{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR003", "name": "Compose service `app` image uses the latest tag", "shortDescription": {"text": "Compose service `app` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image has no explicit tag", "shortDescription": {"text": "Dockerfile base image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED047", "name": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested.", "shortDescription": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 15 more): Same pattern found in 15 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 83 more): Same pattern found in 83 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 83 more): Same pattern found in 83 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED046", "name": "[MINED046] Dart Print: print() in Flutter goes to console. Use debugPrint / logger.", "shortDescription": {"text": "[MINED046] Dart Print: print() in Flutter goes to console. Use debugPrint / logger."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED002", "name": "[MINED002] Dart Null Bang (and 17 more): Same pattern found in 17 additional files. Review if needed.", "shortDescription": {"text": "[MINED002] Dart Null Bang (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `archlinux/archlinux (no tag)` not pinned by digest: `FROM archlinux/archlinux (no tag)` reso", "shortDescription": {"text": "[MINED118] Dockerfile FROM `archlinux/archlinux (no tag)` not pinned by digest: `FROM archlinux/archlinux (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially d"}, "fullDescription": {"text": "Replace with: `FROM archlinux/archlinux (no tag)@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC009", "name": "Compose service bind-mounts a sensitive host path", "shortDescription": {"text": "Compose service bind-mounts a sensitive host path"}, "fullDescription": {"text": "Mount only the exact file or directory required, prefer read-only mode, and avoid host system paths."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC002", "name": "Compose service uses host networking", "shortDescription": {"text": "Compose service uses host networking"}, "fullDescription": {"text": "Use the default bridge network and explicit ports, or document and isolate the exceptional host requirement."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED041", "name": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs.", "shortDescription": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/831"}, "properties": {"repository": "AppFlowy-IO/AppFlowy", "repoUrl": "https://github.com/AppFlowy-IO/AppFlowy", "branch": "main"}, "results": [{"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `app` image uses the latest tag"}, "properties": {"repobilityId": 73953, "scanner": "repobility-docker", "fingerprint": "6b6aff19d517dd5649cb8ec2eb514628201bea2f523d97c6c554678aa3558563", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "appflowy/appflowy:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6b6aff19d517dd5649cb8ec2eb514628201bea2f523d97c6c554678aa3558563"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/docker-buildfiles/docker-compose.yml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 73951, "scanner": "repobility-docker", "fingerprint": "343bfe226b529cda5164075526b727fe07bcb7cde6d54d04e17ffc6407e2f6d4", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "archlinux/archlinux", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|343bfe226b529cda5164075526b727fe07bcb7cde6d54d04e17ffc6407e2f6d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/docker-buildfiles/Dockerfile"}, "region": {"startLine": 61}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 73950, "scanner": "repobility-docker", "fingerprint": "6fc00f1bdbb833ca5ece3e6e24bb4fb5f0c8495154b1602b700ffe0f3c745d38", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|6fc00f1bdbb833ca5ece3e6e24bb4fb5f0c8495154b1602b700ffe0f3c745d38", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/docker-buildfiles/Dockerfile"}, "region": {"startLine": 47}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 73948, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "frontend/rust-lib/flowy-sqlite/migrations/2024-01-07-041005_recreate_snapshot_table/up.sql", "size_mb": 0.0}, {"path": "frontend/rust-lib/flowy-sqlite/migrations/2024-01-07-041005_recreate_snapshot_table/down.sql", "size_mb": 0.0}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 73947, "scanner": "repobility-agent-runtime", "fingerprint": "a1e6dbe1f78726156266c315a065c87f1aa5ae3dc2fa944d59d97ad2426d71d2", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|a1e6dbe1f78726156266c315a065c87f1aa5ae3dc2fa944d59d97ad2426d71d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/makefile/env.toml"}, "region": {"startLine": 126}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 73946, "scanner": "repobility-agent-runtime", "fingerprint": "edd1a884e9f4dcee128d70c96cc07f2fe7843b7bf17537faf1121ad45b842a64", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|edd1a884e9f4dcee128d70c96cc07f2fe7843b7bf17537faf1121ad45b842a64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/install_dev_env/install_linux.sh"}, "region": {"startLine": 30}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 73945, "scanner": "repobility-agent-runtime", "fingerprint": "3ae22af9e52eedeacf9d5409af716725bc4a07677ea42608c8a14749fc4142fb", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|3ae22af9e52eedeacf9d5409af716725bc4a07677ea42608c8a14749fc4142fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codemagic.yaml"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 73912, "scanner": "repobility-threat-engine", "fingerprint": "2cf086c93fe668bf50e9b886c02da3f6c50c2429fc32d9abebde3f223a7edc1c", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|32|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/rust-lib/flowy-sqlite/src/sqlite_impl/pragma.rs"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 73911, "scanner": "repobility-threat-engine", "fingerprint": "cc6cb5d5df02fb9e60a682a3d2485ac4ab70051fa6c4e35da5203e0885a9d6d2", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|14|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/rust-lib/flowy-sqlite/src/sqlite_impl/conn_ext.rs"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 73956, "scanner": "repobility-docker", "fingerprint": "e20f20a02f8107a203fa491bd3024cc6616d302c26a6d698df24bb0165223c1d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e20f20a02f8107a203fa491bd3024cc6616d302c26a6d698df24bb0165223c1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/docker-buildfiles/docker-compose.yml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 73952, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73944, "scanner": "repobility-ai-code-hygiene", "fingerprint": "48cb3a9ac922d0935e54e41e6fe2cfafd15d0df725607c84ac7a1e2bf9d64ccc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/lib/mobile/presentation/home/tab/_tab_bar.dart", "duplicate_line": 17, "correlation_key": "fp|48cb3a9ac922d0935e54e41e6fe2cfafd15d0df725607c84ac7a1e2bf9d64ccc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/lib/mobile/presentation/notifications/widgets/tab_bar.dart"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73943, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3a0f47f75a786bca65111b86225eb6a582175be5951016ce34b4e60110d0109d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/lib/mobile/presentation/home/setting/settings_popup_menu.dart", "duplicate_line": 89, "correlation_key": "fp|3a0f47f75a786bca65111b86225eb6a582175be5951016ce34b4e60110d0109d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/lib/mobile/presentation/notifications/widgets/settings_popup_menu.dart"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73942, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d03591b19b06dc70acd9e7e6b2da090d5025196d12d1bb486fdb78bf108003ce", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/lib/mobile/presentation/notifications/widgets/multi_select_notification_item.dart", "duplicate_line": 15, "correlation_key": "fp|d03591b19b06dc70acd9e7e6b2da090d5025196d12d1bb486fdb78bf108003ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/lib/mobile/presentation/notifications/widgets/notification_item.dart"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73941, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6ca59aa0f2f989e04ae2c02efb39afa21ad9a8dacda36559a1c521af11cc9d36", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/lib/mobile/presentation/home/space/space_menu_bottom_sheet.dart", "duplicate_line": 16, "correlation_key": "fp|6ca59aa0f2f989e04ae2c02efb39afa21ad9a8dacda36559a1c521af11cc9d36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/lib/mobile/presentation/home/workspaces/workspace_more_options.dart"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73940, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5eb9237a1f57e8b7cde32b86f9f5fdec404a077f24355cbcd5692449b1915c6a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/lib/mobile/presentation/home/space/mobile_space_menu.dart", "duplicate_line": 238, "correlation_key": "fp|5eb9237a1f57e8b7cde32b86f9f5fdec404a077f24355cbcd5692449b1915c6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/lib/mobile/presentation/home/workspaces/workspace_menu_bottom_sheet.dart"}, "region": {"startLine": 278}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73939, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b239892b0dce2e6cd6f8a4a92cd12369db34e6aa9c3073baa9d78976e6e1b726", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/lib/mobile/presentation/home/section_folder/mobile_home_section_folder.dart", "duplicate_line": 94, "correlation_key": "fp|b239892b0dce2e6cd6f8a4a92cd12369db34e6aa9c3073baa9d78976e6e1b726"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/lib/mobile/presentation/home/space/mobile_space.dart"}, "region": {"startLine": 142}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73938, "scanner": "repobility-ai-code-hygiene", "fingerprint": "08995894d277676f96144f621c1373fe9a73062fa86041d7064868175c1e8a4d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/lib/mobile/presentation/home/recent_folder/mobile_recent_view.dart", "duplicate_line": 134, "correlation_key": "fp|08995894d277676f96144f621c1373fe9a73062fa86041d7064868175c1e8a4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/lib/mobile/presentation/home/shared/mobile_page_card.dart"}, "region": {"startLine": 312}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73937, "scanner": "repobility-ai-code-hygiene", "fingerprint": "06cb811f7de901590c02e9d55073bd1f2f2814a664987bdea88742c4c04b9654", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/lib/mobile/presentation/favorite/mobile_favorite_folder.dart", "duplicate_line": 30, "correlation_key": "fp|06cb811f7de901590c02e9d55073bd1f2f2814a664987bdea88742c4c04b9654"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/lib/mobile/presentation/home/favorite_folder/favorite_space.dart"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73936, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d6c43923f2ac3724ebd56a42e4674d4ee51ed5286907e1d542edfc8a73788f7c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/lib/mobile/presentation/database/card/card_detail/widgets/mobile_create_field_button.dart", "duplicate_line": 23, "correlation_key": "fp|d6c43923f2ac3724ebd56a42e4674d4ee51ed5286907e1d542edfc8a73788f7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/lib/mobile/presentation/database/card/card_detail/widgets/row_page_button.dart"}, "region": {"startLine": 54}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73935, "scanner": "repobility-ai-code-hygiene", "fingerprint": "25e539e581290fa8a5685e368b0ee605d6181e70f7614f628deafea6b04b2eaa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/lib/features/shared_section/presentation/m_shared_section.dart", "duplicate_line": 24, "correlation_key": "fp|25e539e581290fa8a5685e368b0ee605d6181e70f7614f628deafea6b04b2eaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/lib/features/shared_section/presentation/shared_section.dart"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73934, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4831ee2c25de27b6d879f57d1b43577ea92d1b888157119f6050e22786b246f9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/lib/ai/widgets/prompt_input/select_sources_bottom_sheet.dart", "duplicate_line": 46, "correlation_key": "fp|4831ee2c25de27b6d879f57d1b43577ea92d1b888157119f6050e22786b246f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/lib/ai/widgets/prompt_input/select_sources_menu.dart"}, "region": {"startLine": 52}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73933, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e55426b03cedcc3a929f4b84f3559b88f69eeac0927135a07188ae6c9eb22e30", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/lib/ai/widgets/prompt_input/mention_page_bottom_sheet.dart", "duplicate_line": 70, "correlation_key": "fp|e55426b03cedcc3a929f4b84f3559b88f69eeac0927135a07188ae6c9eb22e30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/lib/ai/widgets/prompt_input/select_sources_bottom_sheet.dart"}, "region": {"startLine": 185}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73932, "scanner": "repobility-ai-code-hygiene", "fingerprint": "df241576522746e67175b8ab9b89689040fe68b4ffdbc370aa658c5387560f69", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/lib/ai/widgets/ai_prompt_modal/ai_prompt_database_modal.dart", "duplicate_line": 91, "correlation_key": "fp|df241576522746e67175b8ab9b89689040fe68b4ffdbc370aa658c5387560f69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/lib/ai/widgets/ai_prompt_modal/ai_prompt_modal.dart"}, "region": {"startLine": 63}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73931, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c38463b256735586e636c1753e06a533d49d2ff0e2787af05cf25c3645eed6d1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/integration_test/shared/mock/mock_ai.dart", "duplicate_line": 77, "correlation_key": "fp|c38463b256735586e636c1753e06a533d49d2ff0e2787af05cf25c3645eed6d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/lib/ai/service/appflowy_ai_service.dart"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73930, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2087660484fa55ad5a6d9ec19c82c33ac75b46ee5612e685afbae4e4c091fdaf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/integration_test/desktop/database/database_icon_test.dart", "duplicate_line": 15, "correlation_key": "fp|2087660484fa55ad5a6d9ec19c82c33ac75b46ee5612e685afbae4e4c091fdaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/mobile/document/page_style_test.dart"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73929, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3276be6037b72dd5bb707e7fb893338a53c3c243ba8179a151d886f8ce972b38", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/integration_test/desktop/database/database_icon_test.dart", "duplicate_line": 15, "correlation_key": "fp|3276be6037b72dd5bb707e7fb893338a53c3c243ba8179a151d886f8ce972b38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/desktop/sidebar/sidebar_view_item_test.dart"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73928, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d289930d03915356315c49328e8d5b4ff01c4939bfbb951c5b7bc0bb27c4777f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/integration_test/desktop/grid/grid_edit_row_test.dart", "duplicate_line": 12, "correlation_key": "fp|d289930d03915356315c49328e8d5b4ff01c4939bfbb951c5b7bc0bb27c4777f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/desktop/grid/grid_row_test.dart"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73927, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d90623766599a71891e7fce2071f68c15ebe1631e8a5861a08a829ec048705bd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/integration_test/desktop/grid/grid_edit_row_test.dart", "duplicate_line": 62, "correlation_key": "fp|d90623766599a71891e7fce2071f68c15ebe1631e8a5861a08a829ec048705bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/desktop/grid/grid_reorder_row_test.dart"}, "region": {"startLine": 101}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73926, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7a0e487051eedbf3fa8474708dd199cd631226aaccb8b5f31ae50e8c3fd2ae61", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/integration_test/desktop/grid/grid_filter_and_sort_test.dart", "duplicate_line": 10, "correlation_key": "fp|7a0e487051eedbf3fa8474708dd199cd631226aaccb8b5f31ae50e8c3fd2ae61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/desktop/grid/grid_reopen_test.dart"}, "region": {"startLine": 92}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73925, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1c40a6973b56c5ad81044d5f78efd788aa0ec98e08491aa78e3aac3b26de6321", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/integration_test/desktop/grid/grid_edit_row_test.dart", "duplicate_line": 11, "correlation_key": "fp|1c40a6973b56c5ad81044d5f78efd788aa0ec98e08491aa78e3aac3b26de6321"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/desktop/grid/grid_reopen_test.dart"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73924, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a69a682686591cc87fcd260c9bc419a013006e85e9dbbe3c5ffff27cbe014ba0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/integration_test/desktop/database/database_media_test.dart", "duplicate_line": 71, "correlation_key": "fp|a69a682686591cc87fcd260c9bc419a013006e85e9dbbe3c5ffff27cbe014ba0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/desktop/document/document_with_multi_image_block_test.dart"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73923, "scanner": "repobility-ai-code-hygiene", "fingerprint": "020c5598d68b5f530d8ca5270d33b1b343a67c56dcca738b876a944283ff37f5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/integration_test/desktop/document/document_with_image_block_test.dart", "duplicate_line": 85, "correlation_key": "fp|020c5598d68b5f530d8ca5270d33b1b343a67c56dcca738b876a944283ff37f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/desktop/document/document_with_multi_image_block_test.dart"}, "region": {"startLine": 49}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73922, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ffb1fbfffaf6861fe0904aa3d2b669444ead660961dfaf771633a74a823a7fdc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/integration_test/desktop/database/database_media_test.dart", "duplicate_line": 71, "correlation_key": "fp|ffb1fbfffaf6861fe0904aa3d2b669444ead660961dfaf771633a74a823a7fdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/desktop/document/document_with_image_block_test.dart"}, "region": {"startLine": 86}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73921, "scanner": "repobility-ai-code-hygiene", "fingerprint": "164d03b916b1a3909d5c0e60abb1a5a53d4f538a2b9a60b9b7f4aecbc77db8fb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/integration_test/desktop/cloud/database/database_image_test.dart", "duplicate_line": 44, "correlation_key": "fp|164d03b916b1a3909d5c0e60abb1a5a53d4f538a2b9a60b9b7f4aecbc77db8fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/desktop/document/document_with_image_block_test.dart"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73920, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4d5a7dcbd2b1fe5c2b52163d1336ee0e2ae197add4f4b628b70430b3871c9d16", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/integration_test/desktop/document/document_inline_sub_page_test.dart", "duplicate_line": 211, "correlation_key": "fp|4d5a7dcbd2b1fe5c2b52163d1336ee0e2ae197add4f4b628b70430b3871c9d16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/desktop/document/document_with_date_reminder_test.dart"}, "region": {"startLine": 117}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73919, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c549e70c6a56e0be47c4dd871da16500b76a728d546c5fbef254d1bcc5ac5e74", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/integration_test/desktop/document/document_deletion_test.dart", "duplicate_line": 14, "correlation_key": "fp|c549e70c6a56e0be47c4dd871da16500b76a728d546c5fbef254d1bcc5ac5e74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/desktop/document/document_inline_page_reference_test.dart"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73918, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e627bb0dc331655488aae20d25645c0a41216df27e3ad6aed3f90d8ddcd42d72", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/integration_test/desktop/database/database_icon_test.dart", "duplicate_line": 14, "correlation_key": "fp|e627bb0dc331655488aae20d25645c0a41216df27e3ad6aed3f90d8ddcd42d72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/desktop/document/document_callout_test.dart"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73917, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0480ca0699d704653f4307350ca7494448b1f0e25911488d44db03cb4c09ada4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/integration_test/desktop/database/database_calendar_test.dart", "duplicate_line": 6, "correlation_key": "fp|0480ca0699d704653f4307350ca7494448b1f0e25911488d44db03cb4c09ada4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/desktop/database/database_field_test.dart"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73916, "scanner": "repobility-ai-code-hygiene", "fingerprint": "06bdad3200bdb1f69499b3658ebfd5a7492384e19c4d5943da4cdc89f814e8f6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/integration_test/desktop/cloud/document/document_publish_test.dart", "duplicate_line": 18, "correlation_key": "fp|06bdad3200bdb1f69499b3658ebfd5a7492384e19c4d5943da4cdc89f814e8f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/desktop/cloud/workspace/workspace_settings_test.dart"}, "region": {"startLine": 72}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73915, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3f75aad41563b4e731f46b4d3b8aaba68174348a16bac625043bca3144b312ed", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/appflowy_flutter/integration_test/desktop/cloud/sidebar/sidebar_move_page_test.dart", "duplicate_line": 15, "correlation_key": "fp|3f75aad41563b4e731f46b4d3b8aaba68174348a16bac625043bca3144b312ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/desktop/cloud/workspace/workspace_settings_test.dart"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 73909, "scanner": "repobility-threat-engine", "fingerprint": "97d3d6a352e89cf23e228893764b2995ed1eee69879c981cc85d581616ab6a64", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|97d3d6a352e89cf23e228893764b2995ed1eee69879c981cc85d581616ab6a64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/rust-lib/flowy-ai/src/local_ai/database/translate.rs"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 73908, "scanner": "repobility-threat-engine", "fingerprint": "b984b5e3e8aab1f9fa93348d2bd5eb461069f94a9958632910080282a62e96da", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b984b5e3e8aab1f9fa93348d2bd5eb461069f94a9958632910080282a62e96da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "install.sh"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 73907, "scanner": "repobility-threat-engine", "fingerprint": "7f60a6a76ca5b69b36d4989fd120d2f24dd5b6d387327a15378f6acf36220ecd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7f60a6a76ca5b69b36d4989fd120d2f24dd5b6d387327a15378f6acf36220ecd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/rust-lib/event-integration-test/src/folder_event.rs"}, "region": {"startLine": 371}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 73906, "scanner": "repobility-threat-engine", "fingerprint": "f9d07b0c7ffad02db1f740a230b292fea409ad3be0b2aa27fc089cb7ccf130eb", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f9d07b0c7ffad02db1f740a230b292fea409ad3be0b2aa27fc089cb7ccf130eb", "aggregated_count": 4}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 73905, "scanner": "repobility-threat-engine", "fingerprint": "59cdb9f801a1b1f2da851fb9dcb3d8a1e060001cb65eff6798051b2ed9f2dee4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|59cdb9f801a1b1f2da851fb9dcb3d8a1e060001cb65eff6798051b2ed9f2dee4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/rust-lib/dart-ffi/src/lib.rs"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 73904, "scanner": "repobility-threat-engine", "fingerprint": "6d588c8f985b78baf29874d3f0bcfbf77f171a15bb5a9caf25179ea7247859e9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d588c8f985b78baf29874d3f0bcfbf77f171a15bb5a9caf25179ea7247859e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/rust-lib/dart-ffi/src/c.rs"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 73903, "scanner": "repobility-threat-engine", "fingerprint": "e2e7416594ff0bac404df2f9da275f69218e35ba8f9258eeca0ce5383b4be2cd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e2e7416594ff0bac404df2f9da275f69218e35ba8f9258eeca0ce5383b4be2cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/rust-lib/collab-integrate/src/config.rs"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 73902, "scanner": "repobility-threat-engine", "fingerprint": "e927f12b033e03c4349e7f79ee95ac2789482e181969a09e588da4b23ab9a911", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e927f12b033e03c4349e7f79ee95ac2789482e181969a09e588da4b23ab9a911", "aggregated_count": 9}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 73901, "scanner": "repobility-threat-engine", "fingerprint": "1ee25e3b7af3956051b285f5018a968723da541ab14a59d29e7489654b8ad743", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1ee25e3b7af3956051b285f5018a968723da541ab14a59d29e7489654b8ad743"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/rust-lib/build-tool/flowy-codegen/src/ts_event/mod.rs"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 73900, "scanner": "repobility-threat-engine", "fingerprint": "495f6aeda4ca39c10de7677b7b787293a8e97b9b52a4815270cac3f6967ad3ca", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|495f6aeda4ca39c10de7677b7b787293a8e97b9b52a4815270cac3f6967ad3ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/rust-lib/build-tool/flowy-codegen/src/protobuf_file/mod.rs"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 73899, "scanner": "repobility-threat-engine", "fingerprint": "2490b7a59dd3f50f4035830328e5f29615fe60ec6f886c6d9e522716bc1a650b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2490b7a59dd3f50f4035830328e5f29615fe60ec6f886c6d9e522716bc1a650b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/rust-lib/build-tool/flowy-codegen/src/dart_event/dart_event.rs"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 73897, "scanner": "repobility-threat-engine", "fingerprint": "2b7af641333437aa657e5de62638d8fda2f9d10f4627e5657f6d3e455b2fddab", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2b7af641333437aa657e5de62638d8fda2f9d10f4627e5657f6d3e455b2fddab", "aggregated_count": 15}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 73896, "scanner": "repobility-threat-engine", "fingerprint": "0a9a49ca084f9b155458d3173ea96312541de3f79f87182ca82bba8ba149d297", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0a9a49ca084f9b155458d3173ea96312541de3f79f87182ca82bba8ba149d297"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/rust-lib/build-tool/flowy-codegen/src/ast.rs"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 73895, "scanner": "repobility-threat-engine", "fingerprint": "8a74f91dc832219b1a99086d697096fb1685251b3144c5c99e910e553cadb7ad", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8a74f91dc832219b1a99086d697096fb1685251b3144c5c99e910e553cadb7ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/rust-lib/build-tool/flowy-ast/src/ty_ext.rs"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 73894, "scanner": "repobility-threat-engine", "fingerprint": "d993c41cb9c95ff1c84dce822a91a6d3d32fa1ff98f187769a0f1eedf9a2c9d3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d993c41cb9c95ff1c84dce822a91a6d3d32fa1ff98f187769a0f1eedf9a2c9d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/rust-lib/build-tool/flowy-ast/src/ctxt.rs"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 83 more): Same pattern found in 83 additional files. Review if needed."}, "properties": {"repobilityId": 73893, "scanner": "repobility-threat-engine", "fingerprint": "0ec2df7b9840e0b54f2e3e5b9da71c97c26b1545e71f011b2a67447ceb09db1e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 83 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0ec2df7b9840e0b54f2e3e5b9da71c97c26b1545e71f011b2a67447ceb09db1e", "aggregated_count": 83}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 73889, "scanner": "repobility-threat-engine", "fingerprint": "b8f6476b40c6b0c117c62705cc8affa9b98ac771199163ac6db926e38da22eac", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b8f6476b40c6b0c117c62705cc8affa9b98ac771199163ac6db926e38da22eac", "aggregated_count": 1}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 73888, "scanner": "repobility-threat-engine", "fingerprint": "4cd5953ac43229140a542fdf333d82b1b95bf8ca1a6380aceb988afb6f788b58", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4cd5953ac43229140a542fdf333d82b1b95bf8ca1a6380aceb988afb6f788b58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/packages/flowy_infra_ui/example/windows/runner/win32_window.cpp"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 73887, "scanner": "repobility-threat-engine", "fingerprint": "a7db2ad364c1873ed9aae8b6266b7b5b4f2c8df7d3858e8deebab314f4b649b8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a7db2ad364c1873ed9aae8b6266b7b5b4f2c8df7d3858e8deebab314f4b649b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/packages/appflowy_popover/example/windows/runner/win32_window.cpp"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 73886, "scanner": "repobility-threat-engine", "fingerprint": "556e6d3f73487a9a3787ef2d4709edbf4a21a5e7f1feab3198854198b2c877c8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|556e6d3f73487a9a3787ef2d4709edbf4a21a5e7f1feab3198854198b2c877c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/packages/appflowy_backend/example/windows/runner/win32_window.cpp"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED046", "level": "none", "message": {"text": "[MINED046] Dart Print: print() in Flutter goes to console. Use debugPrint / logger."}, "properties": {"repobilityId": 73885, "scanner": "repobility-threat-engine", "fingerprint": "6da04c3f6ec92949f4d3904d145b01d6d7c7c4d2258222ca0ad9dda5cf312950", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "dart-print", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["dart"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348008+00:00", "triaged_in_corpus": 10, "observations_count": 1515005, "ai_coder_pattern_id": 168}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6da04c3f6ec92949f4d3904d145b01d6d7c7c4d2258222ca0ad9dda5cf312950"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/packages/appflowy_ui/script/generate_theme.dart"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED046", "level": "none", "message": {"text": "[MINED046] Dart Print: print() in Flutter goes to console. Use debugPrint / logger."}, "properties": {"repobilityId": 73884, "scanner": "repobility-threat-engine", "fingerprint": "e34b374219be2cc1548d0edc346f43e084e47bed1feb28746521dde29dd7a563", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "dart-print", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["dart"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348008+00:00", "triaged_in_corpus": 10, "observations_count": 1515005, "ai_coder_pattern_id": 168}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e34b374219be2cc1548d0edc346f43e084e47bed1feb28746521dde29dd7a563"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/shared/dir.dart"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 73883, "scanner": "repobility-threat-engine", "fingerprint": "821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756"}}}, {"ruleId": "MINED002", "level": "none", "message": {"text": "[MINED002] Dart Null Bang (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "properties": {"repobilityId": 73879, "scanner": "repobility-threat-engine", "fingerprint": "51d1b9d4755be4c59d4fe05a38c14c87a509ce5789a7ccd44b17135a3657deac", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "dart-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["dart"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347899+00:00", "triaged_in_corpus": 15, "observations_count": 1434931, "ai_coder_pattern_id": 167}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|51d1b9d4755be4c59d4fe05a38c14c87a509ce5789a7ccd44b17135a3657deac", "aggregated_count": 17}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73983, "scanner": "repobility-supply-chain", "fingerprint": "47e823a23eeb89802e9c8f06827c07a480c5ff43983d652e80fae4ee672b05b2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|47e823a23eeb89802e9c8f06827c07a480c5ff43983d652e80fae4ee672b05b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/flutter_ci.yaml"}, "region": {"startLine": 356}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73982, "scanner": "repobility-supply-chain", "fingerprint": "8bf7dd4b8fada5543a88c13abc997e57f2fcef1225bed768d89c7d98da933892", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8bf7dd4b8fada5543a88c13abc997e57f2fcef1225bed768d89c7d98da933892"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/flutter_ci.yaml"}, "region": {"startLine": 318}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `taiki-e/install-action` pinned to mutable ref `@v2`: `uses: taiki-e/install-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73981, "scanner": "repobility-supply-chain", "fingerprint": "4c0b454bf609aba74214418861bcae73d2fa07b1c85d44a87e7c1557e7643208", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4c0b454bf609aba74214418861bcae73d2fa07b1c85d44a87e7c1557e7643208"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/flutter_ci.yaml"}, "region": {"startLine": 300}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `subosito/flutter-action` pinned to mutable ref `@v2`: `uses: subosito/flutter-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73980, "scanner": "repobility-supply-chain", "fingerprint": "64ee3ee894cde061ae0679c51e68113b598f913675e68d461704f6ff6abbdac0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|64ee3ee894cde061ae0679c51e68113b598f913675e68d461704f6ff6abbdac0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/flutter_ci.yaml"}, "region": {"startLine": 295}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73979, "scanner": "repobility-supply-chain", "fingerprint": "7bb57b142232d633cb844623fad3133904a703157520c8d69e76eb0b0100cf11", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7bb57b142232d633cb844623fad3133904a703157520c8d69e76eb0b0100cf11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/flutter_ci.yaml"}, "region": {"startLine": 291}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73978, "scanner": "repobility-supply-chain", "fingerprint": "d9b9a4f802f627b4d1b150f0ba6700d4e82630f22001f90ca4bafe7bf4f6c216", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d9b9a4f802f627b4d1b150f0ba6700d4e82630f22001f90ca4bafe7bf4f6c216"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/flutter_ci.yaml"}, "region": {"startLine": 233}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73977, "scanner": "repobility-supply-chain", "fingerprint": "ead1669766a3b53ffe5aa263b0a2ed74154d7ea2d7acca29f03bdf543824478f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ead1669766a3b53ffe5aa263b0a2ed74154d7ea2d7acca29f03bdf543824478f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/flutter_ci.yaml"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `taiki-e/install-action` pinned to mutable ref `@v2`: `uses: taiki-e/install-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73976, "scanner": "repobility-supply-chain", "fingerprint": "5d397bbe294578c60ed8ccb1e39ce03722187cedd81b2b683611b8967fd3276d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5d397bbe294578c60ed8ccb1e39ce03722187cedd81b2b683611b8967fd3276d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/flutter_ci.yaml"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73975, "scanner": "repobility-supply-chain", "fingerprint": "d80d3dbd455e42338cd2141c6ce0de48a5507cb06404d598616e899fdc923dc5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d80d3dbd455e42338cd2141c6ce0de48a5507cb06404d598616e899fdc923dc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/flutter_ci.yaml"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `subosito/flutter-action` pinned to mutable ref `@v2`: `uses: subosito/flutter-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73974, "scanner": "repobility-supply-chain", "fingerprint": "ccbfc4058b67dc5a29bc9e9de330eb1154409f6c0292138b35f497c2ddf6d0d7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ccbfc4058b67dc5a29bc9e9de330eb1154409f6c0292138b35f497c2ddf6d0d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/flutter_ci.yaml"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions-rs/toolchain` pinned to mutable ref `@v1`: `uses: actions-rs/toolchain@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73973, "scanner": "repobility-supply-chain", "fingerprint": "0d4d89ca1415ca70cbb7a2a0d3467232f4f17af821ad2319b7861dd97e562215", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0d4d89ca1415ca70cbb7a2a0d3467232f4f17af821ad2319b7861dd97e562215"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/flutter_ci.yaml"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73972, "scanner": "repobility-supply-chain", "fingerprint": "0e96f2bae194525585ad3cec9524232e533bb46de61bacd6e04c0f6f19686c94", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0e96f2bae194525585ad3cec9524232e533bb46de61bacd6e04c0f6f19686c94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/flutter_ci.yaml"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73971, "scanner": "repobility-supply-chain", "fingerprint": "bc8be0e10ada6d81e6c97d6715bdd255367d52db22fd3d7e4023dba6f3fc32ec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bc8be0e10ada6d81e6c97d6715bdd255367d52db22fd3d7e4023dba6f3fc32ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/flutter_ci.yaml"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73970, "scanner": "repobility-supply-chain", "fingerprint": "90f7c8b1bdd03b38dd44296190e190608bbff6cb32c4ee42b7aa2fab8d668f11", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|90f7c8b1bdd03b38dd44296190e190608bbff6cb32c4ee42b7aa2fab8d668f11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/flutter_ci.yaml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73969, "scanner": "repobility-supply-chain", "fingerprint": "df1223f4e2ccd5d05a3c5399fcd2b716a7a556e38636390d460a325081da6371", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|df1223f4e2ccd5d05a3c5399fcd2b716a7a556e38636390d460a325081da6371"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/flutter_ci.yaml"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73968, "scanner": "repobility-supply-chain", "fingerprint": "3176a08f7866adb0d753156e18fdff3b3e8950773593911d38dc1ca90f00e608", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3176a08f7866adb0d753156e18fdff3b3e8950773593911d38dc1ca90f00e608"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker_ci.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73967, "scanner": "repobility-supply-chain", "fingerprint": "6ea1a0d32aec1caf49f53f8a8cb2ecb530dfae4678b26cdf692ee28bb13564bf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6ea1a0d32aec1caf49f53f8a8cb2ecb530dfae4678b26cdf692ee28bb13564bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust_coverage.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `subosito/flutter-action` pinned to mutable ref `@v2`: `uses: subosito/flutter-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73966, "scanner": "repobility-supply-chain", "fingerprint": "d5d662e8724ba0efa0734cddcf9216f2f713152404ed62c1cc7d5bf11b96c77c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d5d662e8724ba0efa0734cddcf9216f2f713152404ed62c1cc7d5bf11b96c77c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust_coverage.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions-rs/toolchain` pinned to mutable ref `@v1`: `uses: actions-rs/toolchain@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73965, "scanner": "repobility-supply-chain", "fingerprint": "d6312382c35e92cd775b77c698e4ced00b74e2304dcd8637c0d09cbb71ad9424", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d6312382c35e92cd775b77c698e4ced00b74e2304dcd8637c0d09cbb71ad9424"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust_coverage.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73964, "scanner": "repobility-supply-chain", "fingerprint": "0e5006680cbf413273f28df7d2cab1bde1dd25e371df4c4c108516040018324b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0e5006680cbf413273f28df7d2cab1bde1dd25e371df4c4c108516040018324b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust_coverage.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `opral/ninja-i18n-action` pinned to mutable ref `@main`: `uses: opral/ninja-i18n-action@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73963, "scanner": "repobility-supply-chain", "fingerprint": "c76affde40b643b5dec1e9f2f6af7984d6b598c7c5197d799fadbeb292f94324", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c76affde40b643b5dec1e9f2f6af7984d6b598c7c5197d799fadbeb292f94324"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ninja_i18n.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73962, "scanner": "repobility-supply-chain", "fingerprint": "82258cb7dd18ce2902337297882077e469876bd93d4f715a1fd2b22331d31b5b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|82258cb7dd18ce2902337297882077e469876bd93d4f715a1fd2b22331d31b5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ninja_i18n.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `VeryGoodOpenSource/very_good_workflows/.github/workflows/flutter_package.yml` pinned to mutable ref `@v1`: `uses: VeryGoodOpenSource/very_good_workflows/.github/workflows/flutter_package.yml@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73961, "scanner": "repobility-supply-chain", "fingerprint": "8028ce83cf5036277b5c91fd23bf3e9655df887bac6099e7d65a106161ac5831", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8028ce83cf5036277b5c91fd23bf3e9655df887bac6099e7d65a106161ac5831"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/packages/flowy_svg/.github/workflows/main.yaml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `VeryGoodOpenSource/very_good_workflows/.github/workflows/spell_check.yml` pinned to mutable ref `@v1`: `uses: VeryGoodOpenSource/very_good_workflows/.github/workflows/spell_check.yml@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73960, "scanner": "repobility-supply-chain", "fingerprint": "4db43a89160b6d0352f2ed8e127fd9959fbcfb42a51328b19f62a43c88f69d2c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4db43a89160b6d0352f2ed8e127fd9959fbcfb42a51328b19f62a43c88f69d2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/packages/flowy_svg/.github/workflows/main.yaml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `VeryGoodOpenSource/very_good_workflows/.github/workflows/semantic_pull_request.yml` pinned to mutable ref `@v1`: `uses: VeryGoodOpenSource/very_good_workflows/.github/workflows/semantic_pull_request.yml@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 73959, "scanner": "repobility-supply-chain", "fingerprint": "7b67c4a3fd72f8e22deb334586b88e1124bb49f834b3fa54408945c3ea557188", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7b67c4a3fd72f8e22deb334586b88e1124bb49f834b3fa54408945c3ea557188"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/packages/flowy_svg/.github/workflows/main.yaml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `archlinux/archlinux (no tag)` not pinned by digest: `FROM archlinux/archlinux (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73958, "scanner": "repobility-supply-chain", "fingerprint": "ed1ec382d47e256a0916d4883ad046ea727bb18344860b40d2ed78ca4a4432dc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ed1ec382d47e256a0916d4883ad046ea727bb18344860b40d2ed78ca4a4432dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/docker-buildfiles/Dockerfile"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `archlinux/archlinux:base-devel` not pinned by digest: `FROM archlinux/archlinux:base-devel` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73957, "scanner": "repobility-supply-chain", "fingerprint": "e79d8e85a4e7e97f8b6e034e944582959382919c0cf3fda475879f6f574cace3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e79d8e85a4e7e97f8b6e034e944582959382919c0cf3fda475879f6f574cace3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/docker-buildfiles/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKC009", "level": "error", "message": {"text": "Compose service bind-mounts a sensitive host path"}, "properties": {"repobilityId": 73955, "scanner": "repobility-docker", "fingerprint": "1209dc71ebaef9df8f69de97e7ae0a7a1e6a905828af02095cd71312b59b3b25", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Bind mount source points at a sensitive host path.", "evidence": {"source": "/var/run/dbus/system_bus_socket", "rule_id": "DKC009", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1209dc71ebaef9df8f69de97e7ae0a7a1e6a905828af02095cd71312b59b3b25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/docker-buildfiles/docker-compose.yml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 73954, "scanner": "repobility-docker", "fingerprint": "5e082b9ecd96a6f39dfe0566a414dbb297ea1354ce7af86810bafdcfa21d303e", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5e082b9ecd96a6f39dfe0566a414dbb297ea1354ce7af86810bafdcfa21d303e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/docker-buildfiles/docker-compose.yml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 73949, "scanner": "repobility-docker", "fingerprint": "c25d464eb492da018dd4fa10e156dc4cec1ebca7ece7c584a7bdbadfe55fdb7e", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c25d464eb492da018dd4fa10e156dc4cec1ebca7ece7c584a7bdbadfe55fdb7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/docker-buildfiles/Dockerfile"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 73914, "scanner": "repobility-threat-engine", "fingerprint": "afe6308341aeaa25d306c7d42c70d213a9486666febcbd47a7d41f2e0f6878c4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|afe6308341aeaa25d306c7d42c70d213a9486666febcbd47a7d41f2e0f6878c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/install_dev_env/install_linux.sh"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 73913, "scanner": "repobility-threat-engine", "fingerprint": "5aab120aa2bdbc990fa40ea032d83146e3e67edbfc856a07b25c0a3a4557cd9d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5aab120aa2bdbc990fa40ea032d83146e3e67edbfc856a07b25c0a3a4557cd9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/rust-lib/lib-infra/src/util.rs"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 73910, "scanner": "repobility-threat-engine", "fingerprint": "c33438e4789aa665f98f3c0190b93fbdd1bb9f8c4ddab4402f475774cae7c3b3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "hasher.update(&buffer[..bytes_read]);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c33438e4789aa665f98f3c0190b93fbdd1bb9f8c4ddab4402f475774cae7c3b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/rust-lib/flowy-ai/src/local_ai/request.rs"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 73898, "scanner": "repobility-threat-engine", "fingerprint": "9889b5a6ddfaf640511f2852a4f5bec386c90e72bbfdb4adff0da4fabc37fac8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9889b5a6ddfaf640511f2852a4f5bec386c90e72bbfdb4adff0da4fabc37fac8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/rust-lib/build-tool/flowy-ast/src/event_attrs.rs"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 73892, "scanner": "repobility-threat-engine", "fingerprint": "e98fb8fe1748cd8b290f422785f725b15b3bba34fd7c095e1d4f49199d7cf54d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e98fb8fe1748cd8b290f422785f725b15b3bba34fd7c095e1d4f49199d7cf54d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/rust-lib/build-tool/flowy-ast/src/event_attrs.rs"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 73891, "scanner": "repobility-threat-engine", "fingerprint": "f0c9ede2b885722710f33b86037743cdfe60a39f7b8a0874b185de3246e2b8d5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f0c9ede2b885722710f33b86037743cdfe60a39f7b8a0874b185de3246e2b8d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/rust-lib/build-tool/flowy-ast/src/ctxt.rs"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 73890, "scanner": "repobility-threat-engine", "fingerprint": "6439e311b2885d5a41b61d73f88383c86da4438619b13383d4965a199d8a597b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6439e311b2885d5a41b61d73f88383c86da4438619b13383d4965a199d8a597b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/rust-lib/build-tool/flowy-ast/src/ast.rs"}, "region": {"startLine": 202}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 73882, "scanner": "repobility-threat-engine", "fingerprint": "2f9b5f19ccf8d0e2a992ed1c058b4295b99bf7307ffd9a75a8f844c9b9288b26", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2f9b5f19ccf8d0e2a992ed1c058b4295b99bf7307ffd9a75a8f844c9b9288b26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/shared/mock/mock_url_launcher.dart"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 73881, "scanner": "repobility-threat-engine", "fingerprint": "d692066b3a3af384010ec79de38a751d7aad12ad1ac361bade73928e2e14ce7c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(d", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d692066b3a3af384010ec79de38a751d7aad12ad1ac361bade73928e2e14ce7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/shared/expectation.dart"}, "region": {"startLine": 255}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 73880, "scanner": "repobility-threat-engine", "fingerprint": "dd4e44864217db69bbcf1e2d511262029c0f9e1ff404721f22fd268ec2e7c5d9", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(\n        k", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dd4e44864217db69bbcf1e2d511262029c0f9e1ff404721f22fd268ec2e7c5d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/desktop/settings/sign_in_page_settings_test.dart"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED002", "level": "error", "message": {"text": "[MINED002] Dart Null Bang: value! throws on null. Use ?. or null check."}, "properties": {"repobilityId": 73878, "scanner": "repobility-threat-engine", "fingerprint": "2443e178891345b71fbe99f87225a26e39a5fd469888fadec77654885d7b46b0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "dart-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["dart"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347899+00:00", "triaged_in_corpus": 15, "observations_count": 1434931, "ai_coder_pattern_id": 167}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2443e178891345b71fbe99f87225a26e39a5fd469888fadec77654885d7b46b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/desktop/cloud/workspace/share_menu_test.dart"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED002", "level": "error", "message": {"text": "[MINED002] Dart Null Bang: value! throws on null. Use ?. or null check."}, "properties": {"repobilityId": 73877, "scanner": "repobility-threat-engine", "fingerprint": "ca8ce350424b4feaa98814a999975510492ff7cd9c0306cdf67fa99c1db238b8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "dart-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["dart"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347899+00:00", "triaged_in_corpus": 15, "observations_count": 1434931, "ai_coder_pattern_id": 167}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ca8ce350424b4feaa98814a999975510492ff7cd9c0306cdf67fa99c1db238b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/desktop/cloud/sidebar/sidebar_rename_untitled_test.dart"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED002", "level": "error", "message": {"text": "[MINED002] Dart Null Bang: value! throws on null. Use ?. or null check."}, "properties": {"repobilityId": 73876, "scanner": "repobility-threat-engine", "fingerprint": "ba452460c3483f3848d0655a646185ee91c2d79af7721f081909d1d569cdc3d6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "dart-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["dart"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347899+00:00", "triaged_in_corpus": 15, "observations_count": 1434931, "ai_coder_pattern_id": 167}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ba452460c3483f3848d0655a646185ee91c2d79af7721f081909d1d569cdc3d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/appflowy_flutter/integration_test/desktop/cloud/document/document_ai_writer_test.dart"}, "region": {"startLine": 91}}}]}]}]}