{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC130", "name": "[SEC130] Hallucinated package name \u2014 looks like a real package but isn't: Import of a package name that closely resemble", "shortDescription": {"text": "[SEC130] Hallucinated package name \u2014 looks like a real package but isn't: Import of a package name that closely resembles a popular one but isn't published \u2014 a classic AI hallucination. Two risks: (1) the code crashes on install in fresh en"}, "fullDescription": {"text": "Verify the import resolves to a real, maintained package: check pypi.org / npmjs.com directly. If the package doesn't exist, the AI invented it \u2014 find the real package the AI was thinking of and swap. Pin all deps to known-good versions and require a registry allowlist in CI."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED058] React Dangerously Set Html (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n ALLOWED = {'images.example.com', 'cdn.example.com'}\n host = urlparse(url).hostname\n if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 13 more): Same pattern found in 13 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 17 more): Same pattern found in 17 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 7 more): Same pattern found in 7 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.ALI_OSS_AK_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_reques", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.ALI_OSS_AK_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ALI_OSS_AK_SECRET }` lets a PR from any fork exfiltrate th"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.", "shortDescription": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/771"}, "properties": {"repository": "ant-design/ant-design", "repoUrl": "https://github.com/ant-design/ant-design", "branch": "master"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 64645, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 64644, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 64632, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC130", "level": "warning", "message": {"text": "[SEC130] Hallucinated package name \u2014 looks like a real package but isn't: Import of a package name that closely resembles a popular one but isn't published \u2014 a classic AI hallucination. Two risks: (1) the code crashes on install in fresh environments, and (2) supply-chain attackers publish typosquat packages targeting exactly these AI-hallucinated names, so installing succeeds and ships malware ('slopsquatting'). CWE-1357 (dependency on an unmaintained / unverified component). CVE-2024-class sup"}, "properties": {"repobilityId": 64631, "scanner": "repobility-threat-engine", "fingerprint": "dcd1129db02bdf176d477c4a27e1a1f7e6d90805ccdf9c34374de852ddcf1720", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "import ReactT", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC130", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dcd1129db02bdf176d477c4a27e1a1f7e6d90805ccdf9c34374de852ddcf1720"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/theme/plugins/tech-stack.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 64616, "scanner": "repobility-threat-engine", "fingerprint": "3570f9bfe54bc59c4b5bff4b8300f0872106022ac49ce3db836bec48feecf102", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|28|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/theme/common/BezierVisualizer/index.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 64615, "scanner": "repobility-threat-engine", "fingerprint": "68301289058dab14b36518086dd3a12e098e782561ec6aa2e52a08b9d617192d", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|.dumi/rehypeantd.ts|80|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/rehypeAntd.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 64643, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 64642, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 64641, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64640, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0e3c3f0dc8feb19fc2c738a6e10b8e8ed03bc5a6d14bbb60895deb39291ca9d7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".dumi/theme/common/SelectSemanticTemplate.tsx", "duplicate_line": 63, "correlation_key": "fp|0e3c3f0dc8feb19fc2c738a6e10b8e8ed03bc5a6d14bbb60895deb39291ca9d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/theme/common/TreeSelectSemanticTemplate.tsx"}, "region": {"startLine": 60}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64639, "scanner": "repobility-ai-code-hygiene", "fingerprint": "056f01ec2d6f2965dfa05af179eab62fb0121d2d8d07781659b71e657ffba652", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".dumi/theme/common/ThemeSwitch/usePromptRecommend.ts", "duplicate_line": 50, "correlation_key": "fp|056f01ec2d6f2965dfa05af179eab62fb0121d2d8d07781659b71e657ffba652"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/theme/common/ThemeSwitch/usePromptTheme.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64638, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a1be142522af2bb654f520359572fa0170d2d847641c6c8bc6bade0f42a84921", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".dumi/theme/builtins/Sandpack/index.tsx", "duplicate_line": 16, "correlation_key": "fp|a1be142522af2bb654f520359572fa0170d2d847641c6c8bc6bade0f42a84921"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/theme/common/BehaviorMap/index.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64637, "scanner": "repobility-ai-code-hygiene", "fingerprint": "62505d677a54911dd6e5567b865e943e000974ecffc39f1c7c16438405d72c03", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".dumi/theme/builtins/InstallDependencies/bun.tsx", "duplicate_line": 1, "correlation_key": "fp|62505d677a54911dd6e5567b865e943e000974ecffc39f1c7c16438405d72c03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/theme/builtins/InstallDependencies/yarn.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64636, "scanner": "repobility-ai-code-hygiene", "fingerprint": "75753481a2420c14bcc3006a96c0830123d519db4d5c19182c01c4792ae23f20", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".dumi/theme/builtins/InstallDependencies/bun.tsx", "duplicate_line": 1, "correlation_key": "fp|75753481a2420c14bcc3006a96c0830123d519db4d5c19182c01c4792ae23f20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/theme/builtins/InstallDependencies/pnpm.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64635, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b237ed3df671176de3b4b9dac978d45c72ffd2a33ba778d3bbedd07896ec1c9c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".dumi/theme/builtins/InstallDependencies/bun.tsx", "duplicate_line": 1, "correlation_key": "fp|b237ed3df671176de3b4b9dac978d45c72ffd2a33ba778d3bbedd07896ec1c9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/theme/builtins/InstallDependencies/npm.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64634, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fd3103b3873440f76b441c53c07659d0223e9d1727689e467a9b9661e2ce31f1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".dumi/pages/index/components/ThemePreview/previewThemes/muiTheme.ts", "duplicate_line": 243, "correlation_key": "fp|fd3103b3873440f76b441c53c07659d0223e9d1727689e467a9b9661e2ce31f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/pages/index/components/ThemePreview/previewThemes/shadcnTheme.ts"}, "region": {"startLine": 192}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 64633, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ed6d4d7d1ccad87d9afdd5004e3e8b57f6071832e799fef41fd4aa8900531ecf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".dumi/pages/index/components/PreviewBanner/ComponentsBlock.tsx", "duplicate_line": 26, "correlation_key": "fp|ed6d4d7d1ccad87d9afdd5004e3e8b57f6071832e799fef41fd4aa8900531ecf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/pages/index/components/ThemePreview/ComponentsBlock.tsx"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 64618, "scanner": "repobility-threat-engine", "fingerprint": "28ebb2fc4c815f6e565a548627a875c0df68dadb45f78fc175a0ac8c3e6469e8", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|. token|32|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/scripts/mirror-notify.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 64624, "scanner": "repobility-threat-engine", "fingerprint": "24f97df3fe9e09a03794379a84a05c23e2aecd825fc2148cb1569ab22403044f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|24f97df3fe9e09a03794379a84a05c23e2aecd825fc2148cb1569ab22403044f", "aggregated_count": 3}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 64623, "scanner": "repobility-threat-engine", "fingerprint": "51f58efe82cdc20b3aae611066ac6397bdf2894c20a024736338a015998e3f4c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|51f58efe82cdc20b3aae611066ac6397bdf2894c20a024736338a015998e3f4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/theme/builtins/Previewer/DesignPreviewer.tsx"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 64622, "scanner": "repobility-threat-engine", "fingerprint": "ad3368b2a885f56409f9f81213fea454dc9e9f9fb19af877d85ff87f34c75672", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ad3368b2a885f56409f9f81213fea454dc9e9f9fb19af877d85ff87f34c75672"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/theme/builtins/Previewer/CodePreviewer.tsx"}, "region": {"startLine": 245}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 64621, "scanner": "repobility-threat-engine", "fingerprint": "b3f42ae2ed8ed91931703e78c4e218f06bd5816c9a690957f8f3cdd650feb9f0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b3f42ae2ed8ed91931703e78c4e218f06bd5816c9a690957f8f3cdd650feb9f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/theme/builtins/ImagePreview/index.tsx"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 64620, "scanner": "repobility-threat-engine", "fingerprint": "42291edd335cf9dec060d344b80ef3dcf01cd18657579f69808a5df71b13ea6c", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "UI component library ('chart') \u2014 innerHTML usage is controlled by the framework", "evidence": {"match": ".innerHTML = s", "reason": "UI component library ('chart') \u2014 innerHTML usage is controlled by the framework", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|. token|142|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/theme/common/BehaviorMap/BehaviorMap.tsx"}, "region": {"startLine": 142}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 64619, "scanner": "repobility-threat-engine", "fingerprint": "9b034d06688e0b0853f8bd579a39d49eb38c529bfb4fb3b4babe0662af54dc06", "category": "injection", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "React dangerouslySetInnerHTML \u2014 deliberate pattern with built-in XSS warnings", "evidence": {"match": ".innerHTML = s", "reason": "React dangerouslySetInnerHTML \u2014 deliberate pattern with built-in XSS warnings", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|injection|. token|296|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/theme/builtins/Previewer/CodePreviewer.tsx"}, "region": {"startLine": 296}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 64614, "scanner": "repobility-threat-engine", "fingerprint": "462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 64610, "scanner": "repobility-threat-engine", "fingerprint": "d7f594181ef7d6a707278fd0bbfa9918494cb5e31e08de25eb7881e568738c27", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d7f594181ef7d6a707278fd0bbfa9918494cb5e31e08de25eb7881e568738c27", "aggregated_count": 8}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 64609, "scanner": "repobility-threat-engine", "fingerprint": "6766a217f9f6c9f548159dc9f84e73d4756eabff744a5b19794171dfac399c23", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6766a217f9f6c9f548159dc9f84e73d4756eabff744a5b19794171dfac399c23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/pages/index/components/Theme/MobileCarousel.tsx"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 64608, "scanner": "repobility-threat-engine", "fingerprint": "e16666546e50bb8e734acd1a5b13606648c8bd92675296d40ae9b8c963992ebc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e16666546e50bb8e734acd1a5b13606648c8bd92675296d40ae9b8c963992ebc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/pages/index/components/DesignFramework.tsx"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 64607, "scanner": "repobility-threat-engine", "fingerprint": "ef9e5141228270ec2277cb6fcd77f8540b12550659692a2c686a200e65133e00", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ef9e5141228270ec2277cb6fcd77f8540b12550659692a2c686a200e65133e00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/pages/index/components/BannerRecommends.tsx"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 64606, "scanner": "repobility-threat-engine", "fingerprint": "53d0d55f0ce05bf89db2db74d074a0af0d2e2f55e7abb4083cb8de8c90e785f6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|53d0d55f0ce05bf89db2db74d074a0af0d2e2f55e7abb4083cb8de8c90e785f6", "aggregated_count": 7}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 64605, "scanner": "repobility-threat-engine", "fingerprint": "81303d65396818b9f8ee0ceaa1e863479141a057eae82c6b45917e949fbdb80d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|81303d65396818b9f8ee0ceaa1e863479141a057eae82c6b45917e949fbdb80d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/theme/common/ThemeSwitch/index.tsx"}, "region": {"startLine": 163}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 64604, "scanner": "repobility-threat-engine", "fingerprint": "31e84a14fcc7a51e974335d873843f706ab5ce5e3b930592fc356e2f5482deed", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|31e84a14fcc7a51e974335d873843f706ab5ce5e3b930592fc356e2f5482deed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/rehypeAntd.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 64603, "scanner": "repobility-threat-engine", "fingerprint": "c02b1ddc7bb73fb35858d882f91b80e7520af76d0730660136b409b4111a87ab", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c02b1ddc7bb73fb35858d882f91b80e7520af76d0730660136b409b4111a87ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/hooks/useThemeAnimation.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 64602, "scanner": "repobility-threat-engine", "fingerprint": "4b3d1f5da7bc76208217d4630f94b5c604a37c1b24cbe552082771023e8fad2d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4b3d1f5da7bc76208217d4630f94b5c604a37c1b24cbe552082771023e8fad2d", "aggregated_count": 3}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 64601, "scanner": "repobility-threat-engine", "fingerprint": "9138514eb7e6b6a3c52037b5f3f4594918835ad3a11a221c9b86efbed755826b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9138514eb7e6b6a3c52037b5f3f4594918835ad3a11a221c9b86efbed755826b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/theme/common/ThemeSwitch/usePromptRecommend.ts"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 64600, "scanner": "repobility-threat-engine", "fingerprint": "89015d3350b2f1baed69ed4d5e9af39bc09d78da4a62adb7ec5ac7c7c0706d8a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|89015d3350b2f1baed69ed4d5e9af39bc09d78da4a62adb7ec5ac7c7c0706d8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/scripts/mirror-notify.js"}, "region": {"startLine": 256}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 64599, "scanner": "repobility-threat-engine", "fingerprint": "2bccb36116b25e4d06fcbb9fe61a8434378f70b4d7de80936178865970874d8d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2bccb36116b25e4d06fcbb9fe61a8434378f70b4d7de80936178865970874d8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/hooks/useThemeAnimation.ts"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 64598, "scanner": "repobility-threat-engine", "fingerprint": "4c8764b5b26e37415a284cc3a005af3288cf252e855ab51befa2ed42c04aeec8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4c8764b5b26e37415a284cc3a005af3288cf252e855ab51befa2ed42c04aeec8", "aggregated_count": 13}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 64597, "scanner": "repobility-threat-engine", "fingerprint": "aa90a7464aad6ee280452b4a4846c6283c892d83a7869dcc571cbb56d9588f87", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa90a7464aad6ee280452b4a4846c6283c892d83a7869dcc571cbb56d9588f87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/pages/index/components/PreviewBanner/Tilt.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 64596, "scanner": "repobility-threat-engine", "fingerprint": "07c7fd1eceadeaf622a90d48eb46af41ee792a03024f8df3d2bdefb754167e80", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|07c7fd1eceadeaf622a90d48eb46af41ee792a03024f8df3d2bdefb754167e80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/pages/404/index.tsx"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 64595, "scanner": "repobility-threat-engine", "fingerprint": "d88ea308357658ecba2cca48a432bee4d3149129a60e8a4af5743ae7d75ea8c7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d88ea308357658ecba2cca48a432bee4d3149129a60e8a4af5743ae7d75ea8c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/hooks/useMenu.tsx"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "properties": {"repobilityId": 64594, "scanner": "repobility-threat-engine", "fingerprint": "2ed9b94f7dd1b61b76d610969b9861b23098ba6813748318276c670aeb343b3b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2ed9b94f7dd1b61b76d610969b9861b23098ba6813748318276c670aeb343b3b", "aggregated_count": 17}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 64593, "scanner": "repobility-threat-engine", "fingerprint": "52fcb2e7268e548493e16f4396de35dd787d43d89c12fc47a62aacb452d10663", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|52fcb2e7268e548493e16f4396de35dd787d43d89c12fc47a62aacb452d10663"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/remarkAnchor.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 64592, "scanner": "repobility-threat-engine", "fingerprint": "664fe942ab8027cb7290f4d46b0929d36fd28d80dccccb4a51efb38d5127b858", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|664fe942ab8027cb7290f4d46b0929d36fd28d80dccccb4a51efb38d5127b858"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/rehypeChangelog.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 64591, "scanner": "repobility-threat-engine", "fingerprint": "3e1a96b179d180c68a24001173ed605a818470f5b63b5df467dae9f8c6b55842", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3e1a96b179d180c68a24001173ed605a818470f5b63b5df467dae9f8c6b55842"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/hooks/useIssueCount.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 64590, "scanner": "repobility-threat-engine", "fingerprint": "e6b12850e54eb1ffa424becfb0f6a8e7a5c6d257d13b26934f0112681066c89f", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e6b12850e54eb1ffa424becfb0f6a8e7a5c6d257d13b26934f0112681066c89f"}}}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 64630, "scanner": "repobility-threat-engine", "fingerprint": "55ab248f1f0aa90d73310e71063751739b37a0cfa793d99b657eb3aaefe5656e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|55ab248f1f0aa90d73310e71063751739b37a0cfa793d99b657eb3aaefe5656e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/theme/plugins/build-assets.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 64629, "scanner": "repobility-threat-engine", "fingerprint": "bb06596c8df2276f135ca63174a7b4195759bbbdab38147ab3e8ca6db7ada85a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "subscribers.delete(paramToken);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bb06596c8df2276f135ca63174a7b4195759bbbdab38147ab3e8ca6db7ada85a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/_util/responsiveObserver.ts"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 64628, "scanner": "repobility-threat-engine", "fingerprint": "b1133e46a322e732c47216ebf42fef51451168cda8f65e61eb4461f4dfafde7e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "selectedKeys.delete(item);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b1133e46a322e732c47216ebf42fef51451168cda8f65e61eb4461f4dfafde7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "components/_util/hooks/useMultipleSelect.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 64627, "scanner": "repobility-threat-engine", "fingerprint": "35af2024a460c05d6805e34476a73738f6fe09c401c734e2bfd162fe6ad99edb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "nextSearchParams.delete('direction');", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|35af2024a460c05d6805e34476a73738f6fe09c401c734e2bfd162fe6ad99edb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/theme/layouts/GlobalLayout.tsx"}, "region": {"startLine": 127}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 64626, "scanner": "repobility-threat-engine", "fingerprint": "2e4c75c5cb238d81de6bc6653f7a6c575eded558e0bb0d65dcd093cfb00623e0", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2e4c75c5cb238d81de6bc6653f7a6c575eded558e0bb0d65dcd093cfb00623e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/theme/common/ComponentChangelog/ComponentChangelog.tsx"}, "region": {"startLine": 191}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 64625, "scanner": "repobility-threat-engine", "fingerprint": "ea303ad3c043ed0f5473a5dc7b84f7146e2a374cda52725225a859b5dc27ba1f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(value", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ea303ad3c043ed0f5473a5dc7b84f7146e2a374cda52725225a859b5dc27ba1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/theme/common/BezierVisualizer/index.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 64613, "scanner": "repobility-threat-engine", "fingerprint": "8a7136728f07926068245b8ea6274395023e3fb39f71e7fa0f2a706cf099f4bf", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(o", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8a7136728f07926068245b8ea6274395023e3fb39f71e7fa0f2a706cf099f4bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/scripts/mirror-notify.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 64612, "scanner": "repobility-threat-engine", "fingerprint": "6a9b727c9a57ce834ca3817e323f4f78b5899984fac01f4ed0f0ef94970e1bc2", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6a9b727c9a57ce834ca3817e323f4f78b5899984fac01f4ed0f0ef94970e1bc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/pages/index/components/Theme/colorUtil.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 64611, "scanner": "repobility-threat-engine", "fingerprint": "c42e7eb1bb05145beb491a05821eaa62cadfd0dc37d3fefb557bca3cceb1954b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c42e7eb1bb05145beb491a05821eaa62cadfd0dc37d3fefb557bca3cceb1954b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dumi/pages/index/components/BannerSponsors.tsx"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any