{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /ba"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /background/delete."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /settings."}, "fullDescription": {"text": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /settings."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches 
to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR017", "name": "Dockerfile installs dependencies after copying the full source tree", "shortDescription": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "fullDescription": {"text": "When dependency installation comes after COPY ., any source change invalidates the dependency layer and makes Docker rebuild much more slowly."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR009", "name": "Dockerfile separates apt update from install", "shortDescription": {"text": "Dockerfile separates apt update from install"}, "fullDescription": {"text": "Splitting apt update and install across layers can reuse stale package indexes and make builds less reliable."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `run` has cognitive complexity 23 (SonarSource scale). Cognitive complexit", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `run` has cognitive complexity 23 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 23."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "Mutable default argument in `crawl_and_check` (dict)", "shortDescription": {"text": "Mutable default argument in `crawl_and_check` (dict)"}, "fullDescription": {"text": "`def crawl_and_check(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "QA001", "name": "[QA001] No Tests Found: No test files or test directories found.", "shortDescription": {"text": "[QA001] No Tests Found: No test files or test directories found."}, "fullDescription": {"text": "Add unit tests. Start with critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-threat-engine", "category": "testing", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "CFG001", "name": "[CFG001] Docker Runs as Root: Container runs as root user. Consider adding a non-root USER directive.", "shortDescription": {"text": "[CFG001] Docker Runs as Root: Container runs as root user. 
Consider adding a non-root USER directive."}, "fullDescription": {"text": "Add 'USER nonroot' after installing dependencies."}, "properties": {"scanner": "repobility-threat-engine", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Pip's package cache increases image size and can preserve unnecessary artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", 
"category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC124", "name": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacke", "shortDescription": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason."}, "fullDescription": {"text": "Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). For locking, use `fcntl.flock`."}, "properties": {"scanner": "repobility-threat-engine", "category": "race_condition", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "CFG003", "name": "[CFG003] Docker COPY Everything: Copying entire directory may include secrets and build artifacts.", "shortDescription": {"text": "[CFG003] Docker COPY Everything: Copying entire directory may include secrets and build artifacts."}, "fullDescription": {"text": "Use .dockerignore and COPY specific files/directories."}, "properties": {"scanner": "repobility-threat-engine", "category": "docker", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED064] Python Input Call (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout (and 1 more): Same pattern found in 1 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC078] Python: requests without timeout (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED077", "name": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.", "shortDescription": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-772 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "MINED034", "name": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.", "shortDescription": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC035", "name": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based o", "shortDescription": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation."}, "fullDescription": {"text": "Cap user-controlled sizes BEFORE allocation:\n  size = min(int(request.args.get('n', 100)), MAX_SIZE)\nSet framework-level limits:\n  Flask:    app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024\n  FastAPI:  use middleware to enforce request size\n  Django:   DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py\nNever raise `sys.setrecursionlimit` past 10K without a deeper review."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-705 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED036", "name": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping.", "shortDescription": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. 
The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/stale` pinned to mutable ref `@v9`", "shortDescription": {"text": "Action `actions/stale` pinned to mutable ref `@v9`"}, "fullDescription": {"text": "`uses: actions/stale@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `python:3.10.14-slim` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `python:3.10.14-slim` not pinned by digest"}, "fullDescription": {"text": "`FROM python:3.10.14-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.randomvoice` used but never assigned in __init__", "shortDescription": {"text": "`self.randomvoice` used but never assigned in __init__"}, "fullDescription": {"text": "Method `run` of class `OpenAITTS` reads `self.randomvoice`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). 
Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "Missing import: `time` used but not imported", "shortDescription": {"text": "Missing import: `time` used but not imported"}, "fullDescription": {"text": "The file uses `time.something(...)` but never imports `time`. This raises NameError at runtime the first time the line executes."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/5"}, "properties": {"repository": "elebumm/RedditVideoMakerBot", "repoUrl": "https://github.com/elebumm/RedditVideoMakerBot", "branch": "master"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 42312, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or 
destructive action without elevated policy evidence. Endpoint: ANY /background/delete."}, "properties": {"repobilityId": 42309, "scanner": "repobility-access-control", "fingerprint": "2c233d72c28d9446eeb8929568eddc6e6feea5e37ecdd08dfef9048485c1ca01", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/background/delete", "method": "ANY", "scanner": "repobility-access-control", "framework": "Flask", "correlation_key": "code|auth|gui.py|62|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "GUI.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /settings."}, "properties": {"repobilityId": 42308, "scanner": "repobility-access-control", "fingerprint": "d353001a94baea365ea5753a886b6a897a1581925850e15cf753c027cc422586", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings", "method": "ANY", "scanner": "repobility-access-control", "framework": "Flask", "correlation_key": "code|auth|gui.py|70|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "GUI.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 42307, "scanner": "repobility-access-control", "fingerprint": "b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 9, "correlation_key": "fp|b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "auth_visible_percent": 0.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 42306, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 
0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Flask"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 42304, "scanner": "repobility-docker", "fingerprint": "bbddb30f89178c7f394f661014c4463818fa0d7143e3346dcf37c2b53e571e10", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.10.14-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bbddb30f89178c7f394f661014c4463818fa0d7143e3346dcf37c2b53e571e10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 42303, "scanner": "repobility-docker", "fingerprint": "683bdd78e15ee8fed62cefd43eb63830d669e862e664b047c022198100419d8b", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 8 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": 
"repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 8, "correlation_key": "fp|683bdd78e15ee8fed62cefd43eb63830d669e862e664b047c022198100419d8b", "dependency_install_line": 10}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 42299, "scanner": "repobility-docker", "fingerprint": "e2b10b45f0961043dcba22903229129a78940f99a701f7dd0fb958f7cc7b14f1", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e2b10b45f0961043dcba22903229129a78940f99a701f7dd0fb958f7cc7b14f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 42294, "scanner": "repobility-threat-engine", "fingerprint": "a85d432a142af4194ed250e26146d7165d600c01259aa7ac5e9848133f5b0820", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|utils/settings.py|33|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/settings.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 42293, "scanner": "repobility-threat-engine", "fingerprint": "13ffee536938b72e9ccd5c01b7d8128f90a80306edca41b154a226011bb30a78", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|utils/gui_utils.py|49|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/gui_utils.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 42292, "scanner": "repobility-threat-engine", "fingerprint": "c5c3ddc71725f03d9a2de76e232f036e6f9af5cc1186e7c92b79b65a6970f61b", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "(eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|utils/console.py|105|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/console.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `run` has cognitive complexity 23 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: break=1, elif=1, else=3, for=2, if=5, nested_bonus=11."}, "properties": {"repobilityId": 42268, "scanner": "repobility-threat-engine", "fingerprint": "4eb7cbd75e6d033cd99b59a8e1e83d0cfb2bacf5a2b2fd66cc05c37a5ef39744", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 23 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "run", "breakdown": {"if": 5, "for": 2, "elif": 1, "else": 3, "break": 1, "nested_bonus": 11}, "complexity": 23, "correlation_key": "fp|4eb7cbd75e6d033cd99b59a8e1e83d0cfb2bacf5a2b2fd66cc05c37a5ef39744"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/engine_wrapper.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 42249, "scanner": "repobility-ast-engine", "fingerprint": "6b76018d2fc489c7199846028368864f2b670dca88239743d0c8531d81257287", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6b76018d2fc489c7199846028368864f2b670dca88239743d0c8531d81257287"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/settings.py"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 42248, "scanner": "repobility-ast-engine", "fingerprint": "1ed0efda49c3f8e861279f99b25aa087bb3437c7209ef9a16fe92716819a7e57", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1ed0efda49c3f8e861279f99b25aa087bb3437c7209ef9a16fe92716819a7e57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/settings.py"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 42247, "scanner": "repobility-ast-engine", "fingerprint": "64247178c1714eec38cf2e127f17df5c7219c18985c37d4d7675683c243685cf", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|64247178c1714eec38cf2e127f17df5c7219c18985c37d4d7675683c243685cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/settings.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 42246, "scanner": "repobility-ast-engine", "fingerprint": "c1cb8a2d0e980e7140a677bc8723c316bb2abd32b04cdfb79256de426b394622", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c1cb8a2d0e980e7140a677bc8723c316bb2abd32b04cdfb79256de426b394622"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "utils/settings.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `crawl_and_check` (dict)"}, "properties": {"repobilityId": 42245, "scanner": "repobility-ast-engine", "fingerprint": "fecafe088494f2be5ff9c5e63b1f30ec69977148dda99df7cac77bdf1078f958", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fecafe088494f2be5ff9c5e63b1f30ec69977148dda99df7cac77bdf1078f958"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/settings.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 42244, "scanner": "repobility-ast-engine", "fingerprint": "34fd734f8d393ddb203f65af3c4563fedf3be02d5512129be536f2a5585dc205", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|34fd734f8d393ddb203f65af3c4563fedf3be02d5512129be536f2a5585dc205"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/gui_utils.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 42243, "scanner": "repobility-ast-engine", "fingerprint": "fe8201fe7fb3086f21233ee1b9adadb5834ed30b3d9d3f9caa42f0dce338a023", "category": "quality", "severity": "medium", 
"confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fe8201fe7fb3086f21233ee1b9adadb5834ed30b3d9d3f9caa42f0dce338a023"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/console.py"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 42241, "scanner": "repobility-ast-engine", "fingerprint": "20815833674c13121c708cd3acb6b757a07deca664311b084f45f168f0ec82ba", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|20815833674c13121c708cd3acb6b757a07deca664311b084f45f168f0ec82ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/ffmpeg_install.py"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 42240, "scanner": "repobility-ast-engine", "fingerprint": "6e4ce95937903cb95e57fb7d648b83d5363fdfb66b6f2f8d0171502d4192fe03", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6e4ce95937903cb95e57fb7d648b83d5363fdfb66b6f2f8d0171502d4192fe03"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "utils/ffmpeg_install.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 42239, "scanner": "repobility-ast-engine", "fingerprint": "f1b18106f4c113a9aa69a94595dc7f40c7660518d45e788853d870b8f7a3a0e9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f1b18106f4c113a9aa69a94595dc7f40c7660518d45e788853d870b8f7a3a0e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/ffmpeg_install.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 42234, "scanner": "repobility-ast-engine", "fingerprint": "6cdd393e754a577cdb36b00e9694c504809d59dc1992ea25f5c6afc2c2eff5f0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6cdd393e754a577cdb36b00e9694c504809d59dc1992ea25f5c6afc2c2eff5f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/engine_wrapper.py"}, "region": {"startLine": 167}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 42218, "scanner": "repobility-ast-engine", "fingerprint": "02c9497d7e0db30ba20cf3877176f09f2e7c2d3517eb765e51553f3e019daac9", "category": "quality", 
"severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|02c9497d7e0db30ba20cf3877176f09f2e7c2d3517eb765e51553f3e019daac9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "reddit/subreddit.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "QA001", "level": "warning", "message": {"text": "[QA001] No Tests Found: No test files or test directories found."}, "properties": {"repobilityId": 2164, "scanner": "repobility-threat-engine", "fingerprint": "0a6c649638a2dd6f8e8dae9bfb49f61b8c9a7baa39c17afd5d6bd2ef26cb0e1f", "category": "testing", "severity": "medium", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "No test files or standard test directories detected", "evidence": {"reason": "No test files or standard test directories detected", "rule_id": "QA001", "scanner": "repobility-threat-engine", "confidence": 0.8}}}, {"ruleId": "CFG001", "level": "warning", "message": {"text": "[CFG001] Docker Runs as Root: Container runs as root user. 
Consider adding a non-root USER directive."}, "properties": {"repobilityId": 2163, "scanner": "repobility-threat-engine", "fingerprint": "36826dfafc51e571d0c41828bb6bbcf9b08d9735ba1b4058b62cbf4d836c037c", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "No USER directive found in Dockerfile", "evidence": {"reason": "No USER directive found in Dockerfile", "rule_id": "CFG001", "scanner": "repobility-threat-engine", "confidence": 0.9}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 2162, "scanner": "repobility-threat-engine", "fingerprint": "c505eb8cad31920a5b53aa8a3f6afd2fc2cb761f441b0ec2d9a0aa727714b190", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|utils/ffmpeg_install.py|37|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/ffmpeg_install.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 2161, "scanner": "repobility-threat-engine", "fingerprint": "9ecac83f8d8eaec0922c8b5a03fc9d253624212dba9198b5ad263e9654d1248f", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": 
"needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "subprocess.run(\n            \"sudo apt install ffmpeg\",\n            shell=True", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|utils/ffmpeg_install.py|71|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/ffmpeg_install.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 2160, "scanner": "repobility-threat-engine", "fingerprint": "088b3410fe6710436a5a4750af3663bf4914ef242d5f34a184f35fccce5c09ed", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "os.system(\n                    \"ffmpeg -f concat -y -hide_banner -loglevel panic -safe 0 \"", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|tts/engine_wrapper.py|130|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/engine_wrapper.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 2158, "scanner": "repobility-threat-engine", "fingerprint": "42aeecc53bd7bd59864414cd1ea5f5597700cf825210585551b6d30ac37da582", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "random.choice(list(background_options[mode].key", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|71|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "video_creation/background.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 42310, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Flask"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 42305, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context 
should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 42302, "scanner": "repobility-docker", "fingerprint": "f411bed0c3ed6ccb29b542f513ed592f2779662d1e860b1e507c38cd3c450533", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|f411bed0c3ed6ccb29b542f513ed592f2779662d1e860b1e507c38cd3c450533"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 42301, "scanner": "repobility-docker", "fingerprint": "9b98c31c66d05ff92a3082f57028ffbc20d12d3a4071dd10933d751c96b47d7b", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|9b98c31c66d05ff92a3082f57028ffbc20d12d3a4071dd10933d751c96b47d7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 42300, "scanner": "repobility-docker", "fingerprint": "9dba8b01f1838c10f5baf40a28b5023d73fcddf0605e10270db64ddd89e957ec", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9dba8b01f1838c10f5baf40a28b5023d73fcddf0605e10270db64ddd89e957ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC124", "level": "note", "message": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). 
`mktemp` is deprecated for the same reason."}, "properties": {"repobilityId": 42296, "scanner": "repobility-threat-engine", "fingerprint": "70d7b222e6c86172f150dd0e156b9ec4ead44a9d854272917ba8014597b18fd4", "category": "race_condition", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.path.exists(ffmpeg_zip_filename):\n            os.remove(ffmpeg_zip_filename)\n\n        # Download", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC124", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|70d7b222e6c86172f150dd0e156b9ec4ead44a9d854272917ba8014597b18fd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/ffmpeg_install.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 42273, "scanner": "repobility-threat-engine", "fingerprint": "4a4a7b259fa07d33c2e6c2187517a5736508e12155f49365911948626a5652a5", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"[blue]Example: \" + str(checks[\"example\"]) + \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4a4a7b259fa07d33c2e6c2187517a5736508e12155f49365911948626a5652a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/settings.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 42272, "scanner": "repobility-threat-engine", "fingerprint": "d40989af098b9c05a6e71f250ff1f337d5a25fc5fc84881bbb5a866224e9ceed", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "print(\n                    \"[red bold]\"\n                    + err_message\n                    + \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d40989af098b9c05a6e71f250ff1f337d5a25fc5fc84881bbb5a866224e9ceed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/console.py"}, "region": {"startLine": 108}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 42271, "scanner": "repobility-threat-engine", "fingerprint": "98fc81e063169f8710a620b01ac5e7f6086bcd71a8d213f94672f6d8b8d1633d", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\" *(((.|\\n){0,\" + str(self.tts_module.max_chars) + \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|98fc81e063169f8710a620b01ac5e7f6086bcd71a8d213f94672f6d8b8d1633d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/engine_wrapper.py"}, "region": {"startLine": 110}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `split_post` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=1, else=1, except=2, for=3, if=1, nested_bonus=3."}, "properties": {"repobilityId": 42269, "scanner": "repobility-threat-engine", "fingerprint": "29ad99b9e8e7c250cbaa58b6d8a1e2489e4816fb2afccb4317a1fae09e6b97a5", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 11 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "split_post", "breakdown": {"if": 1, "for": 3, "else": 1, "except": 2, "continue": 1, "nested_bonus": 3}, "complexity": 11, "correlation_key": "fp|29ad99b9e8e7c250cbaa58b6d8a1e2489e4816fb2afccb4317a1fae09e6b97a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/engine_wrapper.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `run` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=2, except=2, if=3, nested_bonus=1."}, "properties": {"repobilityId": 42267, "scanner": "repobility-threat-engine", "fingerprint": "e8f5d0ba1229f1637f94e11ed8084bda4b25cdd1c6467b72d4eee44471ad2358", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "run", "breakdown": {"if": 3, "else": 2, "except": 2, "nested_bonus": 1}, "complexity": 8, "correlation_key": "fp|e8f5d0ba1229f1637f94e11ed8084bda4b25cdd1c6467b72d4eee44471ad2358"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/aws_polly.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 42214, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ee5d3ce020f0914129aebd5b96ded471245620da7944cf8c230ca35aeb4c34f7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "utils/gui_utils.py", "duplicate_line": 48, "correlation_key": "fp|ee5d3ce020f0914129aebd5b96ded471245620da7944cf8c230ca35aeb4c34f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/settings.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 42213, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f368b0313335d43a06390d687597f4f63ee9e6604f7e16f7e857fbd673da0e3c", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "TTS/aws_polly.py", "duplicate_line": 6, "correlation_key": "fp|f368b0313335d43a06390d687597f4f63ee9e6604f7e16f7e857fbd673da0e3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/streamlabs_polly.py"}, "region": {"startLine": 6}}}]}, {"ruleId": "CFG003", "level": "note", "message": {"text": "[CFG003] Docker COPY Everything: Copying entire directory may include secrets and build artifacts."}, "properties": {"repobilityId": 2157, "scanner": "repobility-threat-engine", "fingerprint": "8d2deb7a81fbb5c4a1ecdfb5f36c928566b5075d2d85a9b020270e70ff38093c", "category": "docker", "severity": "low", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ADD .", "reason": "Pattern matched with no mitigating context found", "rule_id": "CFG003", "scanner": "repobility-threat-engine", "confidence": 1.0}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 42298, "scanner": "repobility-threat-engine", "fingerprint": "0af6e7a975309a4bbaaa2187306f549757163a718fdd3958192a53252d905629", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": 
"stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0af6e7a975309a4bbaaa2187306f549757163a718fdd3958192a53252d905629"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "video_creation/screenshot_downloader.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 42291, "scanner": "repobility-threat-engine", "fingerprint": "e9bef44272652a5ecb502f14f98158bf299b66a7cb41ba7aeb53e7c0265b59b2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e9bef44272652a5ecb502f14f98158bf299b66a7cb41ba7aeb53e7c0265b59b2", "aggregated_count": 3}}}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. 
Inappropriate in services."}, "properties": {"repobilityId": 42290, "scanner": "repobility-threat-engine", "fingerprint": "b62246a96e91562319f7a310f56fc54dccdd281dcaf731c0ce43952ba89e6d93", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b62246a96e91562319f7a310f56fc54dccdd281dcaf731c0ce43952ba89e6d93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/ffmpeg_install.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. 
Inappropriate in services."}, "properties": {"repobilityId": 42289, "scanner": "repobility-threat-engine", "fingerprint": "b1e04dae468cb76dcd7fda45e964515c98f9c85dba25eed207e7773d361ab062", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b1e04dae468cb76dcd7fda45e964515c98f9c85dba25eed207e7773d361ab062"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/console.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. 
Inappropriate in services."}, "properties": {"repobilityId": 42288, "scanner": "repobility-threat-engine", "fingerprint": "a39d4279dcd54ae5c3f2bf9a0a23f9b9d9f3e0a42f013a8a4ed231e4b9e45611", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a39d4279dcd54ae5c3f2bf9a0a23f9b9d9f3e0a42f013a8a4ed231e4b9e45611"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "reddit/subreddit.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 42286, "scanner": "repobility-threat-engine", "fingerprint": "a98932549a04eeb718529895d1869454506e19fc7a04810044649777392b1070", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a98932549a04eeb718529895d1869454506e19fc7a04810044649777392b1070", "aggregated_count": 1}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 42285, "scanner": "repobility-threat-engine", "fingerprint": "96c7a23e9eb7a2e863f1bb6f12c70cb2bae7694ac95cb2665dccc504f91a1ee5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|96c7a23e9eb7a2e863f1bb6f12c70cb2bae7694ac95cb2665dccc504f91a1ee5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/ffmpeg_install.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 42284, "scanner": "repobility-threat-engine", "fingerprint": "6d861af4f5430e3d88b75edbeadce26b1f6361abf01696cad0d9077fbdf2c7c9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d861af4f5430e3d88b75edbeadce26b1f6361abf01696cad0d9077fbdf2c7c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/streamlabs_polly.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 42283, "scanner": "repobility-threat-engine", "fingerprint": "c48c01effcca07db744858555881e194d8162c9713436fc365d57d5a710c7310", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c48c01effcca07db744858555881e194d8162c9713436fc365d57d5a710c7310"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/openai_tts.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 42282, "scanner": "repobility-threat-engine", "fingerprint": "5728b7b83f3bb28a360be3eb40b6cca9adbedafd7cf3ebff8bde153047c91ba9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5728b7b83f3bb28a360be3eb40b6cca9adbedafd7cf3ebff8bde153047c91ba9"}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 42270, "scanner": "repobility-threat-engine", "fingerprint": "79d352d73437ebd7dfb28aea2dab6bd7823e8d3a3a6573567ca5ec0771ab478c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "run", "breakdown": {"if": 3, "else": 2, "except": 2, "nested_bonus": 1}, "aggregated": true, "complexity": 8, "correlation_key": "fp|79d352d73437ebd7dfb28aea2dab6bd7823e8d3a3a6573567ca5ec0771ab478c", "aggregated_count": 13}}}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 42266, "scanner": "repobility-threat-engine", "fingerprint": "487009a12e710bf92bc32d40e3b84285054c547795620326b8ed86d6c3e51160", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|487009a12e710bf92bc32d40e3b84285054c547795620326b8ed86d6c3e51160"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "video_creation/screenshot_downloader.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 42265, "scanner": "repobility-threat-engine", "fingerprint": "f9cd8b0bd7438d82014ab8875cb55bf18569ae0b60287f4b7a076de15b090149", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f9cd8b0bd7438d82014ab8875cb55bf18569ae0b60287f4b7a076de15b090149"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/aws_polly.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 42262, "scanner": "repobility-threat-engine", "fingerprint": "11698e24bb20173cdcfd3a45d9f7ebd7fdf03339053ffe2dca3364e69347a965", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, 
"observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|11698e24bb20173cdcfd3a45d9f7ebd7fdf03339053ffe2dca3364e69347a965"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "GUI.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 2159, "scanner": "repobility-threat-engine", "fingerprint": "3a07336de9cd9196548cb0593d0e59492b5bdd2c4c0b8db8ced29615bb8925b0", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "print(\"Invalid credentials - please check them in config.toml\")", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|reddit/subreddit.py|4|print invalid credentials - please check them in config.toml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "reddit/subreddit.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 42311, "scanner": "repobility-journey-contract", "fingerprint": "8fb005a1bcd120b96c8eeb6c5bfe64d0aff4781ae47b73472179454389c12e73", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|gui/settings.html|56|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "GUI/settings.html"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED034", "level": "error", "message": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "properties": {"repobilityId": 42297, "scanner": "repobility-threat-engine", "fingerprint": "418fecb111029d1d20f916a3ca1e7df0dcdc547711a1304e05516af347440e83", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-subprocess-shell-true", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347977+00:00", "triaged_in_corpus": 15, "observations_count": 3478, "ai_coder_pattern_id": 118}, "scanner": "repobility-threat-engine", "correlation_key": "fp|418fecb111029d1d20f916a3ca1e7df0dcdc547711a1304e05516af347440e83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/ffmpeg_install.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC035", "level": "error", "message": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. 
Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants."}, "properties": {"repobilityId": 42295, "scanner": "repobility-threat-engine", "fingerprint": "32a0c27235c25d11bb0cc0fdebbf3c919c6bc997ef8e41f908486981a9e95924", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC035", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|32a0c27235c25d11bb0cc0fdebbf3c919c6bc997ef8e41f908486981a9e95924"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/ffmpeg_install.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 42287, "scanner": "repobility-threat-engine", "fingerprint": "0cc2461dbfc00d8b2f802328be54eb21532170f338807cc83930dd7a492000af", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0cc2461dbfc00d8b2f802328be54eb21532170f338807cc83930dd7a492000af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "main.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: 
requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service (CWE-400; this is not ReDoS, which is regex-specific). Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 42281, "scanner": "repobility-threat-engine", "fingerprint": "b6c9f3d5f50fc9f4173d68c65439f1745ce1356fc0c03674bc0308dc6eb506b5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b6c9f3d5f50fc9f4173d68c65439f1745ce1356fc0c03674bc0308dc6eb506b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/ffmpeg_install.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service (CWE-400; this is not ReDoS, which is regex-specific). Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 42280, "scanner": "repobility-threat-engine", "fingerprint": "03cae51cc2cdd30f0b39465d6b55ab365615ba0a235cb0e0a49a816e551e04bb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|03cae51cc2cdd30f0b39465d6b55ab365615ba0a235cb0e0a49a816e551e04bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/streamlabs_polly.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service (CWE-400; this is not ReDoS, which is regex-specific). Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 42279, "scanner": "repobility-threat-engine", "fingerprint": "88b860f6fc4a84aeb607f3dbb86635eed473490831d51da3efdfad43d07f94f6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|88b860f6fc4a84aeb607f3dbb86635eed473490831d51da3efdfad43d07f94f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/openai_tts.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 42278, "scanner": "repobility-threat-engine", "fingerprint": "b6e91ee4ded19198cafceaa12f9b89ab35b7c8fbb401b6920f250cc39e4ace20", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(ffmpeg_url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b6e91ee4ded19198cafceaa12f9b89ab35b7c8fbb401b6920f250cc39e4ace20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/ffmpeg_install.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 42277, "scanner": "repobility-threat-engine", "fingerprint": "18dcb81277ff23c4fa1fd0904c72e1622dae9a49b82b80572ac2692f7658ead7", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(self.url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|18dcb81277ff23c4fa1fd0904c72e1622dae9a49b82b80572ac2692f7658ead7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/streamlabs_polly.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 42276, "scanner": "repobility-threat-engine", "fingerprint": "5204db80ed79ea46eaf0477dc7d7eee23d7a11078c327704258c1dd62b3bf9dd", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(self.api_url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5204db80ed79ea46eaf0477dc7d7eee23d7a11078c327704258c1dd62b3bf9dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/openai_tts.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED036", "level": "error", "message": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "properties": {"repobilityId": 42275, "scanner": "repobility-threat-engine", "fingerprint": "cbc43352f553c6694e315c6b74ecf4f0ec05033bf0655fa015809ec76046995e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-os-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347982+00:00", "triaged_in_corpus": 15, "observations_count": 2221, "ai_coder_pattern_id": 117}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cbc43352f553c6694e315c6b74ecf4f0ec05033bf0655fa015809ec76046995e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/posttextparser.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED036", "level": "error", "message": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no 
escaping."}, "properties": {"repobilityId": 42274, "scanner": "repobility-threat-engine", "fingerprint": "a9e1a96cf58e83b0183f5597b89332526677a178ec5a79be1acd6fb8b5b22824", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-os-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347982+00:00", "triaged_in_corpus": 15, "observations_count": 2221, "ai_coder_pattern_id": 117}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a9e1a96cf58e83b0183f5597b89332526677a178ec5a79be1acd6fb8b5b22824"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/engine_wrapper.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 42264, "scanner": "repobility-threat-engine", "fingerprint": "5a453fac2beeb4b40e2441f9666b91bab89114fb417c689b2a6224ef734a395f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "image.save(f\"assets/temp/{reddit_id}/png/img{idx}.png\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5a453fac2beeb4b40e2441f9666b91bab89114fb417c689b2a6224ef734a395f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/imagenarator.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 42263, "scanner": "repobility-threat-engine", "fingerprint": "bda06152cbe8ca7d31a31fb9ab5f2e2a55fbfbf7ac876099eade709b6b939e8f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "tts.save(filepath)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bda06152cbe8ca7d31a31fb9ab5f2e2a55fbfbf7ac876099eade709b6b939e8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/GTTS.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 42261, "scanner": "repobility-threat-engine", "fingerprint": "07388ad459b35e41db924d4f4f1796dee8bfc89fe2ad684f99af88c4ac95b49a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@app.route(\"/background/add\", methods=[\"POST\"])", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|07388ad459b35e41db924d4f4f1796dee8bfc89fe2ad684f99af88c4ac95b49a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "GUI.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/stale` pinned to mutable ref `@v9`"}, "properties": {"repobilityId": 42260, "scanner": "repobility-supply-chain", "fingerprint": "a3614dadf7eb90ae76399bf061e3296280f8a36b581883f13a04cee7f3a115ff", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a3614dadf7eb90ae76399bf061e3296280f8a36b581883f13a04cee7f3a115ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/stale.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 42259, "scanner": "repobility-supply-chain", "fingerprint": "47de0b7d500e85a2bb6c16dcc625b35d72558e9101a5883770d37a24868e43ab", 
"category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|47de0b7d500e85a2bb6c16dcc625b35d72558e9101a5883770d37a24868e43ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/fmt.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 42258, "scanner": "repobility-supply-chain", "fingerprint": "71046383fac9aea16e4d22812cb8c3b0d133b1c539fe14f887cad941bab25823", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|71046383fac9aea16e4d22812cb8c3b0d133b1c539fe14f887cad941bab25823"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/fmt.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `isort/isort-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 42257, "scanner": "repobility-supply-chain", "fingerprint": "36d422095fd5782b888a0e64689c2e323305e64106496c77c8d9bb3fee2046ba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": 
"repobility-supply-chain", "correlation_key": "fp|36d422095fd5782b888a0e64689c2e323305e64106496c77c8d9bb3fee2046ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `psf/black` pinned to mutable ref `@stable`"}, "properties": {"repobilityId": 42256, "scanner": "repobility-supply-chain", "fingerprint": "590b915dd2c67846f0704b333a7f748716f50246b1f8ba10fd564a1d373158ab", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|590b915dd2c67846f0704b333a7f748716f50246b1f8ba10fd564a1d373158ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 42255, "scanner": "repobility-supply-chain", "fingerprint": "c6d31ec9a21bd7d6f802477e798337415f0245def9da65989c009d55d052ceee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c6d31ec9a21bd7d6f802477e798337415f0245def9da65989c009d55d052ceee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action 
`github/codeql-action/analyze` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 42254, "scanner": "repobility-supply-chain", "fingerprint": "f475ad8709005aab919c0ac025d21dcbf914ccf26e85750e12c3e6c7747c836e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f475ad8709005aab919c0ac025d21dcbf914ccf26e85750e12c3e6c7747c836e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `github/codeql-action/autobuild` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 42253, "scanner": "repobility-supply-chain", "fingerprint": "b0e6d2905ac7258f7da2993fcdc7836ef96607ee6c332ade7402966fb31bf872", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b0e6d2905ac7258f7da2993fcdc7836ef96607ee6c332ade7402966fb31bf872"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `github/codeql-action/init` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 42252, "scanner": "repobility-supply-chain", "fingerprint": "2723623a390373a6610caccb42d4d24615282b09a36e019baeeaac6311fdafee", "category": "dependency", "severity": "high", "confidence": 0.9, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2723623a390373a6610caccb42d4d24615282b09a36e019baeeaac6311fdafee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 42251, "scanner": "repobility-supply-chain", "fingerprint": "a30160c625b3cd000c9531f1587b4a9edb5b13658a5834587d1581ed220e9277", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a30160c625b3cd000c9531f1587b4a9edb5b13658a5834587d1581ed220e9277"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `python:3.10.14-slim` not pinned by digest"}, "properties": {"repobilityId": 42250, "scanner": "repobility-supply-chain", "fingerprint": "98f86a92085829f1cb8fab4d060615bcc1852028b4b1eef7dd52bf001f37d535", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|98f86a92085829f1cb8fab4d060615bcc1852028b4b1eef7dd52bf001f37d535"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.randomvoice` used but never assigned in __init__"}, "properties": {"repobilityId": 42238, "scanner": "repobility-ast-engine", "fingerprint": "0b1d51c3e6765897f767bbd0964aed247b2680d6afd1172a60080b180687795a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0b1d51c3e6765897f767bbd0964aed247b2680d6afd1172a60080b180687795a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/openai_tts.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.run` used but never assigned in __init__"}, "properties": {"repobilityId": 42237, "scanner": "repobility-ast-engine", "fingerprint": "0e55d2f1230032318bc8a3a64a4773da9703f61fe5f5161da3932535e3254ad9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0e55d2f1230032318bc8a3a64a4773da9703f61fe5f5161da3932535e3254ad9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/streamlabs_polly.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.randomvoice` used but never assigned in __init__"}, "properties": {"repobilityId": 42236, "scanner": 
"repobility-ast-engine", "fingerprint": "67d0ad0767a71f3be771dd17539b20b2c3c333889ab568d48819c2dfa2252ba5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|67d0ad0767a71f3be771dd17539b20b2c3c333889ab568d48819c2dfa2252ba5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/streamlabs_polly.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.randomvoice` used but never assigned in __init__"}, "properties": {"repobilityId": 42235, "scanner": "repobility-ast-engine", "fingerprint": "8367efea6f010f408480de811ed119001f6606368e435cc7e978d0304122243a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8367efea6f010f408480de811ed119001f6606368e435cc7e978d0304122243a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/aws_polly.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.call_tts` used but never assigned in __init__"}, "properties": {"repobilityId": 42233, "scanner": "repobility-ast-engine", "fingerprint": "19d874903ad7c95d5c62d1ca118897599577b3fdd201b276e74acc8a67cfde00", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], 
"languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|19d874903ad7c95d5c62d1ca118897599577b3fdd201b276e74acc8a67cfde00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/engine_wrapper.py"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.create_silence_mp3` used but never assigned in __init__"}, "properties": {"repobilityId": 42232, "scanner": "repobility-ast-engine", "fingerprint": "5e0a2c23740df4c7155704de72b3bfad0045b7a5d698c3194fbc66d8de44ac2b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5e0a2c23740df4c7155704de72b3bfad0045b7a5d698c3194fbc66d8de44ac2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/engine_wrapper.py"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.call_tts` used but never assigned in __init__"}, "properties": {"repobilityId": 42231, "scanner": "repobility-ast-engine", "fingerprint": "bffddf1e868eca61fd8528111466cd7ba649e2800d393f418c2ea75e3bd36395", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bffddf1e868eca61fd8528111466cd7ba649e2800d393f418c2ea75e3bd36395"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/engine_wrapper.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED108", "level": 
"error", "message": {"text": "`self.call_tts` used but never assigned in __init__"}, "properties": {"repobilityId": 42230, "scanner": "repobility-ast-engine", "fingerprint": "0b2cc08a8c3e9a6e43a0e0a14ee6a24b551e9a02af01f6d2ae0013b3f5688b79", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0b2cc08a8c3e9a6e43a0e0a14ee6a24b551e9a02af01f6d2ae0013b3f5688b79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/engine_wrapper.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.split_post` used but never assigned in __init__"}, "properties": {"repobilityId": 42229, "scanner": "repobility-ast-engine", "fingerprint": "8aeb5030118f3fd9019fa3554c82d4adb48744b1de2a951f78ea81b66c478160", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8aeb5030118f3fd9019fa3554c82d4adb48744b1de2a951f78ea81b66c478160"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/engine_wrapper.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.call_tts` used but never assigned in __init__"}, "properties": {"repobilityId": 42228, "scanner": "repobility-ast-engine", "fingerprint": "80fc02b1fc8f2259f2d1bcb5bd3b08fcfc9fc2e9166fad49888eb37a0346dfef", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|80fc02b1fc8f2259f2d1bcb5bd3b08fcfc9fc2e9166fad49888eb37a0346dfef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/engine_wrapper.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.split_post` used but never assigned in __init__"}, "properties": {"repobilityId": 42227, "scanner": "repobility-ast-engine", "fingerprint": "667f368c47f460e369b50b7a189b1cd6129cc9e97d3135f8384f28b682151a0b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|667f368c47f460e369b50b7a189b1cd6129cc9e97d3135f8384f28b682151a0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/engine_wrapper.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.call_tts` used but never assigned in __init__"}, "properties": {"repobilityId": 42226, "scanner": "repobility-ast-engine", "fingerprint": "84379dd2040cfed6a16f0a824383cbf27d1e527939128357d8fca22a76607a4d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|84379dd2040cfed6a16f0a824383cbf27d1e527939128357d8fca22a76607a4d"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "TTS/engine_wrapper.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.add_periods` used but never assigned in __init__"}, "properties": {"repobilityId": 42225, "scanner": "repobility-ast-engine", "fingerprint": "a72bbeaccf72518cf76406a949d6c2df5589a2d07623f65a9e9444f590530656", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a72bbeaccf72518cf76406a949d6c2df5589a2d07623f65a9e9444f590530656"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/engine_wrapper.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.random_voice` used but never assigned in __init__"}, "properties": {"repobilityId": 42224, "scanner": "repobility-ast-engine", "fingerprint": "058df95dd9784a88ae07eab2dc2c8d13e5b109b5ea2d0d9c16dbc748aaf9d4e5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|058df95dd9784a88ae07eab2dc2c8d13e5b109b5ea2d0d9c16dbc748aaf9d4e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/TikTok.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.get_voices` used but never assigned in __init__"}, "properties": {"repobilityId": 42223, "scanner": "repobility-ast-engine", "fingerprint": 
"4ce6e77983cd050a1ee4762caf013d58c6c88adadf346ddd67798a47c6cf168d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4ce6e77983cd050a1ee4762caf013d58c6c88adadf346ddd67798a47c6cf168d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/TikTok.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.randomvoice` used but never assigned in __init__"}, "properties": {"repobilityId": 42222, "scanner": "repobility-ast-engine", "fingerprint": "bd3d651a636cb5d08af0e37591e34af33d9ff9ab453cf17e9c527854e4bfff7e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bd3d651a636cb5d08af0e37591e34af33d9ff9ab453cf17e9c527854e4bfff7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/pyttsx.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.initialize` used but never assigned in __init__"}, "properties": {"repobilityId": 42221, "scanner": "repobility-ast-engine", "fingerprint": "c6853afb1a7ff1c189529bf3153745e17f04a7ca719f80243f1ae4a20401d08e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 
25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c6853afb1a7ff1c189529bf3153745e17f04a7ca719f80243f1ae4a20401d08e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/elevenlabs.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.randomvoice` used but never assigned in __init__"}, "properties": {"repobilityId": 42220, "scanner": "repobility-ast-engine", "fingerprint": "78da57a1b365561fece075e08e4a7354871e121645e46f608b25bc63250a32c4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|78da57a1b365561fece075e08e4a7354871e121645e46f608b25bc63250a32c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/elevenlabs.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.initialize` used but never assigned in __init__"}, "properties": {"repobilityId": 42219, "scanner": "repobility-ast-engine", "fingerprint": "2c8179b6cdc968f9eb823dd3df46aab496c43624e8c5d00c7050830e6d2aa41e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2c8179b6cdc968f9eb823dd3df46aab496c43624e8c5d00c7050830e6d2aa41e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TTS/elevenlabs.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.stop` used but never assigned 
in __init__"}, "properties": {"repobilityId": 42217, "scanner": "repobility-ast-engine", "fingerprint": "4924a513e6e88a5aedee69d8644dc692f2c8fd038ae1991d36add40351d3c5a6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4924a513e6e88a5aedee69d8644dc692f2c8fd038ae1991d36add40351d3c5a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "video_creation/final_video.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.start` used but never assigned in __init__"}, "properties": {"repobilityId": 42216, "scanner": "repobility-ast-engine", "fingerprint": "932c27d9e4e1bea82d66273e5b72c64a059db97e72988c89dbf62dfe874dbace", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|932c27d9e4e1bea82d66273e5b72c64a059db97e72988c89dbf62dfe874dbace"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "video_creation/final_video.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.get_latest_ms_progress` used but never assigned in __init__"}, "properties": {"repobilityId": 42215, "scanner": "repobility-ast-engine", "fingerprint": "495ee5e1b7ad00709c8feffd79124d06b22437bae6dfcec3ab1a15d3193e302b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|495ee5e1b7ad00709c8feffd79124d06b22437bae6dfcec3ab1a15d3193e302b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "video_creation/final_video.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 2156, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `time` used but not imported"}, "properties": {"repobilityId": 42242, "scanner": "repobility-ast-engine", "fingerprint": "8e64f59a1bcef0a6e0620c1edeb4c891f8d464f7b580e8b5c096e9bba8601e30", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8e64f59a1bcef0a6e0620c1edeb4c891f8d464f7b580e8b5c096e9bba8601e30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/voice.py"}, "region": {"startLine": 43}}}]}]}]}