{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /v"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /."}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 41.7% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 41.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC127", "name": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedEr", "shortDescription": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or "}, "fullDescription": {"text": "Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `_infer_form_from_name` has cognitive complexity 11 (SonarSource scale). C", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `_infer_form_from_name` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and r"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 11."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED030", "name": "[MINED030] Python Pickle Loads (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED030] Python Pickle Loads (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC081", "name": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data (and 4 more): Same pattern found in 4 additional files. ", "shortDescription": {"text": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Use json, msgpack, or protobuf for untrusted data. If pickle is required, sign the payload with HMAC."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC078] Python: requests without timeout (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 3 more): Same pattern found in 3 additional files. ", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 17 more): Same pattern found in 17 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images "}, "fullDescription": {"text": "Replace with: `FROM node:22-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express POST /check has no auth: Express route POST /check declared without an auth middleware in its handler", "shortDescription": {"text": "[MINED113] Express POST /check has no auth: Express route POST /check declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "fullDescription": {"text": "Add an auth middleware: app.post('/check', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "[MINED112] FastAPI POST /generate has no auth: Handler `generate_tts` is registered with router/app.post(...) but no Dep", "shortDescription": {"text": "[MINED112] FastAPI POST /generate has no auth: Handler `generate_tts` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "fullDescription": {"text": "Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self._extract_strength_from_ingredients` used but never assigned in __init__: Method `_parse_openfda_respons", "shortDescription": {"text": "[MINED108] `self._extract_strength_from_ingredients` used but never assigned in __init__: Method `_parse_openfda_response` of class `CommercialMRPScraper` reads `self._extract_strength_from_ingredients`, but no assignment to it exists in __"}, "fullDescription": {"text": "Initialize `self._extract_strength_from_ingredients = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. T", "shortDescription": {"text": "[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import stat` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.", "shortDescription": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1100"}, "properties": {"repository": "RatLoopz/sahidawa-india", "repoUrl": "https://github.com/RatLoopz/sahidawa-india", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 108291, "scanner": "repobility-ast-engine", "fingerprint": "0137f5de0eb758a6d342e1eb3ee264c67d0559f056215a94a9ced7e4278560cb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0137f5de0eb758a6d342e1eb3ee264c67d0559f056215a94a9ced7e4278560cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/etl/src/scrapers/jan_aushadhi.py"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 108290, "scanner": "repobility-ast-engine", "fingerprint": "b82c393d1973582e3cb47d94480410e65857cac3d3f958b4e414bd9695da30b7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b82c393d1973582e3cb47d94480410e65857cac3d3f958b4e414bd9695da30b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/scrapers/commercial_mrp.py"}, "region": {"startLine": 321}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 108279, "scanner": "repobility-ast-engine", "fingerprint": "9932c0f913bbd2d4d9840e20290861f486af00ec77238a91eaa67660c374340f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9932c0f913bbd2d4d9840e20290861f486af00ec77238a91eaa67660c374340f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/services/telemetry.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 108263, "scanner": "repobility-ast-engine", "fingerprint": "90aa73c8cf72a208a7a48ae092bcb5e8651acf118ba14d8ae40e72e42e34d10a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|90aa73c8cf72a208a7a48ae092bcb5e8651acf118ba14d8ae40e72e42e34d10a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/verify.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 108261, "scanner": "repobility-ast-engine", "fingerprint": "9f683204210e8b548bf82d27d9d0f757cebc49d71c967b04cc6f810ce555c287", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9f683204210e8b548bf82d27d9d0f757cebc49d71c967b04cc6f810ce555c287"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/scratch_test.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 108260, "scanner": "repobility-ast-engine", "fingerprint": "e8b4ad1b6a679b77cb504646c11211aa3aea1e2bfbcb3de8eceade607f391911", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e8b4ad1b6a679b77cb504646c11211aa3aea1e2bfbcb3de8eceade607f391911"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/linkedin_shoutout.py"}, "region": {"startLine": 285}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 108259, "scanner": "repobility-ast-engine", "fingerprint": "26cace3ccb1bbf210c7f90a4e14e205ff35a03a8ff3c33587a97bedfc45fcbfe", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|26cace3ccb1bbf210c7f90a4e14e205ff35a03a8ff3c33587a97bedfc45fcbfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/linkedin_shoutout.py"}, "region": {"startLine": 206}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 108258, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 108254, "scanner": "repobility-journey-contract", "fingerprint": "7ff31ae12034ed17cff394e791a8687cd5a9d521fe2544a376eba7e490b053b0", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/verify/batch", "correlation_key": "fp|7ff31ae12034ed17cff394e791a8687cd5a9d521fe2544a376eba7e490b053b0", "backend_endpoint_count": 36}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/batch.ts"}, "region": {"startLine": 136}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 108253, "scanner": "repobility-journey-contract", "fingerprint": "19d0953607caaef12fc3cfb3d3cb9f73b23c4ea9efec117537dec8da0822cb79", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/verify/batch", "correlation_key": "fp|19d0953607caaef12fc3cfb3d3cb9f73b23c4ea9efec117537dec8da0822cb79", "backend_endpoint_count": 36}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/batch.ts"}, "region": {"startLine": 119}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 108252, "scanner": "repobility-journey-contract", "fingerprint": "4132349baee593cf0f5e3cc412692da36b62f2837ab6d1f052875e01c90ba4b2", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/docs", "correlation_key": "fp|4132349baee593cf0f5e3cc412692da36b62f2837ab6d1f052875e01c90ba4b2", "backend_endpoint_count": 36}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app.ts"}, "region": {"startLine": 209}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 108251, "scanner": "repobility-journey-contract", "fingerprint": "a88f01afb979a7875fdb14ad7f2be421401f1867e112656f98106d758cf3d24f", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/map", "correlation_key": "fp|a88f01afb979a7875fdb14ad7f2be421401f1867e112656f98106d758cf3d24f", "backend_endpoint_count": 36}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app.ts"}, "region": {"startLine": 205}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 108250, "scanner": "repobility-journey-contract", "fingerprint": "91e4933936dc2a3cfbf3e6d0c0aaf034e8b7690208eed1d7957f73384e5b8784", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/ml", "correlation_key": "fp|91e4933936dc2a3cfbf3e6d0c0aaf034e8b7690208eed1d7957f73384e5b8784", "backend_endpoint_count": 36}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app.ts"}, "region": {"startLine": 204}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 108249, "scanner": "repobility-journey-contract", "fingerprint": "b2f8f899d2641e0879eb41f636c798372c5adca3f41a453212e184d2f063e419", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/alerts", "correlation_key": "fp|b2f8f899d2641e0879eb41f636c798372c5adca3f41a453212e184d2f063e419", "backend_endpoint_count": 36}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app.ts"}, "region": {"startLine": 203}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 108248, "scanner": "repobility-journey-contract", "fingerprint": "1e5528058576297ef2f723f69bdeff326e58df3e21ad2accfa0829b98f0ac36e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/lasa", "correlation_key": "fp|1e5528058576297ef2f723f69bdeff326e58df3e21ad2accfa0829b98f0ac36e", "backend_endpoint_count": 36}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app.ts"}, "region": {"startLine": 202}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 108247, "scanner": "repobility-journey-contract", "fingerprint": "5a92d66b14b67ce0cf204671e3b630ea845e4c9be52e5fdc4a164fa78bbd2ac1", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/scan", "correlation_key": "fp|5a92d66b14b67ce0cf204671e3b630ea845e4c9be52e5fdc4a164fa78bbd2ac1", "backend_endpoint_count": 36}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app.ts"}, "region": {"startLine": 201}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 108246, "scanner": "repobility-journey-contract", "fingerprint": "0bcceaa4089b47a0be0c279a2d6b35ca30c80942682b9d895bdf0c5f15719654", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/notifications", "correlation_key": "fp|0bcceaa4089b47a0be0c279a2d6b35ca30c80942682b9d895bdf0c5f15719654", "backend_endpoint_count": 36}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app.ts"}, "region": {"startLine": 200}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 108245, "scanner": "repobility-journey-contract", "fingerprint": "a1e43da91045bd343daac8da587d8cb3b1a82a00e117229c91a76068a953a630", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/analytics", "correlation_key": "fp|a1e43da91045bd343daac8da587d8cb3b1a82a00e117229c91a76068a953a630", "backend_endpoint_count": 36}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app.ts"}, "region": {"startLine": 199}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 108244, "scanner": "repobility-journey-contract", "fingerprint": "0cdba477325cca5d404c819f005a740c026c983719565acec8c456558a1372b9", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/verify", "correlation_key": "fp|0cdba477325cca5d404c819f005a740c026c983719565acec8c456558a1372b9", "backend_endpoint_count": 36}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app.ts"}, "region": {"startLine": 198}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 108243, "scanner": "repobility-journey-contract", "fingerprint": "87d0be77fd5fa285c032b4d4133287c17167ae45fef57e7d3e9d5919411e11c4", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/verify/batch", "correlation_key": "fp|87d0be77fd5fa285c032b4d4133287c17167ae45fef57e7d3e9d5919411e11c4", "backend_endpoint_count": 36}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app.ts"}, "region": {"startLine": 197}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 108242, "scanner": "repobility-journey-contract", "fingerprint": "23eb9017cd3ce702b87600a0f203b535d58c331d4a33d52c43d62328c3735d6f", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/pharmacies", "correlation_key": "fp|23eb9017cd3ce702b87600a0f203b535d58c331d4a33d52c43d62328c3735d6f", "backend_endpoint_count": 36}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app.ts"}, "region": {"startLine": 196}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 108241, "scanner": "repobility-journey-contract", "fingerprint": "bdd9f97b2bce570321a0da040eba3b7b1d2cc0bd16cdff01fa735e90cf3ba0ec", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/admin", "correlation_key": "fp|bdd9f97b2bce570321a0da040eba3b7b1d2cc0bd16cdff01fa735e90cf3ba0ec", "backend_endpoint_count": 36}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app.ts"}, "region": {"startLine": 138}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 108240, "scanner": "repobility-journey-contract", "fingerprint": "abc9b7979268cf2be3429480631e47fc7d2c68d123afe95d73372171691c2051", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/docs", "correlation_key": "fp|abc9b7979268cf2be3429480631e47fc7d2c68d123afe95d73372171691c2051", "backend_endpoint_count": 36}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app.ts"}, "region": {"startLine": 131}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 108239, "scanner": "repobility-journey-contract", "fingerprint": "ff41440497cc1806254944ffb785f77659f5e5df504c25e36bb9ba796b0bddda", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|33|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/AuthSync.tsx"}, "region": {"startLine": 33}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 108238, "scanner": "repobility-journey-contract", "fingerprint": "e23fc07b787c29a746e345cc7d109875e3fd5a04537e0fd946f990373726748d", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|22|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/AuthSync.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 108237, "scanner": "repobility-journey-contract", "fingerprint": "3a224197d35ff7577d54ccfdbeedf5e392273ef68879640e68512ababd4706da", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|63|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/components/alerts/RecallPushSubscriber.tsx"}, "region": {"startLine": 63}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 108236, "scanner": "repobility-journey-contract", "fingerprint": "b7713b8c85a60f273eb9001f819ebf384dfd15f066a252aa270966b64ccc469b", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|apps/web/app/ locale /reports/me/page.tsx|46|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/[locale]/reports/me/page.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 108235, "scanner": "repobility-journey-contract", "fingerprint": "bf616aeb1deb336ded65e5efa5ce6e22094961e0e62d1b208c89503537c94ab0", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|apps/web/app/ locale /profile/page.tsx|95|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/[locale]/profile/page.tsx"}, "region": {"startLine": 95}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 108234, "scanner": "repobility-journey-contract", "fingerprint": "69dd288df3b8f9d4811add4635a0c2915b5fba28425cd2527bf71fe0c98a068d", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|apps/web/app/ locale /admin/dashboard/page.tsx|68|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/[locale]/admin/dashboard/page.tsx"}, "region": {"startLine": 68}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 108233, "scanner": "repobility-journey-contract", "fingerprint": "013e279739d5dbc80e0458180bd57f3707d13310336e860b4ed1fcbe3a0960ab", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|apps/web/app/ locale /admin/analytics/page.tsx|54|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/[locale]/admin/analytics/page.tsx"}, "region": {"startLine": 54}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /voice/tts/route."}, "properties": {"repobilityId": 108232, "scanner": "repobility-access-control", "fingerprint": "5dd37420bd5869744bd2ee4bc6bb481515e3958d801de1e352418b31b3a7db48", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/voice/tts/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|22|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/voice/tts/route.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /voice/transcribe/route."}, "properties": {"repobilityId": 108231, "scanner": "repobility-access-control", "fingerprint": "d78eb8ad19078c5d9c532bc6daa1f784887d6af42706a194974a8d45f33b7625", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/voice/transcribe/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|20|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/voice/transcribe/route.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /upload/route."}, "properties": {"repobilityId": 108230, "scanner": "repobility-access-control", "fingerprint": "5de0faf9f1a6845ab3bfcbec1c2446528027b6821667067e7484707de7419134", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/upload/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|6|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/upload/route.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /chat/route."}, "properties": {"repobilityId": 108229, "scanner": "repobility-access-control", "fingerprint": "49259898aae5e2ab72c2e83d1776b9edfc9efbcf6e169f215e6c5fd9a2d69a62", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/chat/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|145|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/chat/route.ts"}, "region": {"startLine": 145}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /overpass/route."}, "properties": {"repobilityId": 108228, "scanner": "repobility-access-control", "fingerprint": "cf9398e221210577fbdc9bf443cfa613c2d2ccd0d9af1fed67059aface354188", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/overpass/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|11|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/overpass/route.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /extract."}, "properties": {"repobilityId": 108227, "scanner": "repobility-access-control", "fingerprint": "746855d32e331460eed9cb4cdb703b3aa69163db62f407052a2b28b50291e2cb", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/extract", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|apps/api/src/routes/scan.ts|203|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/scan.ts"}, "region": {"startLine": 203}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /subscriptions."}, "properties": {"repobilityId": 108226, "scanner": "repobility-access-control", "fingerprint": "370ff6821d63243d12280ec6a2f7110b99cded92f010403e6d2861412885e75a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/subscriptions", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|51|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/notifications.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/csrf-token."}, "properties": {"repobilityId": 108225, "scanner": "repobility-access-control", "fingerprint": "0c52b4348583c3e21744d3b213cbe20d59b6db762049af8b70b2fa90fa70d8bd", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/csrf-token", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|apps/api/src/app.ts|91|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /."}, "properties": {"repobilityId": 108224, "scanner": "repobility-access-control", "fingerprint": "c14bc842ffa75195a557ca62d20d4a0abae35ba7253eccab34c40173222b513d", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|137|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/reports.ts"}, "region": {"startLine": 137}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /mine."}, "properties": {"repobilityId": 108223, "scanner": "repobility-access-control", "fingerprint": "d0176a4ec9b9b284d4d44fbd69bc0eb0c6df05cd76af6dc1b74342a47d19f754", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/mine", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|109|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/reports.ts"}, "region": {"startLine": 109}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /logs."}, "properties": {"repobilityId": 108222, "scanner": "repobility-access-control", "fingerprint": "146ef49877b51b090dac3b5894e15aefaed997095c3e3142fb0479427b808e99", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/logs", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|19|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/admin.routes.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /medicines."}, "properties": {"repobilityId": 108221, "scanner": "repobility-access-control", "fingerprint": "82f01b8d5ea76011064819237232f02db2ceb5433b18efdf4db4162e45fe7560", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/medicines", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|18|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/admin.routes.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /medicines."}, "properties": {"repobilityId": 108220, "scanner": "repobility-access-control", "fingerprint": "64dda3b218457dd05be2e6808e27efee9fb0654c9161a2fc3785a859f7dc7da0", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/medicines", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|17|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/admin.routes.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PATCH /reports/:id/status."}, "properties": {"repobilityId": 108219, "scanner": "repobility-access-control", "fingerprint": "ed9791d41434c35696b5fe850714d416e83ee1cc545c525a4524bc3c27bd84b7", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/reports/:id/status", "method": "PATCH", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|16|auc004", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/admin.routes.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /reports."}, "properties": {"repobilityId": 108218, "scanner": "repobility-access-control", "fingerprint": "9c30bf9ec344595ec9189dc72e309ee83a7e9fed0ea329f8e1d52298e90a3918", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/reports", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|15|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/admin.routes.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /recalls/mock/trigger."}, "properties": {"repobilityId": 108217, "scanner": "repobility-access-control", "fingerprint": "66bf5cec90a77592b4085702864c28639034c4eedcd30bb4eac592ae5e196645", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/recalls/mock/trigger", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|70|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/notifications.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /recalls/mock."}, "properties": {"repobilityId": 108216, "scanner": "repobility-access-control", "fingerprint": "ce9c7212876a93687bd0d48fd453230d55dc165f9b787456f8488ea4c78e871e", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/recalls/mock", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|66|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/notifications.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /health."}, "properties": {"repobilityId": 108215, "scanner": "repobility-access-control", "fingerprint": "7d2efdf9116101f1fd810670dde3617aac7a86d5ff3372effff6f9e046210c8a", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/health", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|apps/api/src/app.ts|140|auc004", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app.ts"}, "region": {"startLine": 140}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 41.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 108214, "scanner": "repobility-access-control", "fingerprint": "361e1b70dfadcbc3057eb58f0af036e9f2959d20e4419e951fbcc27c2cb18eaa", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 36, "correlation_key": "fp|361e1b70dfadcbc3057eb58f0af036e9f2959d20e4419e951fbcc27c2cb18eaa", "auth_visible_percent": 41.7}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 108213, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express", "Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 108211, "scanner": "repobility-docker", "fingerprint": "7a0e8ef67d98a786089e8857bd12d84b7a0de78d5d051030e8aaba53e56e0d4d", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|7a0e8ef67d98a786089e8857bd12d84b7a0de78d5d051030e8aaba53e56e0d4d", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 108204, "scanner": "repobility-docker", "fingerprint": "96988ac77376f9b8fa66c450c14a528855541ca7cab0973d410ae0c09c7af41b", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|96988ac77376f9b8fa66c450c14a528855541ca7cab0973d410ae0c09c7af41b", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/Dockerfile"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 108203, "scanner": "repobility-docker", "fingerprint": "9623c5071f3db11873499ee2fbe04234354404edff414a91088d18a39a1ed414", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9623c5071f3db11873499ee2fbe04234354404edff414a91088d18a39a1ed414", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 108202, "scanner": "repobility-docker", "fingerprint": "93283801d20f984c213fef3a04dc6314a256a43114d837f8cee01ab59a78de5d", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|93283801d20f984c213fef3a04dc6314a256a43114d837f8cee01ab59a78de5d", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/Dockerfile"}, "region": {"startLine": 51}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 108200, "scanner": "repobility-docker", "fingerprint": "74cb9c38697e07dadf6f5113b541dcc9190df55d4be5dffbb2f0cd26da38a988", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|74cb9c38697e07dadf6f5113b541dcc9190df55d4be5dffbb2f0cd26da38a988", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/Dockerfile"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 108199, "scanner": "repobility-docker", "fingerprint": "353937d699d99b43f187782e9eded6a63b2eb91e30da60770eef16defd755a16", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|353937d699d99b43f187782e9eded6a63b2eb91e30da60770eef16defd755a16", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/Dockerfile"}, "region": {"startLine": 20}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 108198, "scanner": "repobility-agent-runtime", "fingerprint": "ccc3c64bd18e5dad0a2d051fd5d4102debb5c2fbb26bda83a744d43d45753d98", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|ccc3c64bd18e5dad0a2d051fd5d4102debb5c2fbb26bda83a744d43d45753d98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/MedicineSearchSelect.tsx"}, "region": {"startLine": 52}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 108197, "scanner": "repobility-agent-runtime", "fingerprint": "e56a54ce8e2dcbd5e10362d1f2f6cd8c363d726498dfe4d4ebb22297425eaaa3", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|e56a54ce8e2dcbd5e10362d1f2f6cd8c363d726498dfe4d4ebb22297425eaaa3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/[locale]/voice/page.tsx"}, "region": {"startLine": 1223}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 108196, "scanner": "repobility-agent-runtime", "fingerprint": "d70a2de8da54717e9cb67dbff3d1669c321191f5aecc471f35a637cc8ea42ce3", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d70a2de8da54717e9cb67dbff3d1669c321191f5aecc471f35a637cc8ea42ce3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/etl/src/scrapers/jan_aushadhi.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 108167, "scanner": "repobility-threat-engine", "fingerprint": "0be7bff4c63428a3769db339f50f45e8ae6619e8d1b7cf73da460f5f692cafef", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "pickle.loads(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|99|sec007", "duplicate_count": 2, "duplicate_rule_ids": ["SEC007"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["0be7bff4c63428a3769db339f50f45e8ae6619e8d1b7cf73da460f5f692cafef", "aaa8d0a36438ab37e86c13a3679164833096a3b350dcc87bfee21a452c3d5aed", "f65fa9660729a4810f4f1bf873d36e9e86c16ab860acd06b4b92587529e6183f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/advanced_cache_manager.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 108166, "scanner": "repobility-threat-engine", "fingerprint": "21b93d7a22c6ea0eb0a04c179f4ad0fdfef111e71af5637a64e7fa6d4b053e3d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def load_model():\n    raise NotImplementedError", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|21b93d7a22c6ea0eb0a04c179f4ad0fdfef111e71af5637a64e7fa6d4b053e3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ml_model_dev_pipeline/fine_tune_cloud.py"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 108162, "scanner": "repobility-threat-engine", "fingerprint": "de09e2102cc08f3e0d6b555bf0f664689aeb098dd78544108bef56579c41ccf2", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|scripts/check-migrations.js|100|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check-migrations.js"}, "region": {"startLine": 100}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 108159, "scanner": "repobility-threat-engine", "fingerprint": "f92b3e23964f72c5cceb78b190b72f94e6bbf810f03af95aad59192b0074e6ce", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(\n                                        `https://maps.google.com?q=${pharmacy.coordinat", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|249|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/components/Map.tsx"}, "region": {"startLine": 249}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 108158, "scanner": "repobility-threat-engine", "fingerprint": "bc256fb5b05941fee3ce4aef5e2d497ab9a3a2dc6a9ee5fa73d5676a0ee5fe7a", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bc256fb5b05941fee3ce4aef5e2d497ab9a3a2dc6a9ee5fa73d5676a0ee5fe7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/components/ServiceWorkerProvider.tsx"}, "region": {"startLine": 29}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 108157, "scanner": "repobility-threat-engine", "fingerprint": "cd9b36b1ffb14cf343e14572465b0c6a878f69005fea64b3625709f09b254a8a", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cd9b36b1ffb14cf343e14572465b0c6a878f69005fea64b3625709f09b254a8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/[locale]/layout.tsx"}, "region": {"startLine": 99}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 108150, "scanner": "repobility-threat-engine", "fingerprint": "326eece51cac5671902ba4b27a3f71eed471c47a1336ec4c31a62f64a583599d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|326eece51cac5671902ba4b27a3f71eed471c47a1336ec4c31a62f64a583599d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/services/telemetry.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 108149, "scanner": "repobility-threat-engine", "fingerprint": "c7769875f10a55f65c915b6d810cbe903cb05b9f03f43f94f3d6878703022b9f", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c7769875f10a55f65c915b6d810cbe903cb05b9f03f43f94f3d6878703022b9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/verify.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 108257, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 108256, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 108212, "scanner": "repobility-docker", "fingerprint": "e0969f0052d4a93e5f954d85cecee8115e17a7257d811ad49b20759deeadb947", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|e0969f0052d4a93e5f954d85cecee8115e17a7257d811ad49b20759deeadb947"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 108209, "scanner": "repobility-docker", "fingerprint": "8a3cec843940d18475b620b1892bf2e2247fed908840717eae16e2ab64fc197a", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ml", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8a3cec843940d18475b620b1892bf2e2247fed908840717eae16e2ab64fc197a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 108208, "scanner": "repobility-docker", "fingerprint": "f02a23465eed7d9336ae96ed787aefa719e173dd2198afc4f9752acaad99da17", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ml", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f02a23465eed7d9336ae96ed787aefa719e173dd2198afc4f9752acaad99da17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 108207, "scanner": "repobility-docker", "fingerprint": "a6dd24991eab438b4eb37145a104475375f851201e42f2e3c5df5e4f4fdb331d", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "api", "dependency": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|a6dd24991eab438b4eb37145a104475375f851201e42f2e3c5df5e4f4fdb331d", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 108206, "scanner": "repobility-docker", "fingerprint": "a9802bf3cddadad48ff0bc4ae970a9287371defb43ff460f2fbf2dd31207c115", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "api", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a9802bf3cddadad48ff0bc4ae970a9287371defb43ff460f2fbf2dd31207c115"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 108205, "scanner": "repobility-docker", "fingerprint": "7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "web", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 108201, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108195, "scanner": "repobility-ai-code-hygiene", "fingerprint": "35f20c7dea0962c12c59b9470d9d43eb5206787d80f30aaeacd53da757dfaeff", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/services/distributed_lock_manager.py", "duplicate_line": 29, "correlation_key": "fp|35f20c7dea0962c12c59b9470d9d43eb5206787d80f30aaeacd53da757dfaeff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/user_notifications_8.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108194, "scanner": "repobility-ai-code-hygiene", "fingerprint": "215673dadbaf8fc2d492507eae307831895050ddf7db6a23760cf2cd706699b6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/services/advanced_cache_manager.py", "duplicate_line": 4, "correlation_key": "fp|215673dadbaf8fc2d492507eae307831895050ddf7db6a23760cf2cd706699b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/user_notifications_8.py"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108193, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6a78d6a44bfccedddff54b9a9f259806ad2cae8a7beee1adf59d980e74262026", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/services/distributed_lock_manager.py", "duplicate_line": 29, "correlation_key": "fp|6a78d6a44bfccedddff54b9a9f259806ad2cae8a7beee1adf59d980e74262026"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/user_notifications.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108192, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dde95062fd7ebc2c3cc0b80f8a5bf85e55aec359d024f35b26ee34223efb90b1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/services/advanced_cache_manager.py", "duplicate_line": 4, "correlation_key": "fp|dde95062fd7ebc2c3cc0b80f8a5bf85e55aec359d024f35b26ee34223efb90b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/user_notifications.py"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108191, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7d418318fd6d45832108464c102d8b247efc8781c3502799a89aced379847206", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/services/distributed_lock_manager.py", "duplicate_line": 29, "correlation_key": "fp|7d418318fd6d45832108464c102d8b247efc8781c3502799a89aced379847206"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/user_auth_dashboard.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108190, "scanner": "repobility-ai-code-hygiene", "fingerprint": "72f96819981ef2b2c878a0ce66252acfc4b6f486724a56faaee0bf073486841e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/services/advanced_cache_manager.py", "duplicate_line": 4, "correlation_key": "fp|72f96819981ef2b2c878a0ce66252acfc4b6f486724a56faaee0bf073486841e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/user_auth_dashboard.py"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108189, "scanner": "repobility-ai-code-hygiene", "fingerprint": "86470b759e18279ef7da4f8b3d878c7bee64d2628985a68c6bbff38275a3416d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/services/advanced_cache_manager.py", "duplicate_line": 4, "correlation_key": "fp|86470b759e18279ef7da4f8b3d878c7bee64d2628985a68c6bbff38275a3416d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/distributed_lock_manager_5.py"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108188, "scanner": "repobility-ai-code-hygiene", "fingerprint": "69dc83590289fc595cc9f83f6b9d068f32e8d5e05817c9d39c8889385d1f25b9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/services/advanced_cache_manager.py", "duplicate_line": 4, "correlation_key": "fp|69dc83590289fc595cc9f83f6b9d068f32e8d5e05817c9d39c8889385d1f25b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/distributed_lock_manager_4.py"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108187, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0da45ec4696e71117f28d95f2a3d03f0c38e18dd21cb3ef8f1a40445e05700ea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/services/advanced_cache_manager.py", "duplicate_line": 4, "correlation_key": "fp|0da45ec4696e71117f28d95f2a3d03f0c38e18dd21cb3ef8f1a40445e05700ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/distributed_lock_manager.py"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108186, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0fa03d0ae6e17ea74211a81c5f4004e79401440f604e55579342756df3ea5961", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/api/src/routes/scan.ts", "duplicate_line": 164, "correlation_key": "fp|0fa03d0ae6e17ea74211a81c5f4004e79401440f604e55579342756df3ea5961"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/utils/medicineParser.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108185, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b6efc953370c68eb45786e02d2fca718d6bca4f48b606155bbd76b0b5ae83327", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/lib/imageEnhancer.shared.ts", "duplicate_line": 64, "correlation_key": "fp|b6efc953370c68eb45786e02d2fca718d6bca4f48b606155bbd76b0b5ae83327"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/public/workers/imageEnhancer.worker.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108184, "scanner": "repobility-ai-code-hygiene", "fingerprint": "952161147476a0832ea12145222ab8c02742d20bfe97c1c58ea5ed5fc81ed6f0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/app/api/voice/transcribe/route.ts", "duplicate_line": 5, "correlation_key": "fp|952161147476a0832ea12145222ab8c02742d20bfe97c1c58ea5ed5fc81ed6f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/voice/tts/route.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108183, "scanner": "repobility-ai-code-hygiene", "fingerprint": "46f6e5fb51fceaa617862121dc97bc364ae475c0e8b4146676637ce2251c1efe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/app/[locale]/map/overpassApi.ts", "duplicate_line": 20, "correlation_key": "fp|46f6e5fb51fceaa617862121dc97bc364ae475c0e8b4146676637ce2251c1efe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/overpass/route.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108182, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ded7c79d43bdf2295c0713d8fe22e9a9e681d8d11b8d632613f5d907fb000fa6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/app/[locale]/alerts/page.tsx", "duplicate_line": 10, "correlation_key": "fp|ded7c79d43bdf2295c0713d8fe22e9a9e681d8d11b8d632613f5d907fb000fa6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/[locale]/page.tsx"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 108181, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d935eebc9dbb9dd11e55e51bc00712909625331598c977ec672e0feff6fee75", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/api/src/routes/scan.ts", "duplicate_line": 521, "correlation_key": "fp|9d935eebc9dbb9dd11e55e51bc00712909625331598c977ec672e0feff6fee75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/verify.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `_infer_form_from_name` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: if=11."}, "properties": {"repobilityId": 108132, "scanner": "repobility-threat-engine", "fingerprint": "3d4a3a4e4ad942cb26a1a52e01fa6e7826564e3284c3dad4a9c3208417290510", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 11 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_infer_form_from_name", "breakdown": {"if": 11}, "complexity": 11, "correlation_key": "fp|3d4a3a4e4ad942cb26a1a52e01fa6e7826564e3284c3dad4a9c3208417290510"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/etl/src/scrapers/jan_aushadhi.py"}, "region": {"startLine": 263}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `_infer_dosage_form` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: if=9."}, "properties": {"repobilityId": 108131, "scanner": "repobility-threat-engine", "fingerprint": "7aa452e082a611a8871e93062b6230a63b5b4350ce01a2b38530f98e4565b383", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_infer_dosage_form", "breakdown": {"if": 9}, "complexity": 9, "correlation_key": "fp|7aa452e082a611a8871e93062b6230a63b5b4350ce01a2b38530f98e4565b383"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/etl/src/scrapers/commercial_medicine.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED030", "level": "none", "message": {"text": "[MINED030] Python Pickle Loads (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 108180, "scanner": "repobility-threat-engine", "fingerprint": "3597b0c70a86c07395b8feb1e523b3798f4fa89b7c7a75bf24590b8e6d6b3585", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-pickle-loads", "owasp": null, "cwe_ids": ["CWE-502"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347968+00:00", "triaged_in_corpus": 20, "observations_count": 6314, "ai_coder_pattern_id": 119}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3597b0c70a86c07395b8feb1e523b3798f4fa89b7c7a75bf24590b8e6d6b3585", "aggregated_count": 4}}}, {"ruleId": "MINED018", "level": "none", "message": {"text": "[MINED018] Unsafe Deserialization Pickle (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 108176, "scanner": "repobility-threat-engine", "fingerprint": "e1b9798c912e66a374afd6bbef62963cfcb7c6bd83e05060ee3a6445d5724671", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e1b9798c912e66a374afd6bbef62963cfcb7c6bd83e05060ee3a6445d5724671", "aggregated_count": 4}}}, {"ruleId": "SEC081", "level": "none", "message": {"text": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 108172, "scanner": "repobility-threat-engine", "fingerprint": "52e5ef968d849dac15706ccd8a81266f98543bc97938fd6232df33e071ff017c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC081", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|52e5ef968d849dac15706ccd8a81266f98543bc97938fd6232df33e071ff017c"}}}, {"ruleId": "SEC007", "level": "none", "message": {"text": "[SEC007] Unsafe Deserialization (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 108168, "scanner": "repobility-threat-engine", "fingerprint": "6b9012b015659a27ec0bbe8afd468bee08a378d979c58fbaddfe79ffff5aaca6", "category": "deserialization", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|6b9012b015659a27ec0bbe8afd468bee08a378d979c58fbaddfe79ffff5aaca6"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 108165, "scanner": "repobility-threat-engine", "fingerprint": "63244cf72e9832dfd4c2a1000ee4935779a07aed212d25d0dc423ca184052033", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|63244cf72e9832dfd4c2a1000ee4935779a07aed212d25d0dc423ca184052033"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "nginx/nginx.conf"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 108164, "scanner": "repobility-threat-engine", "fingerprint": "7dfb612ac2cf7057bf07f97996ca285d81f79c3420b2d3ea2e3f57150df5917c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7dfb612ac2cf7057bf07f97996ca285d81f79c3420b2d3ea2e3f57150df5917c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 108161, "scanner": "repobility-threat-engine", "fingerprint": "fa081efb98a458d806155c242d251b41c3c962edce1ed94180bc03499330c1d5", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.eval\\(' detected on same line", "evidence": {"match": ".eval(", "reason": "Safe pattern '\\.eval\\(' detected on same line", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|84|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/scripts/voice-a11y-audit.mjs"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 108156, "scanner": "repobility-threat-engine", "fingerprint": "28cbc5c603b153782ac441bec3735176bbba4a8c9388e623ae0f6c7823f92716", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|28cbc5c603b153782ac441bec3735176bbba4a8c9388e623ae0f6c7823f92716"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/[locale]/layout.tsx"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 108155, "scanner": "repobility-threat-engine", "fingerprint": "6d638efea05789caff597b5fe788564ae810a6add52e01af7c7e66ad58581866", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6d638efea05789caff597b5fe788564ae810a6add52e01af7c7e66ad58581866", "aggregated_count": 3}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 108154, "scanner": "repobility-threat-engine", "fingerprint": "b89a91ddb973291c52166cbffaf4d27148fe7475990c11566bb51a99168ef98d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b89a91ddb973291c52166cbffaf4d27148fe7475990c11566bb51a99168ef98d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/[locale]/map/loading.tsx"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 108153, "scanner": "repobility-threat-engine", "fingerprint": "c1163e87483df8f0730306bd62a94ce78df615b0de6e5d98237d8637fdb8d88f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c1163e87483df8f0730306bd62a94ce78df615b0de6e5d98237d8637fdb8d88f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/[locale]/faq/page.tsx"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 108152, "scanner": "repobility-threat-engine", "fingerprint": "89e27bbff39fe2708dae8fd7d4181c74aa5b7efd27b06d5e19c2b663465c2700", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|89e27bbff39fe2708dae8fd7d4181c74aa5b7efd27b06d5e19c2b663465c2700"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/[locale]/components/Chatbot.tsx"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 108148, "scanner": "repobility-threat-engine", "fingerprint": "f8213289a38e342c56cfd272f7b190cb2b74eaa6959268b1df9deb21bc160adf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f8213289a38e342c56cfd272f7b190cb2b74eaa6959268b1df9deb21bc160adf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ml_model_dev_pipeline/fine_tune_cloud.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 108147, "scanner": "repobility-threat-engine", "fingerprint": "2f39e13eeee73e64dca573a37d4821ec7ba64ae44c90269f8f50cc791b8dce8b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2f39e13eeee73e64dca573a37d4821ec7ba64ae44c90269f8f50cc791b8dce8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/services/telemetry.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 108146, "scanner": "repobility-threat-engine", "fingerprint": "dadc8530a77cbea6d9d7f2789859d35c9490f1bc5eb0be9f2853676249ecc509", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dadc8530a77cbea6d9d7f2789859d35c9490f1bc5eb0be9f2853676249ecc509"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/verify.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 108141, "scanner": "repobility-threat-engine", "fingerprint": "1361ffa9c3e6bba8c756f3d556d7d430ee765c8d57ea666109adf6c3be4e2cb1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1361ffa9c3e6bba8c756f3d556d7d430ee765c8d57ea666109adf6c3be4e2cb1", "aggregated_count": 2}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 108140, "scanner": "repobility-threat-engine", "fingerprint": "b4543d88c1ab7d6d0e3d99103f5e3ce1791ba7ba6cb6327b1e0c8d3dd220bae0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b4543d88c1ab7d6d0e3d99103f5e3ce1791ba7ba6cb6327b1e0c8d3dd220bae0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/agent/cdsco_alert_agent.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 108139, "scanner": "repobility-threat-engine", "fingerprint": "fcdc328466e5a8bfe5b777aebcf497e7f63d7a730b29340ae92f04a16751ff46", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fcdc328466e5a8bfe5b777aebcf497e7f63d7a730b29340ae92f04a16751ff46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/etl/src/scrapers/commercial_medicine.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 108138, "scanner": "repobility-threat-engine", "fingerprint": "4f44cfd87726b73a27a4cf77b764968a5c6d27d4db90efabf38a3a24bc30c68f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4f44cfd87726b73a27a4cf77b764968a5c6d27d4db90efabf38a3a24bc30c68f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/etl/src/scrapers/cdsco.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 108137, "scanner": "repobility-threat-engine", "fingerprint": "130c5045baecd0b9524abd6870aed08fddb81812daa325ac97b261216d6966ee", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|130c5045baecd0b9524abd6870aed08fddb81812daa325ac97b261216d6966ee"}}}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 108136, "scanner": "repobility-threat-engine", "fingerprint": "c9912c457e49a015a4f2f06f7eddb7054defb7bb2d53569c25f3cfc26bdccefd", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'timeout\\s*=' detected on same line", "evidence": {"match": "requests.get(", "reason": "Safe pattern 'timeout\\s*=' detected on same line", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|c9912c457e49a015a4f2f06f7eddb7054defb7bb2d53569c25f3cfc26bdccefd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/agent/cdsco_alert_agent.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 108135, "scanner": "repobility-threat-engine", "fingerprint": "e18daa9d4f20db69eaa4ff062afc34c1fb40a7eaf66c11efe390c6c21a86bb10", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'timeout\\s*=' detected on same line", "evidence": {"match": "requests.get(", "reason": "Safe pattern 'timeout\\s*=' detected on same line", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|e18daa9d4f20db69eaa4ff062afc34c1fb40a7eaf66c11efe390c6c21a86bb10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/etl/src/scrapers/commercial_medicine.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 108134, "scanner": "repobility-threat-engine", "fingerprint": "60f4f0f685d3faf8a3244d555dd6178cd6ac86e8f96b634c87ca1da560b5d90d", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'timeout\\s*=' detected on same line", "evidence": {"match": "requests.get(", "reason": "Safe pattern 'timeout\\s*=' detected on same line", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|60f4f0f685d3faf8a3244d555dd6178cd6ac86e8f96b634c87ca1da560b5d90d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/etl/src/scrapers/cdsco.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 108133, "scanner": "repobility-threat-engine", "fingerprint": "49c7adc690aaef0cba0539e188460f8671984ef7c4ebdb1c821d1535a2aa7f56", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "run", "breakdown": {"if": 12, "for": 2, "elif": 2, "else": 3, "except": 1, "ternary": 5, "nested_bonus": 11}, "aggregated": true, "complexity": 36, "correlation_key": "fp|49c7adc690aaef0cba0539e188460f8671984ef7c4ebdb1c821d1535a2aa7f56", "aggregated_count": 15}}}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 108129, "scanner": "repobility-threat-engine", "fingerprint": "82f7c612ad5577e8367615fb946c1d14272b43eed4530a872d1485a0b5495e89", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|82f7c612ad5577e8367615fb946c1d14272b43eed4530a872d1485a0b5495e89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/etl/run_all.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 108128, "scanner": "repobility-threat-engine", "fingerprint": "a76cbdc98f8dde1c3c34a513671d88e9a2f08a24d770d40bc43612ccd004bada", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a76cbdc98f8dde1c3c34a513671d88e9a2f08a24d770d40bc43612ccd004bada", "aggregated_count": 3}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 108127, "scanner": "repobility-threat-engine", "fingerprint": "e0ad130b5d66e9abcf17157c5cb03283d9625e701dce31cd17c432843b253fa9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e0ad130b5d66e9abcf17157c5cb03283d9625e701dce31cd17c432843b253fa9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/components/Map.tsx"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 108126, "scanner": "repobility-threat-engine", "fingerprint": "d75f122cc449de8135ca968f74bbc4269c95af44e2760bd0a7ea8185d8df7235", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d75f122cc449de8135ca968f74bbc4269c95af44e2760bd0a7ea8185d8df7235"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/[locale]/layout.tsx"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 108125, "scanner": "repobility-threat-engine", "fingerprint": "26b5a53264b0bc6e5ea62cb9aeda26b256e934904d7fd30a0692f26f6fcbae31", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|26b5a53264b0bc6e5ea62cb9aeda26b256e934904d7fd30a0692f26f6fcbae31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/validators/medicine.validator.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 108124, "scanner": "repobility-threat-engine", "fingerprint": "8a77ffb0a8fcdda223aabe32cdaf0e5bdc6cae13db4c9684d2f2d4932a1285a8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8a77ffb0a8fcdda223aabe32cdaf0e5bdc6cae13db4c9684d2f2d4932a1285a8"}}}, {"ruleId": "SEC135", "level": "none", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 108120, "scanner": "repobility-threat-engine", "fingerprint": "b25ee310249da2ffc6da99e224bbd8d1769f7974ef7e6622c105e71bd7dd26fa", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b25ee310249da2ffc6da99e224bbd8d1769f7974ef7e6622c105e71bd7dd26fa"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 108116, "scanner": "repobility-threat-engine", "fingerprint": "976bb413e58f70f53fa6a891d8be3bb3844b6ff3fd9e04272cb46082ff0a16ea", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|976bb413e58f70f53fa6a891d8be3bb3844b6ff3fd9e04272cb46082ff0a16ea", "aggregated_count": 1}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 108115, "scanner": "repobility-threat-engine", "fingerprint": "293588cef6b7ee77858366cb20838de877a58eaad81825d2381a328310387b6e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|293588cef6b7ee77858366cb20838de877a58eaad81825d2381a328310387b6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/[locale]/components/Chatbot.tsx"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 108114, "scanner": "repobility-threat-engine", "fingerprint": "4155d0c73d8c9484e1e9dc9aa9778b156cb93b8ca6cc2a83c470343cecd99c39", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4155d0c73d8c9484e1e9dc9aa9778b156cb93b8ca6cc2a83c470343cecd99c39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/services/lasa.service.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 108113, "scanner": "repobility-threat-engine", "fingerprint": "f6bb6b585a353340ceb35c7c093d92efea747ff66b79696e81ee69a7adad5fcf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f6bb6b585a353340ceb35c7c093d92efea747ff66b79696e81ee69a7adad5fcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/controllers/admin.controller.ts"}, "region": {"startLine": 198}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 108112, "scanner": "repobility-threat-engine", "fingerprint": "7eac65c6d729ce731cf7f1b0d32d88551e2714b6a555982628995e228d42ee93", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7eac65c6d729ce731cf7f1b0d32d88551e2714b6a555982628995e228d42ee93", "aggregated_count": 3}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 108111, "scanner": "repobility-threat-engine", "fingerprint": "413363a5241581e4192c24aeecb7cfbeee0ebdf18085702126c75a4428287cd1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|413363a5241581e4192c24aeecb7cfbeee0ebdf18085702126c75a4428287cd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/[locale]/layout.tsx"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 108110, "scanner": "repobility-threat-engine", "fingerprint": "fea3882a6ceb00ba5665c73dedd25673adb6a7f4c3864fda904cea9e13c3a74f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fea3882a6ceb00ba5665c73dedd25673adb6a7f4c3864fda904cea9e13c3a74f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/notifications.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 108109, "scanner": "repobility-threat-engine", "fingerprint": "8bca5a1383fe4b9797acd3bedead1a6fc4c00850a9757eb1eee1455cc90e3510", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8bca5a1383fe4b9797acd3bedead1a6fc4c00850a9757eb1eee1455cc90e3510"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/controllers/admin.controller.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 108108, "scanner": "repobility-threat-engine", "fingerprint": "ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "properties": {"repobilityId": 108102, "scanner": "repobility-threat-engine", "fingerprint": "9d7350027374ebe62f4d747e478eca80ef54bedb43dadb56de7cb7e0ed9e40a8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9d7350027374ebe62f4d747e478eca80ef54bedb43dadb56de7cb7e0ed9e40a8", "aggregated_count": 17}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 108101, "scanner": "repobility-threat-engine", "fingerprint": "2bbc27232bfd8c74cf559e5b28c4b177ac082b136d12f3e89ca92d82ee041445", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2bbc27232bfd8c74cf559e5b28c4b177ac082b136d12f3e89ca92d82ee041445"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/score-impact.mjs"}, "region": {"startLine": 163}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 108100, "scanner": "repobility-threat-engine", "fingerprint": "c62e5631c2eb8c9f8d11049ab309d9eaf2c3f08983337da727b33f8fc5dd3433", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c62e5631c2eb8c9f8d11049ab309d9eaf2c3f08983337da727b33f8fc5dd3433"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/manage-labels.mjs"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 108099, "scanner": "repobility-threat-engine", "fingerprint": "af49f3dfca5e9084bb4e15ef02b899fd5a264efa5946190ce39f9348045ca246", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|af49f3dfca5e9084bb4e15ef02b899fd5a264efa5946190ce39f9348045ca246"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/generate-doc.mjs"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 108098, "scanner": "repobility-threat-engine", "fingerprint": "6bc921b1f0519ea2b00472c53454cec2f5f45e63edfe9fe7194bde3cdfa63498", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.error(\"Server Configuration Error: API_SECRET_KEY is not configured.\")", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|9|console.error server configuration error: api_secret_key is not configured."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/alerts.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 108097, "scanner": "repobility-threat-engine", "fingerprint": "48efb2df2a17d66e359cb34778fa6336e3a43d8ff83b949e7be48002ffeb2398", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.error(\"\u274c GEMINI_API_KEY is not set. Add it as a GitHub Actions secret named GEMINI_API_KEY.\"", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|. token|3|console.error gemini_api_key is not set. add it as a github actions secret named gemini_api_key."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/generate-doc.mjs"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108338, "scanner": "repobility-supply-chain", "fingerprint": "716b22177ac95b1a1154caeb5dd0019b88edb4d49dd07e14914605a093f931a7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|716b22177ac95b1a1154caeb5dd0019b88edb4d49dd07e14914605a093f931a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtrack.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108337, "scanner": "repobility-supply-chain", "fingerprint": "8fb66b382f6fca6f54f2014ac553f1a2fb3104a1af4b14684402ff2d5f17f10a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8fb66b382f6fca6f54f2014ac553f1a2fb3104a1af4b14684402ff2d5f17f10a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto-assign.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108336, "scanner": "repobility-supply-chain", "fingerprint": "b7a56a07a6774e3ba9ab17388ff11066f00922f9729ad43ae1c2c71f54531111", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b7a56a07a6774e3ba9ab17388ff11066f00922f9729ad43ae1c2c71f54531111"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/welcome-onboarding.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108335, "scanner": "repobility-supply-chain", "fingerprint": "4fb6a76e62d45b48e34273028d87472f9251ac16c9a8339ae596cd1151d319c0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4fb6a76e62d45b48e34273028d87472f9251ac16c9a8339ae596cd1151d319c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/welcome-onboarding.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108334, "scanner": "repobility-supply-chain", "fingerprint": "dc65f8f19376dc4cab04c6428c9ed1f27afdd838fd8ae6f7b78df885f198bca9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dc65f8f19376dc4cab04c6428c9ed1f27afdd838fd8ae6f7b78df885f198bca9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/close-conflicting-prs.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108333, "scanner": "repobility-supply-chain", "fingerprint": "6092aa255c334037b3d0cca87574bcaa37db1a0f4ba9a1c8d379236a30a752aa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6092aa255c334037b3d0cca87574bcaa37db1a0f4ba9a1c8d379236a30a752aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/labeler.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108332, "scanner": "repobility-supply-chain", "fingerprint": "6dd18e4f93d2b6d2b659dd6590054ab7d5cc2122131d39c21fcb393c7211745b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6dd18e4f93d2b6d2b659dd6590054ab7d5cc2122131d39c21fcb393c7211745b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/labeler.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/labeler` pinned to mutable ref `@v6`: `uses: actions/labeler@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108331, "scanner": "repobility-supply-chain", "fingerprint": "9c78af04bcf5c326da03336ccb36524123f7fbbe36bd24daf3abda6e487ee424", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c78af04bcf5c326da03336ccb36524123f7fbbe36bd24daf3abda6e487ee424"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/labeler.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `release-drafter/release-drafter` pinned to mutable ref `@v7`: `uses: release-drafter/release-drafter@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108330, "scanner": "repobility-supply-chain", "fingerprint": "1418778205984567bc8f7042113112cae688c191e95ff95a48bfd1fbd6314501", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1418778205984567bc8f7042113112cae688c191e95ff95a48bfd1fbd6314501"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-drafter.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108329, "scanner": "repobility-supply-chain", "fingerprint": "16148a10d8be26d8a57d6d66e0b67e80a9e79ae10d5f0e9181c9c10577d6731f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|16148a10d8be26d8a57d6d66e0b67e80a9e79ae10d5f0e9181c9c10577d6731f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/detect-duplicate-issue.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/stale` pinned to mutable ref `@v10`: `uses: actions/stale@v10` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108328, "scanner": "repobility-supply-chain", "fingerprint": "125a3567ffe1b21debe0288a9c21614e3270a200c0e91b807d87a5efd60e8968", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|125a3567ffe1b21debe0288a9c21614e3270a200c0e91b807d87a5efd60e8968"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/close-stale.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108327, "scanner": "repobility-supply-chain", "fingerprint": "57ce5cfd55cff86ebcdbcef10f84148e09cc050077234f2aa2edec9bc7bf0061", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|57ce5cfd55cff86ebcdbcef10f84148e09cc050077234f2aa2edec9bc7bf0061"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/anti-ping-spam.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peakoss/anti-slop` pinned to mutable ref `@v0`: `uses: peakoss/anti-slop@v0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108326, "scanner": "repobility-supply-chain", "fingerprint": "4bb5ce23a63112cec68b831fd327aca3fe85aadf40781489cb933da639424cfd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4bb5ce23a63112cec68b831fd327aca3fe85aadf40781489cb933da639424cfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-quality-check.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108325, "scanner": "repobility-supply-chain", "fingerprint": "4afc0d7b956fc7d81645321975ba4f39153effe8d2d5475d655be50be517e235", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4afc0d7b956fc7d81645321975ba4f39153effe8d2d5475d655be50be517e235"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/enforce-assignment.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108324, "scanner": "repobility-supply-chain", "fingerprint": "9798a6fa63c683ac8d75bd592b939b1a887bfbe86d99ff7a5391c5edaacd4239", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9798a6fa63c683ac8d75bd592b939b1a887bfbe86d99ff7a5391c5edaacd4239"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/label-guard.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108323, "scanner": "repobility-supply-chain", "fingerprint": "25618cc9a882867c75a7e97829e7a8f4633b9a71ac6241adb86a6014113cb984", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|25618cc9a882867c75a7e97829e7a8f4633b9a71ac6241adb86a6014113cb984"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/issue-opened-autoflow.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108322, "scanner": "repobility-supply-chain", "fingerprint": "7d564652ff01eba420edb9c39458a5e28b431b97eeabdc6fae7b56ed775de5b0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7d564652ff01eba420edb9c39458a5e28b431b97eeabdc6fae7b56ed775de5b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108321, "scanner": "repobility-supply-chain", "fingerprint": "d769ef91b3aaccfef6bdba899fff58e7354c915245d4af5f6b9a946f8fe0e340", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d769ef91b3aaccfef6bdba899fff58e7354c915245d4af5f6b9a946f8fe0e340"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108320, "scanner": "repobility-supply-chain", "fingerprint": "3c9590adfa3e064d1f529f1496ac92eba59ae4d350f9b2994baa5858a8fb8d3b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3c9590adfa3e064d1f529f1496ac92eba59ae4d350f9b2994baa5858a8fb8d3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108319, "scanner": "repobility-supply-chain", "fingerprint": "04f292b83a928c28089d967ffc4421fcce1f6048282064b5a2e8099b02f39942", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|04f292b83a928c28089d967ffc4421fcce1f6048282064b5a2e8099b02f39942"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108318, "scanner": "repobility-supply-chain", "fingerprint": "2200b9a2b6ff7ce42996792829c0acd43468b425ec0a520a1fb30db0dabe7e8b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2200b9a2b6ff7ce42996792829c0acd43468b425ec0a520a1fb30db0dabe7e8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto-unassign.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v4`: `uses: github/codeql-action/analyze@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108317, "scanner": "repobility-supply-chain", "fingerprint": "bf3c24ac153f6164f5f5b93949f1911c8301c9c4b5edd9dbd251ed34f2b53343", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf3c24ac153f6164f5f5b93949f1911c8301c9c4b5edd9dbd251ed34f2b53343"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/autobuild` pinned to mutable ref `@v4`: `uses: github/codeql-action/autobuild@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108316, "scanner": "repobility-supply-chain", "fingerprint": "85c1efee5adae72c0c0ab5efac67987c677b1730878c520c97ff0d2febe6df5c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|85c1efee5adae72c0c0ab5efac67987c677b1730878c520c97ff0d2febe6df5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v4`: `uses: github/codeql-action/init@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108315, "scanner": "repobility-supply-chain", "fingerprint": "06aa95418e09443fc9b0597b6e5d3b1563e34df1083e5a36c3b233394b354552", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|06aa95418e09443fc9b0597b6e5d3b1563e34df1083e5a36c3b233394b354552"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 108314, "scanner": "repobility-supply-chain", "fingerprint": "78b74c043cd163668f9cd148d3cb83aac75fbfc082491dad4a96c0a31b81a607", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|78b74c043cd163668f9cd148d3cb83aac75fbfc082491dad4a96c0a31b81a607"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 108313, "scanner": "repobility-supply-chain", "fingerprint": "e37cc041327d2cf1ec39c0c38a7dfc6a729ef7b1e4211a357adab6a1de68acd5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e37cc041327d2cf1ec39c0c38a7dfc6a729ef7b1e4211a357adab6a1de68acd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/Dockerfile"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 108312, "scanner": "repobility-supply-chain", "fingerprint": "9a1f8234121f07ddb9158cce0dde6c98bd92c1552a0ee3ba0378b55e7d07f8c1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9a1f8234121f07ddb9158cce0dde6c98bd92c1552a0ee3ba0378b55e7d07f8c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.12-slim` not pinned by digest: `FROM python:3.12-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 108311, "scanner": "repobility-supply-chain", "fingerprint": "83509d3587f541490455826037b799db97a96d6f011f74628b26e00a165656e5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|83509d3587f541490455826037b799db97a96d6f011f74628b26e00a165656e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/Dockerfile"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.12-slim` not pinned by digest: `FROM python:3.12-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 108310, "scanner": "repobility-supply-chain", "fingerprint": "c65fb78d782abfb4534a3efd87711ca2f72792fc15c5fb86e13ec06270391963", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c65fb78d782abfb4534a3efd87711ca2f72792fc15c5fb86e13ec06270391963"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 108309, "scanner": "repobility-supply-chain", "fingerprint": "7f4ecf8f5d22c1c5ca37115757ae023b45c20d28df6ab0a9e91ad53b95b263df", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7f4ecf8f5d22c1c5ca37115757ae023b45c20d28df6ab0a9e91ad53b95b263df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/Dockerfile"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 108308, "scanner": "repobility-supply-chain", "fingerprint": "baed18599e155b23b302f6f3ac26c58ffd9047ef84d2ab32be0d4a410654accf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|baed18599e155b23b302f6f3ac26c58ffd9047ef84d2ab32be0d4a410654accf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /check has no auth: Express route POST /check declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 108307, "scanner": "repobility-route-auth", "fingerprint": "a179a56f105997d3099de1efcf72b7f32709b1114a017f68bd816cae9f51a2ac", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|a179a56f105997d3099de1efcf72b7f32709b1114a017f68bd816cae9f51a2ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/lasa.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST / has no auth: Express route POST / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 108306, "scanner": "repobility-route-auth", "fingerprint": "7480556e16073b5f3e475181ca6407831ff774f1a07b6404105a4d6c4fe57897", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|7480556e16073b5f3e475181ca6407831ff774f1a07b6404105a4d6c4fe57897"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/verify.ts"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /report has no auth: Express route POST /report declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 108305, "scanner": "repobility-route-auth", "fingerprint": "be665eee8e291a5bf8823d457731fe9debdfa619563a2eaa915e87495dfb03e5", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|be665eee8e291a5bf8823d457731fe9debdfa619563a2eaa915e87495dfb03e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/batch.ts"}, "region": {"startLine": 307}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /verify-brand has no auth: Express route POST /verify-brand declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 108304, "scanner": "repobility-route-auth", "fingerprint": "74b592b56e98b47eff49550fbfab896f1dc1e90d3b037da7187c8f0271872d9b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|74b592b56e98b47eff49550fbfab896f1dc1e90d3b037da7187c8f0271872d9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/scan.ts"}, "region": {"startLine": 720}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /match has no auth: Express route POST /match declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 108303, "scanner": "repobility-route-auth", "fingerprint": "1ff432aeb0dbbd62aed980440c70dc944c51cda01783d1c495c0471b6275e171", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|1ff432aeb0dbbd62aed980440c70dc944c51cda01783d1c495c0471b6275e171"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/scan.ts"}, "region": {"startLine": 649}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /extract has no auth: Express route POST /extract declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 108302, "scanner": "repobility-route-auth", "fingerprint": "0c9bad465c2fa716b01a42a32cd4218c4c6ef6a736377f87574c3d6962d0b7a6", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|0c9bad465c2fa716b01a42a32cd4218c4c6ef6a736377f87574c3d6962d0b7a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/scan.ts"}, "region": {"startLine": 203}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /analyze has no auth: Express route POST /analyze declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 108301, "scanner": "repobility-route-auth", "fingerprint": "fabd7363c3b6eb54856ffd2988ff8760a849ab57849ba2f15eef486ac4ed0144", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|fabd7363c3b6eb54856ffd2988ff8760a849ab57849ba2f15eef486ac4ed0144"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/ml.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST / has no auth: Express route POST / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 108300, "scanner": "repobility-route-auth", "fingerprint": "6ce7ce2db10fb4a3313c9499f6e90fc0d3acfb458af29120512194d970174ce0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6ce7ce2db10fb4a3313c9499f6e90fc0d3acfb458af29120512194d970174ce0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/pharmacies.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /medicines has no auth: Express route POST /medicines declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 108299, "scanner": "repobility-route-auth", "fingerprint": "f008f35207379669776787e747c8017d7d05f9640a8fe01d388e28d06239a8f9", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|f008f35207379669776787e747c8017d7d05f9640a8fe01d388e28d06239a8f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/admin.routes.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PATCH /reports/:id/status has no auth: Express route PATCH /reports/:id/status declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 108298, "scanner": "repobility-route-auth", "fingerprint": "2f51b2d22d7ca1a7b15766ca22be94d7a458c92c434f88ae2b1662d53aa21336", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|2f51b2d22d7ca1a7b15766ca22be94d7a458c92c434f88ae2b1662d53aa21336"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/admin.routes.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /generate has no auth: Handler `generate_tts` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 108297, "scanner": "repobility-route-auth", "fingerprint": "46179b6618cf80cfda27e53ebc6f7ed5adb5f4530198ab8c7bac09750519134e", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|46179b6618cf80cfda27e53ebc6f7ed5adb5f4530198ab8c7bac09750519134e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/tts.py"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /transcribe has no auth: Handler `transcribe_audio` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 108296, "scanner": "repobility-route-auth", "fingerprint": "da180ac0463a3e3521909e4224d952e12f1b491a8ff40fc1378c202d3acd4be9", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|da180ac0463a3e3521909e4224d952e12f1b491a8ff40fc1378c202d3acd4be9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/asr.py"}, "region": {"startLine": 723}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /batch has no auth: Handler `verify_batch` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 108295, "scanner": "repobility-route-auth", "fingerprint": "4edd47baeb479c35f6c7275ef370fe325dc05bccf9b24c85df231f17c60fe98f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|4edd47baeb479c35f6c7275ef370fe325dc05bccf9b24c85df231f17c60fe98f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/verify.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /match has no auth: Handler `match_medicine` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 108294, "scanner": "repobility-route-auth", "fingerprint": "b0db8f1c2f97f7d26892729af1fe77559354c96134a68bcf7747cee812a9a3f8", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|b0db8f1c2f97f7d26892729af1fe77559354c96134a68bcf7747cee812a9a3f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/ocr.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /extract has no auth: Handler `extract_text` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 108293, "scanner": "repobility-route-auth", "fingerprint": "45cbe3963e16704db06c2cc5de0806fa0e741719773aa574642e7b1bb7cb7770", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|45cbe3963e16704db06c2cc5de0806fa0e741719773aa574642e7b1bb7cb7770"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/ocr.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST (unknown path) has no auth: Handler `analyze_image` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 108292, "scanner": "repobility-route-auth", "fingerprint": "94356fe502953832e80c67a4184db9011112ada12664d0e6af53379ad35ccf4b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|94356fe502953832e80c67a4184db9011112ada12664d0e6af53379ad35ccf4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/analyze.py"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._extract_strength_from_ingredients` used but never assigned in __init__: Method `_parse_openfda_response` of class `CommercialMRPScraper` reads `self._extract_strength_from_ingredients`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108289, "scanner": "repobility-ast-engine", "fingerprint": "60078c66353dff02fa38cc99df9cbb6a875a0dc3b7ba6a6f203a6caf87bf4519", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|60078c66353dff02fa38cc99df9cbb6a875a0dc3b7ba6a6f203a6caf87bf4519"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/scrapers/commercial_mrp.py"}, "region": {"startLine": 304}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._lookup_mrp` used but never assigned in __init__: Method `_parse_openfda_response` of class `CommercialMRPScraper` reads `self._lookup_mrp`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108288, "scanner": "repobility-ast-engine", "fingerprint": "8020b5c5290d9878fff4115f470f006c1b2082ea40db09341a7f08c79808d3d1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8020b5c5290d9878fff4115f470f006c1b2082ea40db09341a7f08c79808d3d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/scrapers/commercial_mrp.py"}, "region": {"startLine": 309}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._parse_openfda_response` used but never assigned in __init__: Method `_fetch_openfda` of class `CommercialMRPScraper` reads `self._parse_openfda_response`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108287, "scanner": "repobility-ast-engine", "fingerprint": "ce7337958691a3a75e11032b901ca5ee6b9cada1d5c3a4f7719147338444133e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ce7337958691a3a75e11032b901ca5ee6b9cada1d5c3a4f7719147338444133e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/scrapers/commercial_mrp.py"}, "region": {"startLine": 258}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._sleep` used but never assigned in __init__: Method `scrape` of class `CommercialMRPScraper` reads `self._sleep`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108286, "scanner": "repobility-ast-engine", "fingerprint": "9461d9b786f9775eaf3cfa10a2694df3eaef0f5d08330fa8d8f543ed2cf3ae00", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9461d9b786f9775eaf3cfa10a2694df3eaef0f5d08330fa8d8f543ed2cf3ae00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/scrapers/commercial_mrp.py"}, "region": {"startLine": 225}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._fetch_openfda` used but never assigned in __init__: Method `scrape` of class `CommercialMRPScraper` reads `self._fetch_openfda`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108285, "scanner": "repobility-ast-engine", "fingerprint": "2ce83ab9817b45157d83715a947327e39f8f5031bb06a37bde6f1f52abba0878", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2ce83ab9817b45157d83715a947327e39f8f5031bb06a37bde6f1f52abba0878"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/scrapers/commercial_mrp.py"}, "region": {"startLine": 219}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._save_csv` used but never assigned in __init__: Method `scrape` of class `CommercialMRPScraper` reads `self._save_csv`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108284, "scanner": "repobility-ast-engine", "fingerprint": "a2f6ad4808ff16326c000551d967018ec6162bb5be5ee35512dbec711fa5c4fc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a2f6ad4808ff16326c000551d967018ec6162bb5be5ee35512dbec711fa5c4fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/scrapers/commercial_mrp.py"}, "region": {"startLine": 237}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.client` used but never assigned in __init__: Method `transcribe_symptom_recording` of class `ASRTranscriptionUser` reads `self.client`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108283, "scanner": "repobility-ast-engine", "fingerprint": "a6ac7470b1e9007721c324120578350af39d132216e302f7a5f2ccca5a91ec72", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a6ac7470b1e9007721c324120578350af39d132216e302f7a5f2ccca5a91ec72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/tests/locustfile.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.sample_wav` used but never assigned in __init__: Method `transcribe_symptom_recording` of class `ASRTranscriptionUser` reads `self.sample_wav`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108282, "scanner": "repobility-ast-engine", "fingerprint": "9c395d9bdc3aec93ddf3bd04b2f6b4b0e5b4de40425f1050549be372000f950c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9c395d9bdc3aec93ddf3bd04b2f6b4b0e5b4de40425f1050549be372000f950c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/tests/locustfile.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.sample_wav` used but never assigned in __init__: Method `on_start` of class `ASRTranscriptionUser` reads `self.sample_wav`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108281, "scanner": "repobility-ast-engine", "fingerprint": "a859ad49c880ee6ac1ce68c2b2a7a6207cad94b1c84b0859aa4648797b576bfe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a859ad49c880ee6ac1ce68c2b2a7a6207cad94b1c84b0859aa4648797b576bfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/tests/locustfile.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.take_audio` used but never assigned in __init__: Method `finish` of class `FakeDecoder` reads `self.take_audio`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108280, "scanner": "repobility-ast-engine", "fingerprint": "21a00a42a75f4ff17596f570c7c77d7ac1eb8f784ca3a5afbcc5f09f5551ed64", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|21a00a42a75f4ff17596f570c7c77d7ac1eb8f784ca3a5afbcc5f09f5551ed64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/tests/test_asr_stream.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.close` used but never assigned in __init__: Method `finalize` of class `StreamingAsrSession` reads `self.close`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108278, "scanner": "repobility-ast-engine", "fingerprint": "2eb37eab93b771d1dc7d4bd511c5a6e689bf3a502dbc1ac94460e722a693cf37", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2eb37eab93b771d1dc7d4bd511c5a6e689bf3a502dbc1ac94460e722a693cf37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/asr.py"}, "region": {"startLine": 712}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._run_transcription` used but never assigned in __init__: Method `finalize` of class `StreamingAsrSession` reads `self._run_transcription`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108277, "scanner": "repobility-ast-engine", "fingerprint": "e6bb724496fac2eb484c4592e5acbe9b3e03d090856100bfa48773db29e11c8b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e6bb724496fac2eb484c4592e5acbe9b3e03d090856100bfa48773db29e11c8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/asr.py"}, "region": {"startLine": 710}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._append_audio` used but never assigned in __init__: Method `finalize` of class `StreamingAsrSession` reads `self._append_audio`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108276, "scanner": "repobility-ast-engine", "fingerprint": "78d09a1c39df629bbb19f2c497e9d9261c8192343ee31ad5df8b17ca475d3b7b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|78d09a1c39df629bbb19f2c497e9d9261c8192343ee31ad5df8b17ca475d3b7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/asr.py"}, "region": {"startLine": 708}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._run_transcription` used but never assigned in __init__: Method `append_and_maybe_transcribe` of class `StreamingAsrSession` reads `self._run_transcription`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108275, "scanner": "repobility-ast-engine", "fingerprint": "7e6dd07214f5d32648130b22d5f2397b3491db7f2702b287b8f1b605efe630fb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7e6dd07214f5d32648130b22d5f2397b3491db7f2702b287b8f1b605efe630fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/asr.py"}, "region": {"startLine": 692}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._append_audio` used but never assigned in __init__: Method `append_and_maybe_transcribe` of class `StreamingAsrSession` reads `self._append_audio`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108274, "scanner": "repobility-ast-engine", "fingerprint": "923d18a54263ec10b507a34083870a508ed1dcbf2008ebecf9c4a080f6942d95", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|923d18a54263ec10b507a34083870a508ed1dcbf2008ebecf9c4a080f6942d95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/asr.py"}, "region": {"startLine": 675}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_decoder` used but never assigned in __init__: Method `append_and_maybe_transcribe` of class `StreamingAsrSession` reads `self._get_decoder`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108273, "scanner": "repobility-ast-engine", "fingerprint": "47c432f628dccd9ac8d4a81d5d6e899d64f0888ff07f86eafd397a0404166380", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|47c432f628dccd9ac8d4a81d5d6e899d64f0888ff07f86eafd397a0404166380"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/asr.py"}, "region": {"startLine": 673}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._build_response` used but never assigned in __init__: Method `_run_transcription` of class `StreamingAsrSession` reads `self._build_response`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108272, "scanner": "repobility-ast-engine", "fingerprint": "5d34f8d9190ffa933e8c99292c192afdd5e2d2c8fa0049fdb357ff10c38b8ce7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5d34f8d9190ffa933e8c99292c192afdd5e2d2c8fa0049fdb357ff10c38b8ce7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/asr.py"}, "region": {"startLine": 656}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._trim_audio_buffer` used but never assigned in __init__: Method `_run_transcription` of class `StreamingAsrSession` reads `self._trim_audio_buffer`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108271, "scanner": "repobility-ast-engine", "fingerprint": "a494d33e16c8ff8c1dce6e2b51a5b17dc464340fe68f8e9c924bcb865021903d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a494d33e16c8ff8c1dce6e2b51a5b17dc464340fe68f8e9c924bcb865021903d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/asr.py"}, "region": {"startLine": 655}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._build_response` used but never assigned in __init__: Method `_run_transcription` of class `StreamingAsrSession` reads `self._build_response`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108270, "scanner": "repobility-ast-engine", "fingerprint": "e82eb20a76c7474107c3a3b7dfa2f2122510bff98b74894dbfef16d1d64c82b6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e82eb20a76c7474107c3a3b7dfa2f2122510bff98b74894dbfef16d1d64c82b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/asr.py"}, "region": {"startLine": 601}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._trim_audio_buffer` used but never assigned in __init__: Method `_append_audio` of class `StreamingAsrSession` reads `self._trim_audio_buffer`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108269, "scanner": "repobility-ast-engine", "fingerprint": "346fc773adfbc47619de94923d85ab848a55de94f5c87af17274a36e27043bcc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|346fc773adfbc47619de94923d85ab848a55de94f5c87af17274a36e27043bcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/asr.py"}, "region": {"startLine": 569}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._wait_for_process_exit` used but never assigned in __init__: Method `close` of class `StreamingAudioDecoder` reads `self._wait_for_process_exit`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108268, "scanner": "repobility-ast-engine", "fingerprint": "792c6c053755bfd6f160c7223417fc342e7b42668c630e5d930d356a421d04a5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|792c6c053755bfd6f160c7223417fc342e7b42668c630e5d930d356a421d04a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/asr.py"}, "region": {"startLine": 517}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.take_audio` used but never assigned in __init__: Method `finish` of class `StreamingAudioDecoder` reads `self.take_audio`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108267, "scanner": "repobility-ast-engine", "fingerprint": "aae7ffc801fd98e5a9a0304cd72d866aaa5f09fb1564edae42ff5173a5f54ed4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aae7ffc801fd98e5a9a0304cd72d866aaa5f09fb1564edae42ff5173a5f54ed4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/asr.py"}, "region": {"startLine": 513}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._wait_for_process_exit` used but never assigned in __init__: Method `finish` of class `StreamingAudioDecoder` reads `self._wait_for_process_exit`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108266, "scanner": "repobility-ast-engine", "fingerprint": "d80fb43ff679cb679dc2417c57b080994150d62ba41debef61de82d8a2e130ab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d80fb43ff679cb679dc2417c57b080994150d62ba41debef61de82d8a2e130ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/asr.py"}, "region": {"startLine": 511}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._decoder_error` used but never assigned in __init__: Method `push` of class `StreamingAudioDecoder` reads `self._decoder_error`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108265, "scanner": "repobility-ast-engine", "fingerprint": "f98b43212edbd36917243abf0855072be748c2f36c1e102f0e4e0c021059ca2e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f98b43212edbd36917243abf0855072be748c2f36c1e102f0e4e0c021059ca2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/asr.py"}, "region": {"startLine": 464}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._decoder_error` used but never assigned in __init__: Method `push` of class `StreamingAudioDecoder` reads `self._decoder_error`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 108264, "scanner": "repobility-ast-engine", "fingerprint": "0583b2c38727505370b621aeec4fccc7b9a32447acac40055f33cd2a301db8ab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0583b2c38727505370b621aeec4fccc7b9a32447acac40055f33cd2a301db8ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/asr.py"}, "region": {"startLine": 458}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 108255, "scanner": "repobility-journey-contract", "fingerprint": "2b08a1b29fa4b5d211fb2cd5ca2eed8f226fd6674e12d1e83f36cafa5d7ce18e", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|apps/web/app/ locale /login/page.tsx|188|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/[locale]/login/page.tsx"}, "region": {"startLine": 188}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 108210, "scanner": "repobility-docker", "fingerprint": "36e8f82a3eb27336a9d8501f9421528ae0c1fdbc8aac3016764ccbdeba2ef7eb", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "6379:6379", "target": "6379", "host_ip": "", "published": "6379"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|36e8f82a3eb27336a9d8501f9421528ae0c1fdbc8aac3016764ccbdeba2ef7eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 108160, "scanner": "repobility-threat-engine", "fingerprint": "006bf51308bbf11a73eb62114ed95aa44b8c462c437456529f90b04b050fb39a", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((violation) => `${violation.id}: ${violation.help}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|006bf51308bbf11a73eb62114ed95aa44b8c462c437456529f90b04b050fb39a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/scripts/voice-a11y-audit.mjs"}, "region": {"startLine": 120}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 108151, "scanner": "repobility-threat-engine", "fingerprint": "02dc44c935270b15b63ad950884aee1a2a87405a599fcdf321b8f28bded8b68f", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"No module named '([^']+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|19|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/services/router_loader.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 108145, "scanner": "repobility-threat-engine", "fingerprint": "20a43f9ed60485a81af53b5a65895ecf3a20cdb6030e5f7bfaa5cfea701f2183", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|20a43f9ed60485a81af53b5a65895ecf3a20cdb6030e5f7bfaa5cfea701f2183"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/services/telemetry.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 108144, "scanner": "repobility-threat-engine", "fingerprint": "3b9ebd549e1f0701b0287f83d35b4e3211a813af1a1f8d50b0e4eca91c64face", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3b9ebd549e1f0701b0287f83d35b4e3211a813af1a1f8d50b0e4eca91c64face"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/verify.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 108143, "scanner": "repobility-threat-engine", "fingerprint": "555d98265fd8d2c0ea47a384c81f010e15b04cd0c12b64e94e101bdf823bdc6e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|555d98265fd8d2c0ea47a384c81f010e15b04cd0c12b64e94e101bdf823bdc6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/tts.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 108142, "scanner": "repobility-threat-engine", "fingerprint": "4d213a5cde46577a68c4a56f4fc2822f060ada0ced7ff8e242ae75e2f2876627", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4d213a5cde46577a68c4a56f4fc2822f060ada0ced7ff8e242ae75e2f2876627"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/etl/src/scrapers/commercial_medicine.py"}, "region": {"startLine": 138}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `run` has cognitive complexity 36 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=2, else=3, except=1, for=2, if=12, nested_bonus=11, ternary=5."}, "properties": {"repobilityId": 108130, "scanner": "repobility-threat-engine", "fingerprint": "96c96dc75013a7c7ed1ecb69c94086ac1b5c1f419ba5a5a5926d8e89164f3141", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 36 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "run", "breakdown": {"if": 12, "for": 2, "elif": 2, "else": 3, "except": 1, "ternary": 5, "nested_bonus": 11}, "complexity": 36, "correlation_key": "fp|96c96dc75013a7c7ed1ecb69c94086ac1b5c1f419ba5a5a5926d8e89164f3141"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/etl/run_all.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 108123, "scanner": "repobility-threat-engine", "fingerprint": "23278bc979bd9f54c51ccffd77ca6161cd19778fb3895b568f1471c7115cd7be", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "row_dict.update(val_res)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|23278bc979bd9f54c51ccffd77ca6161cd19778fb3895b568f1471c7115cd7be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/etl/src/validators/cdsco_validator.py"}, "region": {"startLine": 176}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 108122, "scanner": "repobility-threat-engine", "fingerprint": "4c802ce60b7bf255a1cc95b3b35880211468018044332898fd88cd9c59fbb111", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "memorySubscriptions.delete(endpoint);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4c802ce60b7bf255a1cc95b3b35880211468018044332898fd88cd9c59fbb111"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/services/notifications.ts"}, "region": {"startLine": 106}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 108121, "scanner": "repobility-threat-engine", "fingerprint": "673042c59dc9e61c897c0dc708a058b3ec2d77a6017e7a6c139d053d6d9ed378", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cache.delete(key);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|673042c59dc9e61c897c0dc708a058b3ec2d77a6017e7a6c139d053d6d9ed378"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/services/lasa.service.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 108119, "scanner": "repobility-threat-engine", "fingerprint": "5ba6ee5248b99f281373354622d58bb6c0aa8b8621945473572e7454952a6e1d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@router.post(\"\", response_model=AnalyzeImageResponse)\ndef analyze_image(payload: AnalyzeImageRequest", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5ba6ee5248b99f281373354622d58bb6c0aa8b8621945473572e7454952a6e1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/analyze.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 108118, "scanner": "repobility-threat-engine", "fingerprint": "813293b440542ce39cb86bc38cac6f7d9ce0ea4b5051063d430d0011355add78", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.post(\"/analyze\", async (req: Request, res: Response) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|813293b440542ce39cb86bc38cac6f7d9ce0ea4b5051063d430d0011355add78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/ml.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 108117, "scanner": "repobility-threat-engine", "fingerprint": "411b8a47900c4c4d98808a5e8bafbcb666ea0fc464bca273b2610d4f8fe7e95b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Router.post(\"/ingest\", async (req: Request, res: Response) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|411b8a47900c4c4d98808a5e8bafbcb666ea0fc464bca273b2610d4f8fe7e95b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/alerts.ts"}, "region": {"startLine": 94}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 108107, "scanner": "repobility-threat-engine", "fingerprint": "7edc706b9e485fd9de8733096a1611f85ddf848824bf0dd394edf2e218715f7f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7edc706b9e485fd9de8733096a1611f85ddf848824bf0dd394edf2e218715f7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/routes/reports.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 108106, "scanner": "repobility-threat-engine", "fingerprint": "74a14466ee3eb7edb7f41c27664bd37ad963ff3d3d09fd60745651b44d5dc697", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|74a14466ee3eb7edb7f41c27664bd37ad963ff3d3d09fd60745651b44d5dc697"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/config/mlService.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 108105, "scanner": "repobility-threat-engine", "fingerprint": "d0c0d98d72179c9490ac87f03f9908a72d6e5fe2f6debfa44628e3b826f77e0c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d0c0d98d72179c9490ac87f03f9908a72d6e5fe2f6debfa44628e3b826f77e0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/app.ts"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 108104, "scanner": "repobility-threat-engine", "fingerprint": "faf2ca206773d2bd8970baf5cf605a8dd58e717f3a26987a935c50eeb4e76304", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(sql", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|faf2ca206773d2bd8970baf5cf605a8dd58e717f3a26987a935c50eeb4e76304"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check-migrations.js"}, "region": {"startLine": 100}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 108103, "scanner": "repobility-threat-engine", "fingerprint": "c737bf4aa535ff873126c7f8e2e40885a790d377bb9bd1472d46ec406c5e639d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c737bf4aa535ff873126c7f8e2e40885a790d377bb9bd1472d46ec406c5e639d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/manage-labels.mjs"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 108262, "scanner": "repobility-ast-engine", "fingerprint": "3837f1119cfd430d154caf0f661b74b2e662429bb07650a3625ce1e57100c645", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3837f1119cfd430d154caf0f661b74b2e662429bb07650a3625ce1e57100c645"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ml/routers/analyze.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED030", "level": "error", "message": {"text": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__."}, "properties": {"repobilityId": 108179, "scanner": "repobility-threat-engine", "fingerprint": "ee23a1a717b0a932264d6f177eab04ae9503b5835b4a05ca11c131b8ee1cb356", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pickle-loads", "owasp": null, "cwe_ids": ["CWE-502"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347968+00:00", "triaged_in_corpus": 20, "observations_count": 6314, "ai_coder_pattern_id": 119}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ee23a1a717b0a932264d6f177eab04ae9503b5835b4a05ca11c131b8ee1cb356"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/distributed_lock_manager_4.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED030", "level": "error", "message": {"text": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__."}, "properties": {"repobilityId": 108178, "scanner": "repobility-threat-engine", "fingerprint": "d2af701ce192dd80b2e7973ae1415f619bbb3c5a989015987f739d3b28cea8c4", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pickle-loads", "owasp": null, "cwe_ids": ["CWE-502"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347968+00:00", "triaged_in_corpus": 20, "observations_count": 6314, "ai_coder_pattern_id": 119}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d2af701ce192dd80b2e7973ae1415f619bbb3c5a989015987f739d3b28cea8c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/distributed_lock_manager.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED030", "level": "error", "message": {"text": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__."}, "properties": {"repobilityId": 108177, "scanner": "repobility-threat-engine", "fingerprint": "f0c0e7908d78ca8c2cd2785f70c54487378eab806c24bba75bd16eb4955bf69d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pickle-loads", "owasp": null, "cwe_ids": ["CWE-502"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347968+00:00", "triaged_in_corpus": 20, "observations_count": 6314, "ai_coder_pattern_id": 119}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f0c0e7908d78ca8c2cd2785f70c54487378eab806c24bba75bd16eb4955bf69d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/advanced_cache_manager.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 108175, "scanner": "repobility-threat-engine", "fingerprint": "dc7f95804b0da4d42717f1dde741d7dc154caafe3c5b4d4c86e72ae88e865fe2", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dc7f95804b0da4d42717f1dde741d7dc154caafe3c5b4d4c86e72ae88e865fe2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/distributed_lock_manager_4.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 108174, "scanner": "repobility-threat-engine", "fingerprint": "4b26939cd99aa5d0102c5e466d6689dd5c1978afddfabda46680aac9f4486aba", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4b26939cd99aa5d0102c5e466d6689dd5c1978afddfabda46680aac9f4486aba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/distributed_lock_manager.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 108173, "scanner": "repobility-threat-engine", "fingerprint": "6eb8bea402c55d52e5965d20b097b2156072537cde617a8be2d84f88e59d2048", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6eb8bea402c55d52e5965d20b097b2156072537cde617a8be2d84f88e59d2048"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/advanced_cache_manager.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC081", "level": "error", "message": {"text": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3)."}, "properties": {"repobilityId": 108171, "scanner": "repobility-threat-engine", "fingerprint": "c8bace566982254fe1e720b698470ed299baf848de1de8d0d732182f5a44ca49", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pickle.loads(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC081", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c8bace566982254fe1e720b698470ed299baf848de1de8d0d732182f5a44ca49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/distributed_lock_manager_4.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC081", "level": "error", "message": {"text": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3)."}, "properties": {"repobilityId": 108170, "scanner": "repobility-threat-engine", "fingerprint": "7c1f87eadd88aae5eda6aebece37be2f75b3450d55f7ddad837f53db5af04068", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pickle.loads(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC081", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7c1f87eadd88aae5eda6aebece37be2f75b3450d55f7ddad837f53db5af04068"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/distributed_lock_manager.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC081", "level": "error", "message": {"text": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3)."}, "properties": {"repobilityId": 108169, "scanner": "repobility-threat-engine", "fingerprint": "3020d67a7e05639600be22e4f712ea40132b6b188766feed225e37aacdf35e74", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pickle.loads(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC081", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3020d67a7e05639600be22e4f712ea40132b6b188766feed225e37aacdf35e74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/advanced_cache_manager.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 108163, "scanner": "repobility-threat-engine", "fingerprint": "c9a7d275ce41761d711096865cc97f4d515dd88a4e830b0067bcdf4dc04abdea", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c9a7d275ce41761d711096865cc97f4d515dd88a4e830b0067bcdf4dc04abdea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/scripts/voice-a11y-audit.mjs"}, "region": {"startLine": 84}}}]}]}]}