{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. 
Even safe-looking subdomains should be hardened \u2014 it costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_README", "name": "No README file found", "shortDescription": {"text": "No README file found"}, "fullDescription": {"text": "Create a README.md with: project name and description, installation instructions, usage examples, configuration options, and contribution guidelines."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be applied in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. 
Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392 and CWE-798 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public re", "shortDescription": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 11 more): Same pattern found in 11 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back; reflecting an arbitrary request Origin unchecked is equivalent to a wildcard. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. 
The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express POST /login has no auth", "shortDescription": {"text": "Express POST /login has no auth"}, "fullDescription": {"text": "Express route POST /login declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). 
Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED114", "name": "Admin endpoint without auth: POST /admin/create-user", "shortDescription": {"text": "Admin endpoint without auth: POST /admin/create-user"}, "fullDescription": {"text": "Express route on /admin path (/admin/create-user) with no auth middleware."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "critical", "confidence": 0.8, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/616"}, "properties": {"repository": "caresmartsuits-eng/adminapplication-internal", "repoUrl": "https://github.com/caresmartsuits-eng/adminapplication-internal.git", "branch": "main"}, "results": [{"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 43992, "scanner": "repobility-journey-contract", "fingerprint": "415192f9fb04f44cc2cea52cb435287befb36afa3d66c9497a025e01a6cea1e7", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|94|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/features/orders/CreateOrder.jsx"}, "region": {"startLine": 94}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 43991, "scanner": "repobility-journey-contract", "fingerprint": 
"10b7ca54072c5459a9218ab0ff477b3ff59414e73cecb8220f79f908656b5070", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|71|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/features/orders/CreateOrder.jsx"}, "region": {"startLine": 71}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 43990, "scanner": "repobility-journey-contract", "fingerprint": "358514db26e1c38286ba5131ff12bc75a921e92efac6b14e776e0b28f42a101b", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|47|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/features/orders/CreateOrder.jsx"}, "region": {"startLine": 47}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 43989, "scanner": "repobility-journey-contract", "fingerprint": "0f66d5eb9814b534ca13d378154e71815f1cd3fd47d0fb1d4fb2311196d5b7e1", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": 
{"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|32|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/features/orders/CreateOrder.jsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 43988, "scanner": "repobility-journey-contract", "fingerprint": "b8071e7112b61192b1c43ca1610da32e9ea0dd314443ea348bab36179c91a429", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|58|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/features/configs/CreateConfiguration.jsx"}, "region": {"startLine": 58}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 43987, "scanner": "repobility-journey-contract", "fingerprint": "31f28af2a2995267f403ebde5d94165bfd1454247d8be1897085d7840df63539", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|21|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "client/src/pages/features/configs/CreateConfiguration.jsx"}, "region": {"startLine": 21}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 43986, "scanner": "repobility-journey-contract", "fingerprint": "1f190d269eca811136f5ac53bba4dd13632af93ab74a5d1ee5e52a2bfb2d568f", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|31|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/features/configs/ConfigurationsList.jsx"}, "region": {"startLine": 31}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 43985, "scanner": "repobility-journey-contract", "fingerprint": "0b8a88a84dc466ee405e64b3f6c47f898b03d04472ff29df9564d71d9c46f92c", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|12|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/features/configHeaders/UpdateConfigHeaderModal.jsx"}, "region": {"startLine": 12}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 43984, 
"scanner": "repobility-journey-contract", "fingerprint": "3d2170be145a4d2a85b42f1e013a10a9755c598974af8c4623260022abb7bd4c", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|17|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/features/configHeaders/CreateConfigHeader.jsx"}, "region": {"startLine": 17}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 43983, "scanner": "repobility-journey-contract", "fingerprint": "6f3e420f17d9df78580701f19631e4501c7b95ecdcb9fe3c5ced762c02ff6c91", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|11|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/features/configHeaders/ConfigHeadersList.jsx"}, "region": {"startLine": 11}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 43982, "scanner": "repobility-journey-contract", "fingerprint": "36efb3cd857337ccd771bfadebdf3044b0a4f18f8d858e07e4f18edbc2cb36d4", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, 
"reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|20|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/features/audits/AuditLogsList.jsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 43981, "scanner": "repobility-journey-contract", "fingerprint": "b54435b1b79e61b86944a2722c7f342beb86689d311a08a31d24d506ef014895", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|35|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/admin/AdminDashboard.jsx"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 43973, "scanner": "repobility-threat-engine", "fingerprint": "5c5f6e28c3bed202cae74be879dcb86831845ab42a222c2d8f5875a6b329ef01", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"${resetLink}\" target=\"_blank\" style=\"padding: 10px 20px; background-color: #007bff; color:", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|112|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backendmongo/src/utils/axiosmailer.js"}, "region": {"startLine": 112}}}]}, {"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 43947, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_CI", "scanner": "repobility-core", "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "CORE_NO_README", "level": "warning", "message": {"text": "No README file found"}, "properties": {"repobilityId": 43945, "scanner": "repobility-core", "fingerprint": "b55c73163757fe6b2364bb829fcd26e87b9d9e7b367dd2a3307a814b02b29cbd", "category": "documentation", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_README", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_readme"}}}, {"ruleId": 
"AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 43956, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d6ee5263125f1d202eb7041c7a903478bbc99f5cdce88daf8a3e38887a7bc41a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/pages/admin/AdminDashboard.jsx", "duplicate_line": 90, "correlation_key": "fp|d6ee5263125f1d202eb7041c7a903478bbc99f5cdce88daf8a3e38887a7bc41a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/user/UserDashboard.jsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 43955, "scanner": "repobility-ai-code-hygiene", "fingerprint": "30783c51264bb38880f4d5ea364ce72ccc2e3be8a738a4819a36719cc1ba1f15", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/pages/user/ForgotPassword.jsx", "duplicate_line": 82, "correlation_key": "fp|30783c51264bb38880f4d5ea364ce72ccc2e3be8a738a4819a36719cc1ba1f15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/user/ResetPassword.jsx"}, "region": {"startLine": 122}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 43954, "scanner": "repobility-ai-code-hygiene", "fingerprint": "76c57cb488a09c1e8e6071eda590b7134e3a79750331e9c8599c9d912fead2f6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/App.jsx", "duplicate_line": 93, "correlation_key": "fp|76c57cb488a09c1e8e6071eda590b7134e3a79750331e9c8599c9d912fead2f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/user/ResetPassword.jsx"}, "region": {"startLine": 66}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 43953, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4cb818deef2c1fe0ac852306390556ad1c324e85ea8b8ba6cbe69b5a0580b9b7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/App.jsx", "duplicate_line": 94, "correlation_key": "fp|4cb818deef2c1fe0ac852306390556ad1c324e85ea8b8ba6cbe69b5a0580b9b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/user/ForgotPassword.jsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 43952, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a351631c6937b859a56b2a53667d25988314b5a7df46f0e66204feb046de48fe", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/pages/features/configHeaders/UpdateConfigHeaderModal.jsx", "duplicate_line": 80, "correlation_key": "fp|a351631c6937b859a56b2a53667d25988314b5a7df46f0e66204feb046de48fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/features/orders/UpdateOrderModal.jsx"}, "region": {"startLine": 140}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 43951, "scanner": "repobility-ai-code-hygiene", "fingerprint": "566e17f01fe198f4808c1ae6862a60b63370f3b63007417823de3559ec2156f5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/pages/features/orders/CurrentDeliveries.jsx", "duplicate_line": 75, "correlation_key": "fp|566e17f01fe198f4808c1ae6862a60b63370f3b63007417823de3559ec2156f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/features/orders/OrdersList.jsx"}, "region": {"startLine": 223}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 43950, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d4c5f67875e0ce1aad3a2c577900735cf1be8f27f51f4b02fd702906e24c34f2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/pages/features/configs/ConfigurationsList.jsx", "duplicate_line": 9, "correlation_key": "fp|d4c5f67875e0ce1aad3a2c577900735cf1be8f27f51f4b02fd702906e24c34f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/features/configs/UpdateConfigurationModal.jsx"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 43949, "scanner": "repobility-ai-code-hygiene", "fingerprint": "931ab6d328945181d35237323c241274fe440f4e740ed16305358d35454bda75", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/pages/features/configHeaders/ConfigHeadersList.jsx", "duplicate_line": 60, "correlation_key": "fp|931ab6d328945181d35237323c241274fe440f4e740ed16305358d35454bda75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/features/configs/ConfigurationsList.jsx"}, "region": {"startLine": 106}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 43948, "scanner": "repobility-ai-code-hygiene", "fingerprint": "36a653dd40f4d887d78816b5cf2a6837a90f1676709c72552afa06186ca2cef3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backendmongo/src/models/ConfigHeader.js", "duplicate_line": 9, "correlation_key": "fp|36a653dd40f4d887d78816b5cf2a6837a90f1676709c72552afa06186ca2cef3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backendmongo/src/models/Configuration.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": {"repobilityId": 43946, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": "low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 43980, "scanner": "repobility-threat-engine", "fingerprint": "a528d3cc4debed03f5af141a08a3ace351560be9bd966d8f9ae83768bf150828", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|a528d3cc4debed03f5af141a08a3ace351560be9bd966d8f9ae83768bf150828"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/features/configs/CreateConfiguration.jsx"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 43979, "scanner": "repobility-threat-engine", "fingerprint": "a289f5b3bc77567cbc5e9d56e8a53570c9aaa40a66bb0de4d19183ce9f248b72", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a289f5b3bc77567cbc5e9d56e8a53570c9aaa40a66bb0de4d19183ce9f248b72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/features/audits/AuditLogsList.jsx"}, "region": {"startLine": 195}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 43978, "scanner": "repobility-threat-engine", "fingerprint": "f90a80be33cdb7eb4f1e174272bd42a8322bae290fe1ef9ab9246e9e44f0ce32", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", 
"owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f90a80be33cdb7eb4f1e174272bd42a8322bae290fe1ef9ab9246e9e44f0ce32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/App.jsx"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 43977, "scanner": "repobility-threat-engine", "fingerprint": "79283a98116511e763ab9213586d6bab1d3e3455d3485c469bc375b23e233838", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|79283a98116511e763ab9213586d6bab1d3e3455d3485c469bc375b23e233838"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backendmongo/src/utils/nodemailer.js"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 43976, "scanner": "repobility-threat-engine", "fingerprint": "49659780d4ee753ba163f53e77bd042f7683b2d9b55139a0499f09ec91d86c67", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('Reset password error:', e)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|7|console.error reset password error: e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/user/ResetPassword.jsx"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 43975, "scanner": "repobility-threat-engine", "fingerprint": "eb4f1f26e5bf69beddc57182a491a94ecc659a2756af9016d87eb66a84ed7b23", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('Error updating password:', err)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|7|console.error error updating password: err"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/features/users/UpdatePassword.jsx"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 43974, "scanner": "repobility-threat-engine", "fingerprint": "1fe194dcaa383d85ce91e15e111fd9c0cc3626ff1c17b528594f4b9659f07b9e", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "console.log(\"MAIL_HOST:\"+process.env.MAIL_HOST)", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|3|console.log mail_host: +process.env.mail_host"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backendmongo/src/utils/nodemailer.js"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. 
Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 43971, "scanner": "repobility-threat-engine", "fingerprint": "5680103535bbab2af243b8478e7b12d0f2454e4bb155499f8d5f47bc7d4ec190", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5680103535bbab2af243b8478e7b12d0f2454e4bb155499f8d5f47bc7d4ec190"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/src/server.js"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 43968, "scanner": "repobility-threat-engine", "fingerprint": "8323284e71c0a31a05bed90ab17738fa73ec0ef9ce708f2be963d66c42fd127f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8323284e71c0a31a05bed90ab17738fa73ec0ef9ce708f2be963d66c42fd127f", "aggregated_count": 11}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 43967, "scanner": "repobility-threat-engine", "fingerprint": "bc72eb7176f7fcfae3af5ce687599333bd1be03f7f03abaca3b97415e73d22e6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bc72eb7176f7fcfae3af5ce687599333bd1be03f7f03abaca3b97415e73d22e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/src/server.js"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 43966, "scanner": "repobility-threat-engine", "fingerprint": "763966a9d1abadb8c274bcaa445812bdd02464f997c82424ad2417355e38d0b1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|763966a9d1abadb8c274bcaa445812bdd02464f997c82424ad2417355e38d0b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/src/db.js"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 43965, "scanner": "repobility-threat-engine", "fingerprint": "945d83da8ed8b7d3ed3f1488b60a6e09b366dca0580c32050a0ac2814f2c839c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|945d83da8ed8b7d3ed3f1488b60a6e09b366dca0580c32050a0ac2814f2c839c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/src/audits.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 43995, "scanner": "repobility-journey-contract", "fingerprint": "14ed8ac43e7fb4a0da821b8426ba5d97509f08995bb91d0769a153cea911610b", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|125|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/user/ResetPassword.jsx"}, "region": {"startLine": 125}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, 
"properties": {"repobilityId": 43994, "scanner": "repobility-journey-contract", "fingerprint": "e8bb85d4197424110e0a64ac73ed2a9ab7ae51fc003fea9c0de8f5b918d27c07", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|118|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/features/users/CreateUser.jsx"}, "region": {"startLine": 118}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 43993, "scanner": "repobility-journey-contract", "fingerprint": "e58657c21b6338ece8ebcbd1f7c539e9d758c41e7b28fdaeda071c181244135d", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|client/src/app.jsx|156|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/App.jsx"}, "region": {"startLine": 156}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 43972, "scanner": "repobility-threat-engine", "fingerprint": "5ca1254703a56226b96fc40e3c37a896f8a0379d5e0d2599cc47f7939c042c7e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin', '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5ca1254703a56226b96fc40e3c37a896f8a0379d5e0d2599cc47f7939c042c7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backendmongo/src/routes/orders.routes.js"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 43970, "scanner": "repobility-threat-engine", "fingerprint": "f176210ecb28a928382e787af1cbad67aa01c0a29cf34036906d299be660adb5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Router.post('/login', async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f176210ecb28a928382e787af1cbad67aa01c0a29cf34036906d299be660adb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backendmongo/src/routes/auth.routes.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 43969, "scanner": "repobility-threat-engine", "fingerprint": "924a4784806b88bb9bc0ea41c3fbd6b535b89c6aaac6bc84f1658313446b0875", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.post('/login', (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|924a4784806b88bb9bc0ea41c3fbd6b535b89c6aaac6bc84f1658313446b0875"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/src/routes/auth.routes.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /login has no auth"}, "properties": {"repobilityId": 43963, "scanner": "repobility-route-auth", "fingerprint": "2a75669ebe7a085746487115c48216e7e51fe0a1c3828f6fa0ed008d9cbd1ec1", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|2a75669ebe7a085746487115c48216e7e51fe0a1c3828f6fa0ed008d9cbd1ec1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/src/routes/auth.routes.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT /orders/update/:id has no auth"}, "properties": {"repobilityId": 43958, "scanner": "repobility-route-auth", "fingerprint": 
"301005734e718c47c3a0b705b304d73096ab5f6fc3108ffaf589f80734e8f087", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|301005734e718c47c3a0b705b304d73096ab5f6fc3108ffaf589f80734e8f087"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/src/routes/orders.routes.js"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /orders/create has no auth"}, "properties": {"repobilityId": 43957, "scanner": "repobility-route-auth", "fingerprint": "cd9fa9a5fefe565d70f4907fe40143dcb4f01f27c681995c4de1b41ce1510a87", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|cd9fa9a5fefe565d70f4907fe40143dcb4f01f27c681995c4de1b41ce1510a87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/src/routes/orders.routes.js"}, "region": {"startLine": 16}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 43944, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": 
"repo|testing|core_no_tests"}}}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /admin/create-user"}, "properties": {"repobilityId": 43964, "scanner": "repobility-route-auth", "fingerprint": "660ab52f0a3679fa66b8c2fdac91a47f1e2145daaf5a2b4a445eb3a6c491eb7b", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|660ab52f0a3679fa66b8c2fdac91a47f1e2145daaf5a2b4a445eb3a6c491eb7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/src/routes/users.routes.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: PUT /admin/config-headers/update/:id"}, "properties": {"repobilityId": 43962, "scanner": "repobility-route-auth", "fingerprint": "48cc26da2e018774d099be4a645820860a736968146444dc304246e3455bbf1f", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|48cc26da2e018774d099be4a645820860a736968146444dc304246e3455bbf1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/src/routes/configHeaders.routes.js"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /admin/config-headers/create"}, "properties": {"repobilityId": 43961, "scanner": 
"repobility-route-auth", "fingerprint": "d50774dbbed896c0047b92901e1ddf49c6346f6d2b88ab4b29a105e2aa7b5f09", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|d50774dbbed896c0047b92901e1ddf49c6346f6d2b88ab4b29a105e2aa7b5f09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/src/routes/configHeaders.routes.js"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: PUT /admin/configurations/update/:id"}, "properties": {"repobilityId": 43960, "scanner": "repobility-route-auth", "fingerprint": "7ef57d59221a727bf5887cf2b9963436a82f9e7a4c728bf2f45a4395aa61efb0", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|7ef57d59221a727bf5887cf2b9963436a82f9e7a4c728bf2f45a4395aa61efb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/src/routes/configs.routes.js"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /admin/configurations/create"}, "properties": {"repobilityId": 43959, "scanner": "repobility-route-auth", "fingerprint": "93ea8309eea08275c15230f23105add76ec9fdb4536515368f49c7b30f387336", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|93ea8309eea08275c15230f23105add76ec9fdb4536515368f49c7b30f387336"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/src/routes/configs.routes.js"}, "region": {"startLine": 34}}}]}]}]}