{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB012", "name": "Service worker is present without a web app manifest", "shortDescription": {"text": "Service worker is present without a web app manifest"}, "fullDescription": {"text": "Add a valid manifest.json or site.webmanifest and reference it from the document head. Include name, icons, start_url, display, and theme colors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. 
For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. 
Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC007", "name": "Generated build artifact directory is present at repository root", "shortDescription": {"text": "Generated build artifact directory is present at repository root"}, "fullDescription": {"text": "Remove generated output from version control, add it to .gitignore and .dockerignore where relevant, and regenerate it in CI or release jobs."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. 
Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC005] Command Injection Risk (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. 
Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 9 more): Same pattern found in 9 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 9 more): Same pattern found in 9 additional files. 
Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 11 more): Same pattern found in 11 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Also block loopback (127/8, ::1) and check the resolved IP address rather than the hostname alone, since an allowed-looking name can resolve to an internal address."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 66 more): Same pattern found in 66 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 66 more): Same pattern found in 66 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 73 more): Same pattern found in 73 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 73 more): Same pattern found in 73 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED009", "name": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal.", "shortDescription": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. 
Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED035", "name": "[MINED035] Js New Function: new Function(...) compiles strings to functions.", "shortDescription": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-95 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/751"}, "properties": {"repository": "mrdoob/three.js", "repoUrl": "https://github.com/mrdoob/three.js", "branch": "dev"}, "results": [{"ruleId": "WEB012", "level": "warning", "message": {"text": "Service worker is present without a web app manifest"}, "properties": {"repobilityId": 62714, "scanner": "repobility-web-presence", "fingerprint": "fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A service worker was discovered but no common web manifest file was found.", "evidence": {"rule_id": "WEB012", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/Manifest"], "correlation_key": "fp|fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "manifest.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 62713, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 62712, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 62649, "scanner": "repobility-threat-engine", "fingerprint": "4b92efd60f081606ab31d7a3ae56fdebdf686e456ecd5f9de43b38c5d6def10c", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"$1\" target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|manual/resources/lesson.js|57|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "manual/resources/lesson.js"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 62648, "scanner": "repobility-threat-engine", "fingerprint": "2deb63db55eb1c5f2e151457689a31353dfa37fbfbce870f3cd05c25dec3fb16", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open( 'https://github.com/mrdoob/three.js/tree/master/editor', '_blank' )", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|editor/js/menubar.help.js|26|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editor/js/Menubar.Help.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 62642, "scanner": "repobility-threat-engine", "fingerprint": "cc5ec9773eba137c56fbd890fa79dc1de8cb7cc9640f7be3a7d5c28bdecac559", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|editor/js/storage.js|73|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editor/js/Storage.js"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 62641, "scanner": "repobility-threat-engine", "fingerprint": "a0fe0873a64839d53134ae4ff5250a3a6e5c2d95a18b89df9e9e15ab56ab51bc", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|editor/js/script.js|250|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editor/js/Script.js"}, "region": {"startLine": 250}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 62640, "scanner": "repobility-threat-engine", "fingerprint": "6588a0d15c32a788e481082b3098971943a1fcff62e457d1f255c3e414a61c95", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|editor/js/config.js|68|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editor/js/Config.js"}, "region": {"startLine": 68}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 62711, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 62710, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no 
sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 62709, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62708, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e4508f0eaa21049ef18fd0017bf178d96c36bad0ac912ae3f2897618fc1dcbad", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/materials/MeshLambertMaterial.js", "duplicate_line": 13, "correlation_key": 
"fp|e4508f0eaa21049ef18fd0017bf178d96c36bad0ac912ae3f2897618fc1dcbad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/materials/MeshToonMaterial.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62707, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5d856cc82f8be9383a6fefe4494a587c61f3eecdbc45490cbe8510225d664f8c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/materials/MeshLambertMaterial.js", "duplicate_line": 12, "correlation_key": "fp|5d856cc82f8be9383a6fefe4494a587c61f3eecdbc45490cbe8510225d664f8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/materials/MeshStandardMaterial.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62706, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b13e70ea8d1e0f84b2e059ce41728527a4740801770284c3e04e44c22740bd90", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/materials/MeshLambertMaterial.js", "duplicate_line": 12, "correlation_key": "fp|b13e70ea8d1e0f84b2e059ce41728527a4740801770284c3e04e44c22740bd90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"src/materials/MeshPhongMaterial.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62705, "scanner": "repobility-ai-code-hygiene", "fingerprint": "168056c593925666d21d335dc5a302f2d521986843270c0c4ee5443ed44c0b7c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/loaders/MaterialLoader.js", "duplicate_line": 4, "correlation_key": "fp|168056c593925666d21d335dc5a302f2d521986843270c0c4ee5443ed44c0b7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/materials/Materials.js"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62704, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f8f19992bcfbd01036062dca32b57bb8bd5d7b7b03902fe24e4c7f46d241a1cb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/loaders/AnimationLoader.js", "duplicate_line": 15, "correlation_key": "fp|f8f19992bcfbd01036062dca32b57bb8bd5d7b7b03902fe24e4c7f46d241a1cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/loaders/MaterialLoader.js"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across 
source files"}, "properties": {"repobilityId": 62703, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1905ffbc4531a317850f3e95d4e03af3ffd11baf21d515cb23102dac649dd618", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/loaders/BufferGeometryLoader.js", "duplicate_line": 14, "correlation_key": "fp|1905ffbc4531a317850f3e95d4e03af3ffd11baf21d515cb23102dac649dd618"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/loaders/MaterialLoader.js"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62702, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0a33db6732a6e3a4a44f5554c7a069a24c529ababbc5902fbdb3714244e917d3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/loaders/AnimationLoader.js", "duplicate_line": 15, "correlation_key": "fp|0a33db6732a6e3a4a44f5554c7a069a24c529ababbc5902fbdb3714244e917d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/loaders/BufferGeometryLoader.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62701, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"1cbed7d8176ec1bbe323266c947c100c4b93d6f38d614113875ee2616debbfc8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/geometries/CapsuleGeometry.js", "duplicate_line": 94, "correlation_key": "fp|1cbed7d8176ec1bbe323266c947c100c4b93d6f38d614113875ee2616debbfc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/geometries/TorusGeometry.js"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62700, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f8ccc3e21eeaa38bc09b35e338d02a3359f2f41378ffabad7724ab293cb0ad01", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/geometries/PlaneGeometry.js", "duplicate_line": 41, "correlation_key": "fp|f8ccc3e21eeaa38bc09b35e338d02a3359f2f41378ffabad7724ab293cb0ad01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/geometries/TorusGeometry.js"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62699, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7bf4b7309a3fe797e6089241e7cc7df97810be0ad6620abf6f67cf4fe415200a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/geometries/CapsuleGeometry.js", "duplicate_line": 94, "correlation_key": "fp|7bf4b7309a3fe797e6089241e7cc7df97810be0ad6620abf6f67cf4fe415200a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/geometries/SphereGeometry.js"}, "region": {"startLine": 62}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62698, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d9c140e22968625b72a9c68e4a2255cc9abc21bc2abeb7203c8f214e5d38539e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/geometries/CapsuleGeometry.js", "duplicate_line": 94, "correlation_key": "fp|d9c140e22968625b72a9c68e4a2255cc9abc21bc2abeb7203c8f214e5d38539e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/geometries/RingGeometry.js"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62697, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f7ad156869cc982bebe0772eb56b0d78fcd5fe071d2a7de51ecd91881a3b7490", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, 
"rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/geometries/PlaneGeometry.js", "duplicate_line": 41, "correlation_key": "fp|f7ad156869cc982bebe0772eb56b0d78fcd5fe071d2a7de51ecd91881a3b7490"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/geometries/RingGeometry.js"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62696, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7922123632fdf1e5843b76d96810b6229a877949e9c7ab3f0a6538568bb843d0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/geometries/CapsuleGeometry.js", "duplicate_line": 94, "correlation_key": "fp|7922123632fdf1e5843b76d96810b6229a877949e9c7ab3f0a6538568bb843d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/geometries/PlaneGeometry.js"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62695, "scanner": "repobility-ai-code-hygiene", "fingerprint": "40de5125e355e3dad4ec8096bd1e8b497a7358b319d08200fef619d111fcac18", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/geometries/CapsuleGeometry.js", 
"duplicate_line": 95, "correlation_key": "fp|40de5125e355e3dad4ec8096bd1e8b497a7358b319d08200fef619d111fcac18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/geometries/CircleGeometry.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62694, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bb984d8735772f277383389ffa62f19b7ac9eaf94c9f49874eb9b1efcc635a56", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/extras/curves/QuadraticBezierCurve.js", "duplicate_line": 19, "correlation_key": "fp|bb984d8735772f277383389ffa62f19b7ac9eaf94c9f49874eb9b1efcc635a56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/extras/curves/QuadraticBezierCurve3.js"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62693, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9a3c846fd562af13b5532518363c7d24032ca25c657ae35b31525abbb09e3c6a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/extras/curves/LineCurve.js", "duplicate_line": 12, "correlation_key": "fp|9a3c846fd562af13b5532518363c7d24032ca25c657ae35b31525abbb09e3c6a"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "src/extras/curves/LineCurve3.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62692, "scanner": "repobility-ai-code-hygiene", "fingerprint": "69c0ca2179704ab10a88ec4b4bebf0b05e7f534595c5fce88a15b5de3f25e000", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/extras/curves/CubicBezierCurve.js", "duplicate_line": 20, "correlation_key": "fp|69c0ca2179704ab10a88ec4b4bebf0b05e7f534595c5fce88a15b5de3f25e000"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/extras/curves/CubicBezierCurve3.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62691, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9c020745501b32ba9473bb1291916574a0d91c0ce92fd8e42c7745a74bb376db", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/core/BufferAttribute.js", "duplicate_line": 82, "correlation_key": "fp|9c020745501b32ba9473bb1291916574a0d91c0ce92fd8e42c7745a74bb376db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/core/InterleavedBufferAttribute.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", 
"level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62690, "scanner": "repobility-ai-code-hygiene", "fingerprint": "59c11ee6a99781ac247703288099be93b995325d4de0efda02452ba51c9f6bfb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/core/BufferAttribute.js", "duplicate_line": 27, "correlation_key": "fp|59c11ee6a99781ac247703288099be93b995325d4de0efda02452ba51c9f6bfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/core/InterleavedBuffer.js"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62689, "scanner": "repobility-ai-code-hygiene", "fingerprint": "684781cf951a3531ee498b909485b95e40abcf6855fced4c33924e3f30a889f7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/cameras/OrthographicCamera.js", "duplicate_line": 30, "correlation_key": "fp|684781cf951a3531ee498b909485b95e40abcf6855fced4c33924e3f30a889f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cameras/PerspectiveCamera.js"}, "region": {"startLine": 68}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62688, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "4ce25f7885aaee921559950c03680ff8c6ec533be7b311e51648c71e6e08c822", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "manual/resources/threejs-align-html-elements-to-3d.js", "duplicate_line": 57, "correlation_key": "fp|4ce25f7885aaee921559950c03680ff8c6ec533be7b311e51648c71e6e08c822"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "manual/resources/threejs-lots-of-objects.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62687, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a80060f1e3802c59f2e52093aa501b2453118edac33671ba0e722153856f67c3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "editor/js/commands/SetColorCommand.js", "duplicate_line": 19, "correlation_key": "fp|a80060f1e3802c59f2e52093aa501b2453118edac33671ba0e722153856f67c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editor/js/commands/SetValueCommand.js"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62686, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a4a82fb89912c5f930a77acadb0c6973da2c39fc3cd06a240eefa51118e6bfd5", 
"category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "editor/js/commands/SetColorCommand.js", "duplicate_line": 19, "correlation_key": "fp|a4a82fb89912c5f930a77acadb0c6973da2c39fc3cd06a240eefa51118e6bfd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editor/js/commands/SetShadowValueCommand.js"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62685, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b6a397ee07c5580cfbf096cbc347cbdc019d071c4d1a4c7f2a3c36829754e8fb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "editor/js/commands/MultiCmdsCommand.js", "duplicate_line": 8, "correlation_key": "fp|b6a397ee07c5580cfbf096cbc347cbdc019d071c4d1a4c7f2a3c36829754e8fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editor/js/commands/SetSceneCommand.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62684, "scanner": "repobility-ai-code-hygiene", "fingerprint": "151c1414cf3efeef0c13f7ae2da083cfb7752b46df76aae8ed70f7847d6fb9cb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "editor/js/commands/SetMaterialColorCommand.js", "duplicate_line": 23, "correlation_key": "fp|151c1414cf3efeef0c13f7ae2da083cfb7752b46df76aae8ed70f7847d6fb9cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editor/js/commands/SetMaterialVectorCommand.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62683, "scanner": "repobility-ai-code-hygiene", "fingerprint": "88e6d6fb10e6445df877a1206381d74f7e65d6f2e91f5226d15ac82e2e097a1e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "editor/js/commands/SetMaterialColorCommand.js", "duplicate_line": 23, "correlation_key": "fp|88e6d6fb10e6445df877a1206381d74f7e65d6f2e91f5226d15ac82e2e097a1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editor/js/commands/SetMaterialValueCommand.js"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62682, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d5913a5d64457f2ed97ca348b70ba8c64555906b9d873059e43c55a0fb9ee146", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": 
{"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "editor/js/commands/SetColorCommand.js", "duplicate_line": 23, "correlation_key": "fp|d5913a5d64457f2ed97ca348b70ba8c64555906b9d873059e43c55a0fb9ee146"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editor/js/commands/SetGeometryValueCommand.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62681, "scanner": "repobility-ai-code-hygiene", "fingerprint": "353424f5414c3f41a1fb16ee542b00255dfe444adbc88452f3e4a53dded3075d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "editor/js/Sidebar.Geometry.DodecahedronGeometry.js", "duplicate_line": 18, "correlation_key": "fp|353424f5414c3f41a1fb16ee542b00255dfe444adbc88452f3e4a53dded3075d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editor/js/Sidebar.Geometry.TetrahedronGeometry.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62680, "scanner": "repobility-ai-code-hygiene", "fingerprint": "275a7d77e5d6ecfcb4f0a75ba5c9f50ffc07a0c597d5805f02f055954d1cabda", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "editor/js/Sidebar.Geometry.DodecahedronGeometry.js", "duplicate_line": 18, "correlation_key": "fp|275a7d77e5d6ecfcb4f0a75ba5c9f50ffc07a0c597d5805f02f055954d1cabda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editor/js/Sidebar.Geometry.OctahedronGeometry.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 62679, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9a5970428b59e7770bec59ce8433cebb7bb015383030194a1db65ff9f1ddc4a3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "editor/js/Sidebar.Geometry.DodecahedronGeometry.js", "duplicate_line": 18, "correlation_key": "fp|9a5970428b59e7770bec59ce8433cebb7bb015383030194a1db65ff9f1ddc4a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editor/js/Sidebar.Geometry.IcosahedronGeometry.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC007", "level": "note", "message": {"text": "Generated build artifact directory is present at repository root"}, "properties": {"repobilityId": 62678, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9ce25f11f897b8a8b2478fd0136724866f111b604484c20a5c690bce80d94da1", "category": "quality", "severity": "low", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains a common generated artifact directory.", "evidence": {"rule_id": "AIC007", "scanner": "repobility-ai-code-hygiene", "directory": "build", "references": ["https://git-scm.com/docs/gitignore", "https://arxiv.org/abs/2601.15195"], 
"correlation_key": "fp|9ce25f11f897b8a8b2478fd0136724866f111b604484c20a5c690bce80d94da1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 62667, "scanner": "repobility-threat-engine", "fingerprint": "f46fc6830d059454629a107783a400ab19d5423b491d401d43c50430f2ef3e46", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'THREE.MorphBlendMesh: animation[' + name + '] undefined in .playAnimation()'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f46fc6830d059454629a107783a400ab19d5423b491d401d43c50430f2ef3e46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/jsm/misc/MorphBlendMesh.js"}, "region": {"startLine": 319}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). 
Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 62666, "scanner": "repobility-threat-engine", "fingerprint": "b79fd5dd5dab0a1121af4d3f4350f83649b4781e2642418dfa61edd927df42f6", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'THREE.MorphAnimMesh: animations[' + label + '] undefined in .playAnimation()'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b79fd5dd5dab0a1121af4d3f4350f83649b4781e2642418dfa61edd927df42f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/jsm/misc/MorphAnimMesh.js"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 62665, "scanner": "repobility-threat-engine", "fingerprint": "da0e2acff9191c567c52d418bdc3bb4404a29389241373971c4184d8cdcd22e6", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'number of faces expected' + facesExpected + ', but found '", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|da0e2acff9191c567c52d418bdc3bb4404a29389241373971c4184d8cdcd22e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/jsm/loaders/KTXLoader.js"}, "region": {"startLine": 149}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 62656, "scanner": "repobility-threat-engine", "fingerprint": "0694ab6c82312b7124495521f1dde5db35a0aea25dc84d404a564d6d29253596", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = m", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|50|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/jsm/capabilities/WebGPU.js"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, 
"properties": {"repobilityId": 62655, "scanner": "repobility-threat-engine", "fingerprint": "355e5e6d5612998fa7a64caa84e49773fe705c3bc2794cf09310775ea95b8e1a", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = m", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|105|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/jsm/capabilities/WebGL.js"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 62654, "scanner": "repobility-threat-engine", "fingerprint": "f8d74845e1cdf364602909348d59315e37fc76737702f8a7097072d88558526b", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = '&nbsp;' + o", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|97|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editor/js/Sidebar.Settings.History.js"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming 
collisions."}, "properties": {"repobilityId": 62675, "scanner": "repobility-threat-engine", "fingerprint": "fcb8f9c59666a00a52fafb92dc14db18d8784372b25152777f1f8f253291cf7e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fcb8f9c59666a00a52fafb92dc14db18d8784372b25152777f1f8f253291cf7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Three.Core.js"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 62674, "scanner": "repobility-threat-engine", "fingerprint": "3f8e509d14bf7930d203b9c267f4125668dc36c2a0297431a87ffed6c41e9d47", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3f8e509d14bf7930d203b9c267f4125668dc36c2a0297431a87ffed6c41e9d47"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "manual/resources/threejs-lesson-utils.js"}, "region": {"startLine": 349}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 62673, "scanner": "repobility-threat-engine", "fingerprint": "e45068ac327a81d27507cbfeec30d508cac7e481031bdd2ca3b1dde86b8ef64b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e45068ac327a81d27507cbfeec30d508cac7e481031bdd2ca3b1dde86b8ef64b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/jsm/misc/ProgressiveLightMapGPU.js"}, "region": {"startLine": 208}}}]}, {"ruleId": "SEC005", "level": "none", "message": {"text": "[SEC005] Command Injection Risk (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 62672, "scanner": "repobility-threat-engine", "fingerprint": "1ec183c5587b0294626eea573239a67d50c9c28a5ce594bf1f3d522841fe9bfb", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1ec183c5587b0294626eea573239a67d50c9c28a5ce594bf1f3d522841fe9bfb"}}}, {"ruleId": "SEC005", "level": "none", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 62671, "scanner": "repobility-threat-engine", "fingerprint": "430376af255c0cbb427cf374b582d198711f01c312520175bb4ba2498cf0bb25", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Line contains 'regex' \u2014 likely a detection rule or pattern list, not executable code", "evidence": {"match": "exec( input", "reason": "Line contains 'regex' \u2014 likely a detection rule or pattern list, not executable code", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|28|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/nodes/parsers/GLSLNodeFunction.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC005", "level": "none", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 62670, "scanner": "repobility-threat-engine", "fingerprint": "f5cbf20978c5e6ee5392b51c8f7ef20d6e07c902455704fe853228f016a02f04", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Line contains 'regex' \u2014 likely a detection rule or pattern list, not executable code", "evidence": {"match": "exec( input", "reason": "Line contains 'regex' \u2014 likely a detection rule or pattern list, not executable code", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": 
"code|injection|token|114|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/jsm/loaders/LUTCubeLoader.js"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC005", "level": "none", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 62669, "scanner": "repobility-threat-engine", "fingerprint": "63d5b51f5fa206d4845607133a49bb72747e6963e41ce0f855ecfba3579666ae", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Line contains 'regex' \u2014 likely a detection rule or pattern list, not executable code", "evidence": {"match": "exec( input", "reason": "Line contains 'regex' \u2014 likely a detection rule or pattern list, not executable code", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|113|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/jsm/loaders/LUT3dlLoader.js"}, "region": {"startLine": 113}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 62668, "scanner": "repobility-threat-engine", "fingerprint": "0a93f04a20a5455ea1d5583f76d6ecf7b16d6848f2b1fa2649ea0d3237642e97", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0a93f04a20a5455ea1d5583f76d6ecf7b16d6848f2b1fa2649ea0d3237642e97"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 62664, "scanner": "repobility-threat-engine", "fingerprint": "ab3d98a25f6bd7089b8dc925e1d806719b33e02220bd6db5da42d46eaed1438d", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error( 'THREE.BVHLoader: Expected OFFSET but got: ' + tokens[ 0 ] )", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|29|console.error three.bvhloader: expected offset but got: + tokens 0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/jsm/loaders/BVHLoader.js"}, "region": {"startLine": 295}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 62657, "scanner": "repobility-threat-engine", "fingerprint": "8ee200be9cf52fbf51817588dba3eaf54f0d07f928eb29d9f45b55c0c661c51d", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8ee200be9cf52fbf51817588dba3eaf54f0d07f928eb29d9f45b55c0c661c51d"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 62653, "scanner": "repobility-threat-engine", "fingerprint": "0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "aggregated_count": 3}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 62652, "scanner": "repobility-threat-engine", "fingerprint": "e086f7ec1df8740648cc82cb7e827e85901f6bdc0ad17da40162440983400683", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", 
"owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e086f7ec1df8740648cc82cb7e827e85901f6bdc0ad17da40162440983400683"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/jsm/inspector/ui/Graph.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 62651, "scanner": "repobility-threat-engine", "fingerprint": "96868355cd7fad4d31faf332c89bc630a39d9e27dc92c27630a5143d8f6e7d39", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|96868355cd7fad4d31faf332c89bc630a39d9e27dc92c27630a5143d8f6e7d39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/jsm/capabilities/WebGL.js"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 62650, "scanner": "repobility-threat-engine", "fingerprint": "f441c1fd82b576618cc17d9bcde4b3b06c30f95abcf485ecfc27605971839831", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": 
"Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f441c1fd82b576618cc17d9bcde4b3b06c30f95abcf485ecfc27605971839831"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editor/js/Script.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 62647, "scanner": "repobility-threat-engine", "fingerprint": "5523e60b1dc8a944defadff18fd27285ca7823b9184972b5126e133bf66244aa", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5523e60b1dc8a944defadff18fd27285ca7823b9184972b5126e133bf66244aa"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 10 more): Same pattern found in 10 additional files. 
Review if needed."}, "properties": {"repobilityId": 62643, "scanner": "repobility-threat-engine", "fingerprint": "4888a7f2d95e1334850750ba0611e2c2a23c368ce50109969c246a2c925d3677", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4888a7f2d95e1334850750ba0611e2c2a23c368ce50109969c246a2c925d3677"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 62639, "scanner": "repobility-threat-engine", "fingerprint": "6e6b1fa9aa37cd5353c53477b8935ccc1c8f42b61f420ebd0ceb44871ba243eb", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|6e6b1fa9aa37cd5353c53477b8935ccc1c8f42b61f420ebd0ceb44871ba243eb"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 66 more): Same pattern found in 66 additional files. 
Review if needed."}, "properties": {"repobilityId": 62635, "scanner": "repobility-threat-engine", "fingerprint": "50743162ae68ec504cadc8e301d04020227776683b1a5df9f482e4eafc0d70de", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 66 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|50743162ae68ec504cadc8e301d04020227776683b1a5df9f482e4eafc0d70de", "aggregated_count": 66}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 62634, "scanner": "repobility-threat-engine", "fingerprint": "7160f0113ffd6aaf7f42c1b14c6065f53639644d277bed2d87ab7df7300563d2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7160f0113ffd6aaf7f42c1b14c6065f53639644d277bed2d87ab7df7300563d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "devtools/devtools.js"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 62633, "scanner": "repobility-threat-engine", "fingerprint": "9f963fa5c75c9c8f932dd6cad7c225f72ad05fb9df0633d0aa50e000cfc34f68", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9f963fa5c75c9c8f932dd6cad7c225f72ad05fb9df0633d0aa50e000cfc34f68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "devtools/content-script.js"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 62632, "scanner": "repobility-threat-engine", "fingerprint": "04586f9b4dd2cdb72a5035c135d4ed80728d239d7a509754c041ab657c85ceb4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|04586f9b4dd2cdb72a5035c135d4ed80728d239d7a509754c041ab657c85ceb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "devtools/background.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 73 more): Same pattern found in 73 additional files. Review if needed."}, "properties": {"repobilityId": 62631, "scanner": "repobility-threat-engine", "fingerprint": "be9ad5a17445c1081d9034368d25f211638c231c48bb9ce50ebf60aef5447a7a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 73 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 73 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|be9ad5a17445c1081d9034368d25f211638c231c48bb9ce50ebf60aef5447a7a"}}}, {"ruleId": "MINED009", "level": "error", "message": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "properties": {"repobilityId": 62677, "scanner": "repobility-threat-engine", "fingerprint": "54b8c5ac768d55da36dc8f7b5c0af05356d5e2b77158d4a4e5a3e42e27c50d0d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "floats-for-money", "owasp": null, "cwe_ids": ["CWE-682"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347918+00:00", "triaged_in_corpus": 15, "observations_count": 208571, "ai_coder_pattern_id": 20}, "scanner": "repobility-threat-engine", "correlation_key": "fp|54b8c5ac768d55da36dc8f7b5c0af05356d5e2b77158d4a4e5a3e42e27c50d0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/nodes/materialx/MaterialXNodes.js"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED009", "level": "error", "message": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "properties": {"repobilityId": 62676, "scanner": "repobility-threat-engine", "fingerprint": "f586aa62e1e271dbdb056b50b45c12752d14e639b4d97a13d6d236b4cffc39ee", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "floats-for-money", "owasp": null, "cwe_ids": ["CWE-682"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347918+00:00", "triaged_in_corpus": 15, 
"observations_count": 208571, "ai_coder_pattern_id": 20}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f586aa62e1e271dbdb056b50b45c12752d14e639b4d97a13d6d236b4cffc39ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/jsm/tsl/display/CRT.js"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 62663, "scanner": "repobility-threat-engine", "fingerprint": "fcbec2854f083e9ff26508b49576178c71624b8ba8510a3c5448dedab9fa66aa", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fcbec2854f083e9ff26508b49576178c71624b8ba8510a3c5448dedab9fa66aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/loaders/FileLoader.js"}, "region": {"startLine": 242}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. 
libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 62662, "scanner": "repobility-threat-engine", "fingerprint": "558b42e18b3aa1786b13e9d6ce40d074b1a69a875a8b93eb2d58cd3de27a81f8", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|558b42e18b3aa1786b13e9d6ce40d074b1a69a875a8b93eb2d58cd3de27a81f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/jsm/loaders/KMZLoader.js"}, "region": {"startLine": 126}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 62661, "scanner": "repobility-threat-engine", "fingerprint": "53db304845e1f6ff90a263f57fe5e3044c54961f6ca2b9fc9e3384c5b1088631", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|53db304845e1f6ff90a263f57fe5e3044c54961f6ca2b9fc9e3384c5b1088631"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/jsm/loaders/AMFLoader.js"}, "region": {"startLine": 137}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates 
server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 62659, "scanner": "repobility-threat-engine", "fingerprint": "4694808b10b6e91ba12f5e57d6a751bf5c666ced2929968151ffe3c4a4b355ac", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `<tr><td style=\"display:block;width:${width}px;height:${height}px;overflow:hidden\">${st", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4694808b10b6e91ba12f5e57d6a751bf5c666ced2929968151ffe3c4a4b355ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/jsm/effects/AsciiEffect.js"}, "region": {"startLine": 298}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 62658, "scanner": "repobility-threat-engine", "fingerprint": "5e5474d3b721662b8f4bc4e111e0dc7b8b55ca204a8962a84f2482b1a77bf630", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = '&nbsp;' + o", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5e5474d3b721662b8f4bc4e111e0dc7b8b55ca204a8962a84f2482b1a77bf630"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editor/js/Sidebar.Settings.History.js"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 62646, "scanner": "repobility-threat-engine", "fingerprint": "b0d0fc7bc717bcb70106a7d7d59c378a1bceef769e72c90864010f373f86513a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec( new", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b0d0fc7bc717bcb70106a7d7d59c378a1bceef769e72c90864010f373f86513a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editor/js/Storage.js"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 62645, "scanner": "repobility-threat-engine", "fingerprint": "502a6e55e7f7860e735907ed31eaf110eecd57e485093eec8cf7f26fc0da45b0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec( shaderInfo", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|502a6e55e7f7860e735907ed31eaf110eecd57e485093eec8cf7f26fc0da45b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editor/js/Script.js"}, "region": {"startLine": 250}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 62644, "scanner": "repobility-threat-engine", "fingerprint": "8d13e77306e8d33bb6f26c7501c6c5b021fd16ae797634a60f15532bcb05e1c1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec( new", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8d13e77306e8d33bb6f26c7501c6c5b021fd16ae797634a60f15532bcb05e1c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editor/js/Config.js"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 62638, "scanner": "repobility-threat-engine", "fingerprint": "0976b50b263a8aa35dbb168e275db77d66920210379f7b106ce44f08bc16f333", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL( b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0976b50b263a8aa35dbb168e275db77d66920210379f7b106ce44f08bc16f333"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/jsm/loaders/KMZLoader.js"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 62637, "scanner": "repobility-threat-engine", "fingerprint": "0f8305ea78ba8b79de062a3d8e92c44acf1a09af41b83c022dc5b5a0196fd149", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL( e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0f8305ea78ba8b79de062a3d8e92c44acf1a09af41b83c022dc5b5a0196fd149"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/jsm/inspector/tabs/Settings.js"}, "region": {"startLine": 264}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 62636, "scanner": "repobility-threat-engine", "fingerprint": "7c03019a56ea222b82e0e37cfa5eeb5de20039b200d7f37848e05f4243d664c8", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL( w", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7c03019a56ea222b82e0e37cfa5eeb5de20039b200d7f37848e05f4243d664c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/page.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production. The evidence recorded for this result is only the call text 'this.update();'; confirm that the called method is actually async (returns a Promise) before adding await."}, "properties": {"repobilityId": 62630, "scanner": "repobility-threat-engine", "fingerprint": "aca2f25fe19319a8983c9621050a2cc1271d30eb0aae9a9f90ad9e15761f6552", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.update();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aca2f25fe19319a8983c9621050a2cc1271d30eb0aae9a9f90ad9e15761f6552"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/jsm/controls/MapControls.js"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 62629, "scanner": "repobility-threat-engine", "fingerprint": "104e49d2d3a5d4fe68bfa03f0b8207734201ae1cc6fdc27f0ef7b30b86827a81", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "lastCmd.update( cmd );", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|104e49d2d3a5d4fe68bfa03f0b8207734201ae1cc6fdc27f0ef7b30b86827a81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "editor/js/History.js"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 62628, "scanner": "repobility-threat-engine", "fingerprint": "5d5cfb21682dfcd419f02e4824469b2d6c3955af7d40714410133fb65a094cd1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "connections.delete( tabId );", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5d5cfb21682dfcd419f02e4824469b2d6c3955af7d40714410133fb65a094cd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "devtools/background.js"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) compiles a string into a function, so the string runs as code; if any part of it comes from untrusted input this is code injection (CWE-95). Check where the string is built before triage."}, "properties": {"repobilityId": 62660, "scanner": "repobility-threat-engine", "fingerprint": "9d8b26445f355969750ee332653426dd510aaaba277fb0212c6e84e10b34a2a4", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9d8b26445f355969750ee332653426dd510aaaba277fb0212c6e84e10b34a2a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/jsm/inspector/extensions/tsl-graph/TSLGraphLoader.js"}, "region": {"startLine": 93}}}]}]}]}