{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED081", "name": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr.", "shortDescription": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 1 more): Same pattern found in 1 additional files. ", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n ALLOWED = {'images.example.com', 'cdn.example.com'}\n host = urlparse(url).hostname\n if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "Binary file `.mvn/wrapper/maven-wrapper.jar` committed in source repo", "shortDescription": {"text": "Binary file `.mvn/wrapper/maven-wrapper.jar` committed in source repo"}, "fullDescription": {"text": "`.mvn/wrapper/maven-wrapper.jar` is a .jar binary (63,093 bytes) committed to a repo that otherwise has 1183 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "Workflow container/services image `foundationdb/foundationdb:7.3.62` unpinned", "shortDescription": {"text": "Workflow container/services image `foundationdb/foundationdb:7.3.62` unpinned"}, "fullDescription": {"text": "`container/services image: foundationdb/foundationdb:7.3.62` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "private-key", "name": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.", "shortDescription": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "pkcs12-file", "name": "Found a PKCS #12 file, which commonly contain bundled private keys.", "shortDescription": {"text": "Found a PKCS #12 file, which commonly contain bundled private keys."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1263"}, "properties": {"repository": "signalapp/Signal-Server", "repoUrl": "https://github.com/signalapp/Signal-Server", "branch": "main"}, "results": [{"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 128315, "scanner": "repobility-threat-engine", "fingerprint": "d9cac22bc10171b50cb1c40fbce0c3566d59711c81f7fc377b9711a4ba514630", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Unknown format: \" + format + \", must be \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d9cac22bc10171b50cb1c40fbce0c3566d59711c81f7fc377b9711a4ba514630"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/main/java/org/whispersystems/textsecuregcm/storage/KEMPreKeyPage.java"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 128314, "scanner": "repobility-threat-engine", "fingerprint": "a50e6609ad8566b214cf194db0484d08557956cdc44e8219c8860d0a85ef83e9", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\", expiration=\" + expiration +\n \", visible=\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a50e6609ad8566b214cf194db0484d08557956cdc44e8219c8860d0a85ef83e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/main/java/org/whispersystems/textsecuregcm/entities/SelfBadge.java"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 128313, "scanner": "repobility-threat-engine", "fingerprint": "7aac43d17d67f0c11b731e8108fdd32bd9c9853bce617735b58840c52d7732d7", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\", sprites6=\" + sprites6 +\n \", svg='", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7aac43d17d67f0c11b731e8108fdd32bd9c9853bce617735b58840c52d7732d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/main/java/org/whispersystems/textsecuregcm/entities/Badge.java"}, "region": {"startLine": 114}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128302, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d244b6c67e8de9852a4e1ff629329c1d63134014443ca05083e0f45dda01d32d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "service/src/main/java/org/whispersystems/textsecuregcm/grpc/MessagesAnonymousGrpcService.java", "duplicate_line": 170, "correlation_key": "fp|d244b6c67e8de9852a4e1ff629329c1d63134014443ca05083e0f45dda01d32d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/main/java/org/whispersystems/textsecuregcm/grpc/MessagesGrpcService.java"}, "region": {"startLine": 140}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128301, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4f05c3c3bc2070b3043e03ea4f08a6cbcef731cb924155cbdedb139fa86eac2e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "service/src/main/java/org/whispersystems/textsecuregcm/entities/PurchasableBadge.java", "duplicate_line": 39, "correlation_key": "fp|4f05c3c3bc2070b3043e03ea4f08a6cbcef731cb924155cbdedb139fa86eac2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/main/java/org/whispersystems/textsecuregcm/entities/SelfBadge.java"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128300, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff770d172148336ae5def2ae14014e6330e5f2848f3abc80ed01a7866143334f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "service/src/main/java/org/whispersystems/textsecuregcm/entities/ECPreKey.java", "duplicate_line": 11, "correlation_key": "fp|ff770d172148336ae5def2ae14014e6330e5f2848f3abc80ed01a7866143334f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/main/java/org/whispersystems/textsecuregcm/entities/ECSignedPreKey.java"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 128322, "scanner": "repobility-threat-engine", "fingerprint": "acb32b6d0dc2632912575d953f2e5d60dc5b8f2cdab4eea9bc115c583bf54e0e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|acb32b6d0dc2632912575d953f2e5d60dc5b8f2cdab4eea9bc115c583bf54e0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/main/java/org/whispersystems/textsecuregcm/workers/SetUserDiscoverabilityCommand.java"}, "region": {"startLine": 75}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 128318, "scanner": "repobility-threat-engine", "fingerprint": "cd4fb2e99c50182a40a5001b9a64e2cef7ae46a582a81e800390063eb3fd8f4e", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.eval\\(' detected on same line", "evidence": {"match": ".eval(", "reason": "Safe pattern '\\.eval\\(' detected on same line", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|109|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/main/java/org/whispersystems/textsecuregcm/redis/ClusterLuaScript.java"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 128316, "scanner": "repobility-threat-engine", "fingerprint": "097d27b2deaca55861bf7fc2fde9b3c1ab45a5a98b541bd572ee8991d2ed26b1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|097d27b2deaca55861bf7fc2fde9b3c1ab45a5a98b541bd572ee8991d2ed26b1"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 128312, "scanner": "repobility-threat-engine", "fingerprint": "dd5b64e6744e5f494f3eafb49441a01ab167cdd11743c3d4ade0f028db583ab9", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|dd5b64e6744e5f494f3eafb49441a01ab167cdd11743c3d4ade0f028db583ab9"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 128311, "scanner": "repobility-threat-engine", "fingerprint": "001eeb11e21e52575902176b72bf4afc2fef9e3fa1953c841c93d366c3c61806", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|36|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/main/java/org/whispersystems/textsecuregcm/metrics/UserAgentTagUtil.java"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 128310, "scanner": "repobility-threat-engine", "fingerprint": "852b47e5ed34da120733a6519cf81787dd66f486c9f7cdc334d25172bb93c751", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|58|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/main/java/org/whispersystems/textsecuregcm/metrics/CallQualitySurveyManager.java"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 128309, "scanner": "repobility-threat-engine", "fingerprint": "9923e6056c4f1c2bab467ba733f6a9afa48e85f18b39fab0ea578bf32023be07", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|156|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountControllerV2.java"}, "region": {"startLine": 156}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 128308, "scanner": "repobility-threat-engine", "fingerprint": "c0e368bb40d6cd86b04a768b7b5517910a4be05b60f7d0081cd78077881eb56b", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.warn(\"Failed to retrieve identity token\", e)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|9|logger.warn failed to retrieve identity token e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/main/java/org/whispersystems/textsecuregcm/registration/IdentityTokenCallCredentials.java"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 128320, "scanner": "repobility-threat-engine", "fingerprint": "21f416b3c91a3036454b6614eb5af0aaa4bba32b18d46d6c340cef37c719daad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "mac.update(input);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|21f416b3c91a3036454b6614eb5af0aaa4bba32b18d46d6c340cef37c719daad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/main/java/org/whispersystems/textsecuregcm/util/HmacUtils.java"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 128319, "scanner": "repobility-threat-engine", "fingerprint": "d790ad2a45131f24285b22eee46a6e07cdd60fcbd03ab5b5c80db7a9367d489c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pagedPqPreKeys.delete(identifier)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d790ad2a45131f24285b22eee46a6e07cdd60fcbd03ab5b5c80db7a9367d489c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/main/java/org/whispersystems/textsecuregcm/storage/KeysManager.java"}, "region": {"startLine": 163}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 128317, "scanner": "repobility-threat-engine", "fingerprint": "7974bc20e2300344ae7fd609cea26cbd678697c1334ba275b70945de789135db", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7974bc20e2300344ae7fd609cea26cbd678697c1334ba275b70945de789135db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/main/java/org/whispersystems/textsecuregcm/metrics/CallQualitySurveyManager.java"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 128307, "scanner": "repobility-threat-engine", "fingerprint": "bd70273d09d56289c0bdfb0a590f50a2b8a98c3f607c8c66d91f33ef07c021d0", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.debug(\"invalid site-key {}, action={}, token=}\", siteKey, action, token)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|10|logger.debug invalid site-key action token redacted sitekey action token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/main/java/org/whispersystems/textsecuregcm/captcha/CaptchaChecker.java"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `.mvn/wrapper/maven-wrapper.jar` committed in source repo"}, "properties": {"repobilityId": 128306, "scanner": "repobility-supply-chain", "fingerprint": "377e1c989fc4a0864e00d3fbcf04d6ef8622c5cfff81387bedd1ba924d3df09d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|377e1c989fc4a0864e00d3fbcf04d6ef8622c5cfff81387bedd1ba924d3df09d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".mvn/wrapper/maven-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `foundationdb/foundationdb:7.3.62` unpinned"}, "properties": {"repobilityId": 128305, "scanner": "repobility-supply-chain", "fingerprint": "0a2b291a039fec0340010a7feb9261d8f9ef7fee9355304c8cccc72b606b4853", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a2b291a039fec0340010a7feb9261d8f9ef7fee9355304c8cccc72b606b4853"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `foundationdb/foundationdb:7.3.62` unpinned"}, "properties": {"repobilityId": 128304, "scanner": "repobility-supply-chain", "fingerprint": "90323dc8e04d590e9f29d47cddd719c5b830e330d8d4989e96d4664e5dc26600", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|90323dc8e04d590e9f29d47cddd719c5b830e330d8d4989e96d4664e5dc26600"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `ubuntu:24.04` unpinned"}, "properties": {"repobilityId": 128303, "scanner": "repobility-supply-chain", "fingerprint": "acb8b52fc36cb9f3688a10c54e2c7816425102f5c3a28aa4e2f76fa909583779", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|acb8b52fc36cb9f3688a10c54e2c7816425102f5c3a28aa4e2f76fa909583779"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 128338, "scanner": "gitleaks", "fingerprint": "a05bda336856edff7682ae4581aca5bec00e736f60e719e448447516c63e3bb1", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "genericZkConfig.serverSecret: ", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|15|token : redacted", "duplicate_count": 2, "duplicate_rule_ids": ["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["0f6e1c53507ed4701a3218d01bd2c064280110e17cc42e02175e45f1b817c6d1", "3511d8430e45492fbef97eaabe608f505c809dd05b07b64ac7721ec72f23b915", "a05bda336856edff7682ae4581aca5bec00e736f60e719e448447516c63e3bb1"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/test/resources/config/test-secrets-bundle.yml"}, "region": {"startLine": 158}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 128337, "scanner": "gitleaks", "fingerprint": "c8e8f153f2fd665e89ac3738f765c0a23be5dc08993d971f549ecf782d7cf00b", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "key : REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|14|key : redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/test/resources/config/test-secrets-bundle.yml"}, "region": {"startLine": 150}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 128336, "scanner": "gitleaks", "fingerprint": "5b2596b7d821379a922f54e29b08172a3ec3c663d555f7ec80258456ff94199e", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "directoryV2.client.userIdTokenSharedSecret: ", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|5|token : redacted", "duplicate_count": 2, "duplicate_rule_ids": ["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["20da141d53d04dda63da86be54bb08346801ee9e84d52bf9d20f702b5de1602f", "5b2596b7d821379a922f54e29b08172a3ec3c663d555f7ec80258456ff94199e", "62e02bf8ea0552312b8bfcb916441b774390f132e7ee246a10b214bf1b9989e7"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/test/resources/config/test-secrets-bundle.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 128335, "scanner": "gitleaks", "fingerprint": "ca226a933c76548137941ea18d73bb735a873fd8b4507a05859f766be7074b9d", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|14|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/test/resources/config/test-secrets-bundle.yml"}, "region": {"startLine": 142}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 128334, "scanner": "gitleaks", "fingerprint": "52f63b363670c60c6541bd64f12d17b57f19bb18f09a0d4b70a209a5fcaf8661", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|10|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/test/resources/config/test-secrets-bundle.yml"}, "region": {"startLine": 107}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 128333, "scanner": "gitleaks", "fingerprint": "97577a788e25bf380503abf334f4df83ac15e986dc4639f87dc2262e38e0f7d8", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|9|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/test/resources/config/test-secrets-bundle.yml"}, "region": {"startLine": 97}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 128332, "scanner": "gitleaks", "fingerprint": "a00d4073adb83d20213ba1bdea24be2dd1528c8aae052e8c1f1d2b69c61d6155", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|6|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/test/resources/config/test-secrets-bundle.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 128331, "scanner": "gitleaks", "fingerprint": "2b758f60b3ea6d661d3423ff61fb843798e4d881257f90ba829bb4a96300b786", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|4|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/test/resources/config/test-secrets-bundle.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 128330, "scanner": "gitleaks", "fingerprint": "d06418abf8bb00054f3dcdb20513695de9300e135287688080925815ff751027", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|1|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/test/resources/config/test-secrets-bundle.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 128329, "scanner": "gitleaks", "fingerprint": "43e47c1068dcfc27ba9801b2ada9d1de3e6b9be6dd51489f15d82245845aa3ad", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "pniIdentityKey\": \"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|4|pniidentitykey : redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/test/resources/org/whispersystems/textsecuregcm/storage/AccountsManagerTest-testJsonRoundTripSerialization.json"}, "region": {"startLine": 42}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 128328, "scanner": "gitleaks", "fingerprint": "3ffdb77eeaedf82e4e368bcca36109d9c7d79f5b4f9ab574594029f96af80b6e", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "identityKey\": \"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|3|identitykey : redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/test/resources/org/whispersystems/textsecuregcm/storage/AccountsManagerTest-testJsonRoundTripSerialization.json"}, "region": {"startLine": 35}}}]}, {"ruleId": "pkcs12-file", "level": "error", "message": {"text": "Found a PKCS #12 file, which commonly contain bundled private keys."}, "properties": {"repobilityId": 128327, "scanner": "gitleaks", "fingerprint": "ec670f8fc87d99db3fbf56a36fdd3212437f633a0db77483551f2bb4553c0df4", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTEDfREDACTEDiREDACTEDlREDACTEDeREDACTED REDACTEDdREDACTEDeREDACTEDtREDACTEDeREDACTEDcREDACTEDtREDACTEDeREDACTEDdREDACTED:REDACTED REDACTED/REDACTEDtREDACTEDmREDACTEDpREDACTED/REDACTEDrREDACTEDeREDACTEDpREDACTEDoREDACTEDbREDACTEDiREDACTEDlREDACTEDiREDACTEDtREDACTEDyREDACTED-REDACTEDaREDACTEDnRED", "rule_id": "pkcs12-file", "scanner": "gitleaks", "detector": "pkcs12-file", "correlation_key": "secret|token||token token token", "duplicate_count": 1, "duplicate_rule_ids": ["pkcs12-file"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["2ba82f20cbf21285dd8dee5dbcba13c777c111b28f9b3726919cd26dab55007f", "ec670f8fc87d99db3fbf56a36fdd3212437f633a0db77483551f2bb4553c0df4"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/test/resources/org/whispersystems/textsecuregcm/grpc/net/omnibus-h2-server-test-keystore.p12"}, "region": {"startLine": 1}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 128326, "scanner": "gitleaks", "fingerprint": "5d8176f2b2073f663facbfd60fc0f8605180c81d8d67e91ecaf8c1242506048b", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "UNIDENTIFIED_ACCESS_BYTES = \"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|14|unidentified_access_bytes redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/test/java/org/whispersystems/textsecuregcm/controllers/MessageControllerTest.java"}, "region": {"startLine": 144}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 128325, "scanner": "gitleaks", "fingerprint": "0688964a369ac28c6ce1325adaf81aceadab637108cc49c5bb1de591ac0deea9", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|7|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/test/java/org/whispersystems/textsecuregcm/grpc/AttachmentsGrpcServiceTest.java"}, "region": {"startLine": 76}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 128324, "scanner": "gitleaks", "fingerprint": "b88f906a0d8674c149f0f833841e4688a212c75b2069b24ab6f9832fadc5d275", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 4 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "stripe.idempotencyKeyGenerator: REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|1|token : redacted", "duplicate_count": 4, "duplicate_rule_ids": ["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["1f2b8f503ad45507bf7aad2f87cdc1c3ea5c9bf5ed159d9711c9780a315f3b9d", "27d42e3eed0083e87b6c5546e260bfa5aca51a3879ce79ff02667155609727c1", "58ea73d6ef9413d372a9f4267a0558bac48afe5aa748fa97db8e3d0fd4043b05", "7ab97e012af24d67bb1f0dad848f7e55a59b97b219082cf8d6ab9cb80e9f1254", "b88f906a0d8674c149f0f833841e4688a212c75b2069b24ab6f9832fadc5d275"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/config/sample-secrets-bundle.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 128323, "scanner": "gitleaks", "fingerprint": "b9850791544427c24f20e7a474704f03d5840ce78be40dc67aa7ffec421f105d", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|8|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/test/java/org/whispersystems/textsecuregcm/controllers/AttachmentControllerV4Test.java"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 128321, "scanner": "repobility-threat-engine", "fingerprint": "96c6740dc6e0dcc96651c3d5a877870a77229e8e2679c6f9cca9c0dd974c7d2c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|96c6740dc6e0dcc96651c3d5a877870a77229e8e2679c6f9cca9c0dd974c7d2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/src/main/java/org/whispersystems/textsecuregcm/util/logging/LoggingUnhandledExceptionMapper.java"}, "region": {"startLine": 44}}}]}]}]}