{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Repobility",
          "informationUri": "https://repobility.com",
          "rules": [
            {
              "id": "AIC003",
              "name": "Duplicated implementation block across source files",
              "shortDescription": {"text": "Duplicated implementation block across source files"},
              "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."},
              "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}
            },
            {
              "id": "SEC029",
              "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input",
              "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."},
              "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  from urllib.parse import urlparse\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."},
              "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}
            }
          ]
        }
      },
      "automationDetails": {"id": "repobility/414"},
      "properties": {"repository": "OpenZeppelin/openzeppelin-contracts", "repoUrl": "https://github.com/OpenZeppelin/openzeppelin-contracts.git", "branch": "master"},
      "results": [
        {
          "ruleId": "AIC003",
          "level": "note",
          "message": {"text": "Duplicated implementation block across source files"},
          "properties": {
            "repobilityId": 16465,
            "scanner": "repobility-ai-code-hygiene",
            "fingerprint": "68c0a162fa134bd78ee4900a6f0cdd50c830fe3689df193389bd278b1bdadf3a",
            "category": "quality",
            "severity": "low",
            "confidence": 0.86,
            "triageState": "open",
            "verdict": "confirmed",
            "isResolved": false,
            "reason": "A normalized source-code window appears in two different non-test files.",
            "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/proxy/Clones.behaviour.js", "duplicate_line": 96, "correlation_key": "fp|68c0a162fa134bd78ee4900a6f0cdd50c830fe3689df193389bd278b1bdadf3a"}
          },
          "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/proxy/Proxy.behaviour.js"}, "region": {"startLine": 119}}}]
        },
        {
          "ruleId": "AIC003",
          "level": "note",
          "message": {"text": "Duplicated implementation block across source files"},
          "properties": {
            "repobilityId": 16464,
            "scanner": "repobility-ai-code-hygiene",
            "fingerprint": "2a40629afba5033017e05a70828f2cfd41a7ae178895a8357fe309cbb8062795",
            "category": "quality",
            "severity": "low",
            "confidence": 0.86,
            "triageState": "open",
            "verdict": "confirmed",
            "isResolved": false,
            "reason": "A normalized source-code window appears in two different non-test files.",
            "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/crosschain/BridgeERC20.behavior.js", "duplicate_line": 13, "correlation_key": "fp|2a40629afba5033017e05a70828f2cfd41a7ae178895a8357fe309cbb8062795"}
          },
          "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/crosschain/BridgeERC721.behavior.js"}, "region": {"startLine": 13}}}]
        },
        {
          "ruleId": "AIC003",
          "level": "note",
          "message": {"text": "Duplicated implementation block across source files"},
          "properties": {
            "repobilityId": 16463,
            "scanner": "repobility-ai-code-hygiene",
            "fingerprint": "69d19cdc5a3d37fd7ba06ca7d3fbc8cb02a96e6ae76eedb7680ffadd36debf8d",
            "category": "quality",
            "severity": "low",
            "confidence": 0.86,
            "triageState": "open",
            "verdict": "confirmed",
            "isResolved": false,
            "reason": "A normalized source-code window appears in two different non-test files.",
            "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/crosschain/BridgeERC1155.behavior.js", "duplicate_line": 13, "correlation_key": "fp|69d19cdc5a3d37fd7ba06ca7d3fbc8cb02a96e6ae76eedb7680ffadd36debf8d"}
          },
          "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/crosschain/BridgeERC721.behavior.js"}, "region": {"startLine": 12}}}]
        },
        {
          "ruleId": "AIC003",
          "level": "note",
          "message": {"text": "Duplicated implementation block across source files"},
          "properties": {
            "repobilityId": 16462,
            "scanner": "repobility-ai-code-hygiene",
            "fingerprint": "c8512a0f6b98562ba9bd8271bbcc7bfd602124ec7f49f1ec86c638d38afb56fc",
            "category": "quality",
            "severity": "low",
            "confidence": 0.86,
            "triageState": "open",
            "verdict": "confirmed",
            "isResolved": false,
            "reason": "A normalized source-code window appears in two different non-test files.",
            "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/crosschain/BridgeERC1155.behavior.js", "duplicate_line": 13, "correlation_key": "fp|c8512a0f6b98562ba9bd8271bbcc7bfd602124ec7f49f1ec86c638d38afb56fc"}
          },
          "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/crosschain/BridgeERC20.behavior.js"}, "region": {"startLine": 12}}}]
        },
        {
          "ruleId": "SEC029",
          "level": "error",
          "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."},
          "properties": {
            "repobilityId": 23129,
            "scanner": "repobility-threat-engine",
            "fingerprint": "6842e86e12f7ca22b9b6c4674d0bc7add6671f9bcb70246c1bc20875f4b5ad99",
            "category": "ssrf",
            "severity": "high",
            "confidence": 1.0,
            "triageState": "open",
            "verdict": "confirmed",
            "isResolved": false,
            "reason": "Pattern matched with no mitigating context found",
            "evidence": {"match": "URL(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6842e86e12f7ca22b9b6c4674d0bc7add6671f9bcb70246c1bc20875f4b5ad99"}
          },
          "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contracts/utils/cryptography/WebAuthn.sol"}, "region": {"startLine": 161}}}]
        },
        {
          "ruleId": "SEC029",
          "level": "error",
          "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."},
          "properties": {
            "repobilityId": 23128,
            "scanner": "repobility-threat-engine",
            "fingerprint": "0a9596fbd7421fa6ed19b385fdd45eac6d1406a72d2fe8132a0a45273151a4c6",
            "category": "ssrf",
            "severity": "high",
            "confidence": 1.0,
            "triageState": "open",
            "verdict": "confirmed",
            "isResolved": false,
            "reason": "Pattern matched with no mitigating context found",
            "evidence": {"match": "URL(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0a9596fbd7421fa6ed19b385fdd45eac6d1406a72d2fe8132a0a45273151a4c6"}
          },
          "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contracts/utils/Base64.sol"}, "region": {"startLine": 27}}}]
        }
      ]
    }
  ]
}
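The allowlist check sketched in rule SEC029's fullDescription, carried through to a working validator. This is an added example, not Repobility's or OpenZeppelin's code: it keeps the two allowlisted hosts and the four CIDRs the rule names, adds loopback and the IPv6 equivalents, and takes a resolver function as a parameter so the constructed DNS answers below let it run offline. It also covers two inputs the hostname-only snippet does not: a userinfo-style URL such as `http://images.example.com@169.254.169.254/` (the allowlisted name is the username, not the host) and an allowlisted name whose DNS answer is a private address.

```python
"""Allowlist-based outbound URL validation, following the SEC029 guidance.

Added example (not Repobility's or OpenZeppelin's code). The allowlist is
the one named in the rule text; the canned DNS answers in FAKE_DNS are
constructed for the demonstration.
"""
import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}  # from the rule text
ALLOWED_SCHEMES = {"http", "https"}  # rejects file://, gopher://, etc.

# The CIDRs the rule names, plus loopback, "this host" and the IPv6 ranges an
# attacker would reach for once the IPv4 ranges are blocked.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], Iterable[str]]


class UnsafeURL(ValueError):
    """Raised when a URL must not be fetched server-side."""


def _is_blocked(addr: str) -> bool:
    """True if addr falls in a blocked range; unwraps IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 -> 169.254.169.254
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url: str, resolve: Resolver) -> str:
    """Return the IP to connect to, or raise UnsafeURL.

    Order of checks: scheme, literal hostname against the allowlist, then every
    address the name resolves to against the blocked CIDRs. The caller should
    connect to the returned IP (setting Host/SNI itself) so that a second DNS
    lookup at fetch time cannot return a different, private address.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # drops userinfo, port and [] brackets; lowercases
    if not host or host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host not in allowlist: {host!r}")
    addrs = list(resolve(host))
    if not addrs:
        raise UnsafeURL(f"no address for {host!r}")
    for addr in addrs:
        if _is_blocked(addr):
            raise UnsafeURL(f"{host!r} resolves to blocked address {addr}")
    return addrs[0]


# Constructed DNS answers standing in for a real resolver (offline run).
FAKE_DNS = {
    "images.example.com": ["203.0.113.10"],
    # Allowlisted name pointed at the metadata service (rebinding or a
    # compromised zone): the hostname check alone would let this through.
    "cdn.example.com": ["169.254.169.254"],
}


def fake_resolve(host: str):
    return FAKE_DNS.get(host, [])


def check(url: str) -> str:
    """Classify a URL as 'allowed:<ip>' or 'blocked:<reason>'."""
    try:
        return "allowed:" + validate_outbound_url(url, fake_resolve)
    except UnsafeURL as exc:
        return "blocked:" + str(exc)


if __name__ == "__main__":
    for u in (
        "https://images.example.com/a.png",
        "http://images.example.com@169.254.169.254/latest/meta-data/",
        "file:///etc/passwd",
        "https://cdn.example.com/logo.png",
        "http://[::ffff:10.0.0.1]/",
    ):
        print(u, "->", check(u))
```

In production the resolver is the one the HTTP client will actually use, and the fetch must disable redirect following (or re-run this check on every redirect target), since an allowlisted host that 302s to `http://169.254.169.254/` bypasses a check done only on the first URL.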
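A triage pass over the findings in this report, as an added example (not Repobility's or OpenZeppelin's code). Two checks a reviewer would run before accepting the results: SEC029 findings located in Solidity sources cannot be outbound HTTP requests, because EVM contracts have no network I/O, and the recorded evidence (`URL(c`, `URL(b`) is consistent with a call to a function whose name ends in `URL` rather than with a request; and AIC003 findings whose reason says "non-test files" while both paths are under `test/`. The outcome is written back as SARIF 2.1.0 `suppressions` entries. `SAMPLE` is a trimmed, constructed copy of four of the findings above; the `.vy` extension and the justification wording are the example's own assumptions.

```python
"""Triage pass over a Repobility SARIF report.

Added example, not Repobility's or OpenZeppelin's code. Attaches SARIF 2.1.0
`suppressions` objects to results that should not be accepted as reported.
SAMPLE is a trimmed, constructed copy of findings from the report above.
"""
import copy
import json
from typing import Dict, Optional

# Languages whose programs cannot issue outbound HTTP requests at all, so an
# SSRF finding in such a file is a pattern-match false positive. Solidity and
# Vyper (the latter an assumption of this example, not from the report).
NO_NETWORK_IO_EXTENSIONS = {".sol", ".vy"}

SAMPLE = json.loads(r'''
{"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "Repobility"}}, "results": [
 {"ruleId": "AIC003", "level": "note",
  "properties": {"reason": "A normalized source-code window appears in two different non-test files.",
                 "evidence": {"duplicate_file": "test/proxy/Clones.behaviour.js"}},
  "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/proxy/Proxy.behaviour.js"}, "region": {"startLine": 119}}}]},
 {"ruleId": "AIC003", "level": "note",
  "properties": {"reason": "A normalized source-code window appears in two different non-test files.",
                 "evidence": {"duplicate_file": "test/crosschain/BridgeERC20.behavior.js"}},
  "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/crosschain/BridgeERC721.behavior.js"}, "region": {"startLine": 13}}}]},
 {"ruleId": "SEC029", "level": "error",
  "properties": {"category": "ssrf", "evidence": {"match": "URL(c"}},
  "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contracts/utils/cryptography/WebAuthn.sol"}, "region": {"startLine": 161}}}]},
 {"ruleId": "SEC029", "level": "error",
  "properties": {"category": "ssrf", "evidence": {"match": "URL(b"}},
  "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contracts/utils/Base64.sol"}, "region": {"startLine": 27}}}]}
]}]}
''')


def _uri(result: dict) -> str:
    return result["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]


def _ext(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot >= 0 else ""


def classify(result: dict) -> Optional[dict]:
    """Return a SARIF suppression for a result that should not stand as
    reported, or None when the finding is left open."""
    uri = _uri(result)
    props = result.get("properties", {})
    evidence = props.get("evidence", {})
    if props.get("category") == "ssrf" and _ext(uri) in NO_NETWORK_IO_EXTENSIONS:
        match = evidence.get("match", "")
        return {"kind": "external", "status": "accepted",
                "justification": (f"{_ext(uri)} sources cannot make outbound HTTP requests; "
                                  f"matched text {match!r} is a call to a function whose "
                                  f"name ends in URL, not a request.")}
    if result["ruleId"] == "AIC003":
        dup = evidence.get("duplicate_file", "")
        if "non-test" in props.get("reason", "") and uri.startswith("test/") and dup.startswith("test/"):
            return {"kind": "external", "status": "underReview",
                    "justification": "reason claims non-test files but both paths are under test/; "
                                     "re-check the duplicate window before accepting."}
    return None


def triage(sarif: dict) -> dict:
    """Deep-copy the report and attach suppressions; the input is untouched."""
    out = copy.deepcopy(sarif)
    for run in out["runs"]:
        for result in run["results"]:
            supp = classify(result)
            if supp is not None:
                result.setdefault("suppressions", []).append(supp)
    return out


def summary(sarif: dict) -> Dict[str, int]:
    """Count results as 'open' (no suppression), 'accepted' or 'underReview'."""
    counts = {"open": 0, "accepted": 0, "underReview": 0}
    for run in sarif["runs"]:
        for result in run["results"]:
            supps = result.get("suppressions", [])
            counts[supps[0]["status"] if supps else "open"] += 1
    return counts


if __name__ == "__main__":
    triaged = triage(SAMPLE)
    print(json.dumps(summary(triaged)))
    for run in triaged["runs"]:
        for r in run["results"]:
            for s in r.get("suppressions", []):
                print(r["ruleId"], _uri(r), s["status"], "-", s["justification"])
```

Writing the verdict as `suppressions` rather than deleting results keeps the scanner's record intact and lets SARIF consumers (GitHub code scanning, for instance) hide accepted suppressions while still showing `underReview` ones.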