dd7c51503", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f2d17ddc54513676d089aabe0daa27acffa830f5997cc423ed27a13dd7c51503"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-tests/benchmark/com/google/common/util/concurrent/AbstractFutureFootprintBenchmark.java"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 88670, "scanner": "repobility-threat-engine", "fingerprint": "f3554231f2d32a33a651c3b39559f3d21263dabefeb5c7ba90040f806b6ba0ca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f3554231f2d32a33a651c3b39559f3d21263dabefeb5c7ba90040f806b6ba0ca"}}}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 88666, "scanner": "repobility-threat-engine", "fingerprint": "3d94e880c2e8a0bb4b06b2e51a89f1e2b3c179247361f3b31060096e31f982c7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3d94e880c2e8a0bb4b06b2e51a89f1e2b3c179247361f3b31060096e31f982c7", "aggregated_count": 3}}}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `integration-tests/gradle/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `integration-tests/gradle/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,764 bytes) committed to a repo that otherwise has 3233 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts. A Gradle wrapper JAR is conventionally committed, so verify this file's SHA-256 against the checksums Gradle publishes for the wrapper version before treating it as malicious."}, "properties": {"repobilityId": 88713, "scanner": "repobility-supply-chain", "fingerprint": "d1a25fdaeba60ac9d622546539225ba6279cd2ee56c6049cc5daf59017c98039", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d1a25fdaeba60ac9d622546539225ba6279cd2ee56c6049cc5daf59017c98039"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/gradle/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC035", "level": "error", "message": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. 
Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants."}, "properties": {"repobilityId": 88683, "scanner": "repobility-threat-engine", "fingerprint": "7ea225f10360c8e012498abe53914d236e3b18f70eba533fae6ca5a5fe98af32", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Bytes(input.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC035", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7ea225f10360c8e012498abe53914d236e3b18f70eba533fae6ca5a5fe98af32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guava/src/com/google/common/hash/AbstractNonStreamingHashFunction.java"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC035", "level": "error", "message": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. 
Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants."}, "properties": {"repobilityId": 88682, "scanner": "repobility-threat-engine", "fingerprint": "d946baddfa2bf56defaa2c68d88da8a2ed5ea1dbb126553ace3cf4f2fae29717", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Bytes(input.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC035", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d946baddfa2bf56defaa2c68d88da8a2ed5ea1dbb126553ace3cf4f2fae29717"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava/src/com/google/common/hash/Murmur3_32HashFunction.java"}, "region": {"startLine": 199}}}]}, {"ruleId": "SEC035", "level": "error", "message": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. 
Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants."}, "properties": {"repobilityId": 88681, "scanner": "repobility-threat-engine", "fingerprint": "4777a804019bca3ad71865539094cbc8df8c67039d18c96979bcb1785239d580", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Bytes(input.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC035", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4777a804019bca3ad71865539094cbc8df8c67039d18c96979bcb1785239d580"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava/src/com/google/common/hash/AbstractNonStreamingHashFunction.java"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 88672, "scanner": "repobility-threat-engine", "fingerprint": "d2dbe7e2b1c28936217462fc6a16c55ec1764268d14184676e31396235897b39", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(B", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d2dbe7e2b1c28936217462fc6a16c55ec1764268d14184676e31396235897b39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guava-tests/benchmark/com/google/common/io/BaseEncodingBenchmark.java"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 88671, "scanner": "repobility-threat-engine", "fingerprint": "99d9ccbbb256c24a3a28a37a46269be296607cd19bddd72fcb18535f2b1a590e", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(B", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|99d9ccbbb256c24a3a28a37a46269be296607cd19bddd72fcb18535f2b1a590e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-tests/benchmark/com/google/common/io/BaseEncodingBenchmark.java"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 88669, "scanner": "repobility-threat-engine", "fingerprint": "47266d06fad5835c4fcb7af4dfd305e616684aaed3efc0ef233aa8466b6a7b50", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "mac.update(b);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|47266d06fad5835c4fcb7af4dfd305e616684aaed3efc0ef233aa8466b6a7b50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava/src/com/google/common/hash/MacHashFunction.java"}, "region": {"startLine": 110}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 88668, "scanner": "repobility-threat-engine", "fingerprint": "872975ce22e45b6240fe844ec55509f7881d76689383440c60fcd4b52b84113d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "checksum.update(b);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|872975ce22e45b6240fe844ec55509f7881d76689383440c60fcd4b52b84113d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava/src/com/google/common/hash/ChecksumHashFunction.java"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 88667, "scanner": "repobility-threat-engine", "fingerprint": "5de3505ef789f773674b95cef0389eda04b53c03c035b6541c57570019a89607", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "md.update(input);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5de3505ef789f773674b95cef0389eda04b53c03c035b6541c57570019a89607"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-tests/benchmark/com/google/common/hash/MessageDigestAlgorithmBenchmark.java"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 88665, "scanner": "repobility-threat-engine", "fingerprint": "0595a52739858d903e27ee416ef3f2f56d14069d930443afacadc0210b246c55", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0595a52739858d903e27ee416ef3f2f56d14069d930443afacadc0210b246c55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-tests/benchmark/com/google/common/hash/MessageDigestCreationBenchmark.java"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED004", 
"level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 88664, "scanner": "repobility-threat-engine", "fingerprint": "dc79c5ef68a5f9f7d693226e6bc8bbf0b5344a2d2000eeace6c96a511036cab5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dc79c5ef68a5f9f7d693226e6bc8bbf0b5344a2d2000eeace6c96a511036cab5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-tests/benchmark/com/google/common/hash/MessageDigestAlgorithmBenchmark.java"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 88663, "scanner": "repobility-threat-engine", "fingerprint": "261cba6aca0dc58b31e75a0527bc72bd73ca0e8d5656d8dd9046e7bc88f22cba", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|261cba6aca0dc58b31e75a0527bc72bd73ca0e8d5656d8dd9046e7bc88f22cba"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "android/guava-tests/benchmark/com/google/common/hash/HashStringBenchmark.java"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 88662, "scanner": "repobility-threat-engine", "fingerprint": "2095ce9145f1db839e86dd3d8fec92e179cc554bb7757ce31851c0fa2ea76650", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2095ce9145f1db839e86dd3d8fec92e179cc554bb7757ce31851c0fa2ea76650"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guava-tests/benchmark/com/google/common/cache/LoadingCacheSingleThreadBenchmark.java"}, "region": {"startLine": 110}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 88661, "scanner": "repobility-threat-engine", "fingerprint": "abacff61d815d37816ad53eefc009ac6c5fffcb937a44b4d3a2a6c82c8d14014", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|abacff61d815d37816ad53eefc009ac6c5fffcb937a44b4d3a2a6c82c8d14014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "android/guava-tests/benchmark/com/google/common/cache/LoadingCacheSingleThreadBenchmark.java"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CI_DEPLOY_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CI_DEPLOY_PASSWORD }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Confirm exposure first: by default GitHub does not pass repository secrets to `pull_request` runs triggered from a fork, so check which PR sources and `if:` guards let this step receive the secret. 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 88712, "scanner": "repobility-supply-chain", "fingerprint": "892c56db243fa2497b1bd5f6a0afc17e9b0dfd3280a5fd41b64057326c277c59", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|892c56db243fa2497b1bd5f6a0afc17e9b0dfd3280a5fd41b64057326c277c59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CI_DEPLOY_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CI_DEPLOY_USERNAME }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Confirm exposure first: by default GitHub does not pass repository secrets to `pull_request` runs triggered from a fork, so check which PR sources and `if:` guards let this step receive the secret. 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 88711, "scanner": "repobility-supply-chain", "fingerprint": "176ab9537ca638f244855a493c3b257b7a144401ffc494ebe1478cc8fd1aab0c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|176ab9537ca638f244855a493c3b257b7a144401ffc494ebe1478cc8fd1aab0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 88686, "scanner": "repobility-threat-engine", "fingerprint": "14bfcce236c20e02dee731ad34010354728ac254f6266e2df022eb3ea69f0cd9", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|14bfcce236c20e02dee731ad34010354728ac254f6266e2df022eb3ea69f0cd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "util/update_snapshot_docs.sh"}, "region": {"startLine": 8}}}]}]}]}