{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 14 more): Same pattern found in 14 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 19 more): Same pattern found in 19 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Also block loopback (127/8) and the IPv6 loopback, unique-local and link-local ranges, and apply the check to the resolved IP address and to every redirect hop, not only to the hostname string."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 64 more): Same pattern found in 64 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 64 more): Same pattern found in 64 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 87 more): Same pattern found in 87 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 87 more): Same pattern found in 87 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 12 more): Same pattern found in 12 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `packages/react-router/test/base/android/gradle/wrapper/gradle-wrapper.jar` committed in source r", "shortDescription": {"text": "[MINED134] Binary file `packages/react-router/test/base/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `packages/react-router/test/base/android/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (53,636 bytes) committ"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at ", "shortDescription": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compro"}, "fullDescription": {"text": "Replace with: `uses: actions/upload-artifact@<40-char-sha>  # v7` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `mcr.microsoft.com/playwright:v1.59.1` not pinned by digest: `FROM mcr.microsoft.com/playwrig", "shortDescription": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/playwright:v1.59.1` not pinned by digest: `FROM mcr.microsoft.com/playwright:v1.59.1` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build "}, "fullDescription": {"text": "Replace with: `FROM mcr.microsoft.com/playwright:v1.59.1@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `eslint-plugin-custom-rules` pulled from URL/Git: `devDependencies.eslint-plugin-custom-rule", "shortDescription": {"text": "[MINED122] package.json dep `eslint-plugin-custom-rules` pulled from URL/Git: `devDependencies.eslint-plugin-custom-rules` = `file:custom-rules` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. 
If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. 
The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. 
In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/941"}, "properties": {"repository": "ionic-team/ionic-framework", "repoUrl": "https://github.com/ionic-team/ionic-framework", "branch": "main"}, "results": [{"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 88424, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 88423, "scanner": "repobility-docker", "fingerprint": "a0174746a2f9a3cd446dd8f8b48154691a8d21ea890f3a86d53551103eb092a0", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/playwright:v1.59.1", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a0174746a2f9a3cd446dd8f8b48154691a8d21ea890f3a86d53551103eb092a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 88378, "scanner": "repobility-threat-engine", "fingerprint": "eb9fdcca6ae266710e7a75490febd42b7624dae91ac0109af74e19fbf2eab516", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|261|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/angular/common/src/providers/platform.ts"}, "region": {"startLine": 261}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 88377, "scanner": "repobility-threat-engine", "fingerprint": "6cd2b97252249551ca7cefeba07164c0e14d884e12013f645c227a13484df135", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|95|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/datetime/utils/parse.ts"}, "region": {"startLine": 95}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88422, "scanner": "repobility-ai-code-hygiene", "fingerprint": "84131e473da23b4fb17ed55ec6f14cd7f788ec1861f491e253c1f648fc8b926d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/checkbox/checkbox.tsx", "duplicate_line": 123, "correlation_key": "fp|84131e473da23b4fb17ed55ec6f14cd7f788ec1861f491e253c1f648fc8b926d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/toggle/toggle.tsx"}, "region": {"startLine": 216}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88421, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dab5b1160c935b43d1a738be231827f24cddaf78590cb46eeb74c9db87cbb3bc", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/select/select.tsx", "duplicate_line": 108, "correlation_key": "fp|dab5b1160c935b43d1a738be231827f24cddaf78590cb46eeb74c9db87cbb3bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/toggle/toggle.tsx"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88420, "scanner": "repobility-ai-code-hygiene", "fingerprint": "88cd7f3886e39e4ebca009f08b50a2bcf793247133ea21c43ab916a08bd085d2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/picker-legacy/picker.tsx", "duplicate_line": 76, "correlation_key": "fp|88cd7f3886e39e4ebca009f08b50a2bcf793247133ea21c43ab916a08bd085d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/toast/toast.tsx"}, "region": {"startLine": 109}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88419, "scanner": "repobility-ai-code-hygiene", "fingerprint": "449b17d44f76552f18d3121d50e8267416bcf437c0b74810ff03aacc849647fe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized 
source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/action-sheet/action-sheet.tsx", "duplicate_line": 76, "correlation_key": "fp|449b17d44f76552f18d3121d50e8267416bcf437c0b74810ff03aacc849647fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/toast/toast.tsx"}, "region": {"startLine": 88}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88418, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4c760c90029b0aa7184782db0e673b60ad6120188b7ce5962ca07a9cb8b5d92d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/select/select.tsx", "duplicate_line": 523, "correlation_key": "fp|4c760c90029b0aa7184782db0e673b60ad6120188b7ce5962ca07a9cb8b5d92d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/textarea/textarea.tsx"}, "region": {"startLine": 271}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88417, "scanner": "repobility-ai-code-hygiene", "fingerprint": "69637f6e0b700b3d755709c40fd26c2746e23635f832dd54395faca88387818d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/searchbar/searchbar.tsx", "duplicate_line": 137, "correlation_key": "fp|69637f6e0b700b3d755709c40fd26c2746e23635f832dd54395faca88387818d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/textarea/textarea.tsx"}, "region": {"startLine": 190}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88416, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eebf19d0d388f6417eb27678bdd6187a0dd10017f5eaea289195deda0e85661d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/input/input.tsx", "duplicate_line": 1, "correlation_key": "fp|eebf19d0d388f6417eb27678bdd6187a0dd10017f5eaea289195deda0e85661d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/textarea/textarea.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88415, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8381db7c36e6986c6a0482c6b4d8881c25a6aaf723a6c297d9181ba312a08f84", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/badge/badge.tsx", 
"duplicate_line": 15, "correlation_key": "fp|8381db7c36e6986c6a0482c6b4d8881c25a6aaf723a6c297d9181ba312a08f84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/text/text.tsx"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88414, "scanner": "repobility-ai-code-hygiene", "fingerprint": "47baad0e87332ba4e93863a5cd224fd9c59386ff38a685f29417dd08005d1462", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/footer/footer.tsx", "duplicate_line": 29, "correlation_key": "fp|47baad0e87332ba4e93863a5cd224fd9c59386ff38a685f29417dd08005d1462"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/tab-bar/tab-bar.tsx"}, "region": {"startLine": 47}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88413, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8d4d79797fedd2422967c3008a2a3d635e55240140bb33d9fe30ab07ecf872e0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/checkbox/checkbox.tsx", "duplicate_line": 123, "correlation_key": "fp|8d4d79797fedd2422967c3008a2a3d635e55240140bb33d9fe30ab07ecf872e0"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/select/select.tsx"}, "region": {"startLine": 621}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88412, "scanner": "repobility-ai-code-hygiene", "fingerprint": "097bb4b58963bfa696c95cbfdac769e80f189605fa693ac5a20ea90d5a9992ed", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/input/input.tsx", "duplicate_line": 366, "correlation_key": "fp|097bb4b58963bfa696c95cbfdac769e80f189605fa693ac5a20ea90d5a9992ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/select/select.tsx"}, "region": {"startLine": 525}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88411, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7e5bf16d1c523c0c358409d7d193408f055d9faebd54aa03d79e915e3dffcd4e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/select-modal/select-modal.tsx", "duplicate_line": 101, "correlation_key": "fp|7e5bf16d1c523c0c358409d7d193408f055d9faebd54aa03d79e915e3dffcd4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/select-popover/select-popover.tsx"}, "region": 
{"startLine": 68}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88410, "scanner": "repobility-ai-code-hygiene", "fingerprint": "61d771981646c7fe4af36ba1578352a71780eef3e2b9a962a3020e21740b4605", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/input/input.tsx", "duplicate_line": 197, "correlation_key": "fp|61d771981646c7fe4af36ba1578352a71780eef3e2b9a962a3020e21740b4605"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/searchbar/searchbar.tsx"}, "region": {"startLine": 126}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88409, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b44ed0821ac02712af52ff93ca68b64c4dbdbbaafd5cd7ceef6238731d6b7c7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/modal/modal.tsx", "duplicate_line": 218, "correlation_key": "fp|6b44ed0821ac02712af52ff93ca68b64c4dbdbbaafd5cd7ceef6238731d6b7c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/popover/popover.tsx"}, "region": {"startLine": 149}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source 
files"}, "properties": {"repobilityId": 88408, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b5801f596d9bc147935fdfed3d3307240203851089f7727535ac6da09746f485", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/popover/animations/ios.enter.ts", "duplicate_line": 70, "correlation_key": "fp|b5801f596d9bc147935fdfed3d3307240203851089f7727535ac6da09746f485"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/popover/animations/md.enter.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88407, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bebd03510fa445cd76c8cf6fd28dac7fb125dd33718ca38c2e5ff95e02ccffec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/action-sheet/action-sheet.tsx", "duplicate_line": 74, "correlation_key": "fp|bebd03510fa445cd76c8cf6fd28dac7fb125dd33718ca38c2e5ff95e02ccffec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/picker-legacy/picker.tsx"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88406, "scanner": "repobility-ai-code-hygiene", 
"fingerprint": "b46e738aba5d639122e403bd5edc466c6f2e4279e9bcb7535ed624ff71e93be1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/alert/alert.tsx", "duplicate_line": 6, "correlation_key": "fp|b46e738aba5d639122e403bd5edc466c6f2e4279e9bcb7535ed624ff71e93be1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/picker-legacy/picker.tsx"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88405, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7acbc5485a0770bff2ec3835b9d9fdce9d6d00304edfe65810eb4e1d3f52540e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/action-sheet/animations/ios.enter.ts", "duplicate_line": 1, "correlation_key": "fp|7acbc5485a0770bff2ec3835b9d9fdce9d6d00304edfe65810eb4e1d3f52540e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/picker-legacy/animations/ios.enter.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88404, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b234dc140130c9477593e7adc76ef9a92f3246581dcb0e83d6bc3bea235fd799", "category": 
"quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/badge/badge.tsx", "duplicate_line": 15, "correlation_key": "fp|b234dc140130c9477593e7adc76ef9a92f3246581dcb0e83d6bc3bea235fd799"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/note/note.tsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88403, "scanner": "repobility-ai-code-hygiene", "fingerprint": "32bb5b3e826bc0ce84f8850fa72abbfe5ddb3b7a79a1ce51a24e04fc63a6a3aa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/action-sheet/action-sheet.tsx", "duplicate_line": 75, "correlation_key": "fp|32bb5b3e826bc0ce84f8850fa72abbfe5ddb3b7a79a1ce51a24e04fc63a6a3aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/modal/modal.tsx"}, "region": {"startLine": 112}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88402, "scanner": "repobility-ai-code-hygiene", "fingerprint": "deeb8f9e7663520857d6e4f4b6a73658869bc786af101ef59beaadd1608664cd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A 
normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/action-sheet/action-sheet.tsx", "duplicate_line": 73, "correlation_key": "fp|deeb8f9e7663520857d6e4f4b6a73658869bc786af101ef59beaadd1608664cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/loading/loading.tsx"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88401, "scanner": "repobility-ai-code-hygiene", "fingerprint": "95553788725d1e2f4d80145963fdcc3c847a7ca1eb12bca7b43df22279f1eb78", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/loading/animations/ios.leave.ts", "duplicate_line": 4, "correlation_key": "fp|95553788725d1e2f4d80145963fdcc3c847a7ca1eb12bca7b43df22279f1eb78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/loading/animations/md.leave.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88400, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b3ff6392e9782324ee03476fc88081aab9f26e359d3da1686d251e1717a0af30", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, 
"rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/loading/animations/ios.enter.ts", "duplicate_line": 4, "correlation_key": "fp|b3ff6392e9782324ee03476fc88081aab9f26e359d3da1686d251e1717a0af30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/loading/animations/md.enter.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88399, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f680b0cdf03bb07a5d7432f2287b507e674e9afb388b2f560b1422d0775f3cc4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/action-sheet/animations/md.enter.ts", "duplicate_line": 1, "correlation_key": "fp|f680b0cdf03bb07a5d7432f2287b507e674e9afb388b2f560b1422d0775f3cc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/loading/animations/md.enter.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88398, "scanner": "repobility-ai-code-hygiene", "fingerprint": "01f3fdfaa3fb7ea6093202f6da08f73c3b9d23e57b1465abb2c6b8751ef9c030", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "core/src/components/action-sheet/animations/ios.enter.ts", "duplicate_line": 1, "correlation_key": "fp|01f3fdfaa3fb7ea6093202f6da08f73c3b9d23e57b1465abb2c6b8751ef9c030"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/loading/animations/ios.enter.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88397, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aca898abe1d66bbdb2a88bbc8c0a36ca6d3660e0eb048ac6ea4df113e187b2c5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/action-sheet/animations/md.enter.ts", "duplicate_line": 1, "correlation_key": "fp|aca898abe1d66bbdb2a88bbc8c0a36ca6d3660e0eb048ac6ea4df113e187b2c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/alert/animations/md.enter.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88396, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a65cb07d1b6fc042ff0a31b25ca516bf5efb6d8813d07774667eb2040d9cafcb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"core/src/components/action-sheet/animations/ios.enter.ts", "duplicate_line": 1, "correlation_key": "fp|a65cb07d1b6fc042ff0a31b25ca516bf5efb6d8813d07774667eb2040d9cafcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/alert/animations/ios.enter.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88395, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4e66cb6bbb2b3a34eb07c194e50b938620a2863797e32b6e4bd8399ac2c59457", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/action-sheet/action-sheet.tsx", "duplicate_line": 73, "correlation_key": "fp|4e66cb6bbb2b3a34eb07c194e50b938620a2863797e32b6e4bd8399ac2c59457"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/alert/alert.tsx"}, "region": {"startLine": 71}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88394, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bd4651ebba084dde9fd2848db4cededd2832d5fb8939c4b6161405202ac9a18f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/action-sheet/animations/ios.leave.ts", "duplicate_line": 4, "correlation_key": 
"fp|bd4651ebba084dde9fd2848db4cededd2832d5fb8939c4b6161405202ac9a18f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/action-sheet/animations/md.leave.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 88393, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d709bf1efc676c9d9525e38ad2a8e9e2ca57e17f9ddc50ae254be553dfbf1d54", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/src/components/action-sheet/animations/ios.enter.ts", "duplicate_line": 4, "correlation_key": "fp|d709bf1efc676c9d9525e38ad2a8e9e2ca57e17f9ddc50ae254be553dfbf1d54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/action-sheet/animations/md.enter.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 88386, "scanner": "repobility-threat-engine", "fingerprint": "8147b8c137e5e47d1293d71b57ebe4765f3fa707ad375d348427e2a067f25103", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = h", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|10|sec006"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/react-router/src/ReactRouter/clonePageElement.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 88385, "scanner": "repobility-threat-engine", "fingerprint": "ae289d52e3aa9c476e846ca61f2dacd63d95c89dadbd82d03ea477feb079a8a6", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = u", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|34|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/utils/sanitization/index.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 88392, "scanner": "repobility-threat-engine", "fingerprint": "30b0bcadbb331d456a4c060e0783cc1194c960dc0bcd4eecde270af591ab2658", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|30b0bcadbb331d456a4c060e0783cc1194c960dc0bcd4eecde270af591ab2658", "aggregated_count": 5}}}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 88391, "scanner": "repobility-threat-engine", "fingerprint": "1e1081ab10c857869592cfb94a60695d444fed068d5e801c48d4ea318f8b7031", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1e1081ab10c857869592cfb94a60695d444fed068d5e801c48d4ea318f8b7031"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/angular/scripts/sync.sh"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 88390, "scanner": "repobility-threat-engine", "fingerprint": "698b4dcceb6bdb3916b8ddd4750a60e30c4befa9fa236ce09c5997d4e4bf9520", "category": "quality", "severity": "info", "confidence": 
1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|698b4dcceb6bdb3916b8ddd4750a60e30c4befa9fa236ce09c5997d4e4bf9520"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/angular/scripts/sync-and-pack.sh"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 88389, "scanner": "repobility-threat-engine", "fingerprint": "38c596e4d5484470978d8fc1712eb065df0a0a3bd3f7d3551ec025170b0e21ee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|38c596e4d5484470978d8fc1712eb065df0a0a3bd3f7d3551ec025170b0e21ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/angular-server/scripts/sync.sh"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 88388, "scanner": 
"repobility-threat-engine", "fingerprint": "72c200c705fd4b49f69fd79694e5c363301cb0c16d81b7097035a8b14def3021", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|72c200c705fd4b49f69fd79694e5c363301cb0c16d81b7097035a8b14def3021"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vue/scripts/build-web-types.js"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 88387, "scanner": "repobility-threat-engine", "fingerprint": "e8519487ceb201b0e4fff80fcdee944d046eb146e667254b89ebeb089bcd147c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e8519487ceb201b0e4fff80fcdee944d046eb146e667254b89ebeb089bcd147c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/stencil.config.ts"}, "region": {"startLine": 260}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 
fire-and-forget Promise (AI mistake) (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 88384, "scanner": "repobility-threat-engine", "fingerprint": "60d3535791d57daecb7571f76beae1cc0e0c1ff976eb68234272a7f7e7d25fca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|60d3535791d57daecb7571f76beae1cc0e0c1ff976eb68234272a7f7e7d25fca"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 88376, "scanner": "repobility-threat-engine", "fingerprint": "fd5263f259df18a6d881fa012e78c00f0f8814bd1b866788a5442afaae3a615d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fd5263f259df18a6d881fa012e78c00f0f8814bd1b866788a5442afaae3a615d", "aggregated_count": 19}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 88375, "scanner": "repobility-threat-engine", "fingerprint": "a11a1c46e7d8b6a6b5feffb77225fce1b6ff113c852c2e5c171252e91b5942eb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a11a1c46e7d8b6a6b5feffb77225fce1b6ff113c852c2e5c171252e91b5942eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/datetime/utils/format.ts"}, "region": {"startLine": 187}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 88374, "scanner": "repobility-threat-engine", "fingerprint": "4f34d40a5c8826b7510e77531dfb0d0621c422e9d60d8e6fd0d6980e72b3c0b4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4f34d40a5c8826b7510e77531dfb0d0621c422e9d60d8e6fd0d6980e72b3c0b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/datetime/utils/comparison.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 88373, "scanner": "repobility-threat-engine", "fingerprint": "222b82eed3c66aebc6053d8fa52e055168961b62c17872fc823b10a0e160caf1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|222b82eed3c66aebc6053d8fa52e055168961b62c17872fc823b10a0e160caf1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/col/col.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 88372, "scanner": "repobility-threat-engine", "fingerprint": "ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 64 more): Same pattern found in 64 additional files. Review if needed."}, "properties": {"repobilityId": 88368, "scanner": "repobility-threat-engine", "fingerprint": "539557baa1f393eb47468105a47d879301b75ec816c1fcfc6fa54a202429bbfb", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 64 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|539557baa1f393eb47468105a47d879301b75ec816c1fcfc6fa54a202429bbfb", "aggregated_count": 64}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 88367, "scanner": "repobility-threat-engine", "fingerprint": "e8743532a0e42b3bf8ec4fe04105ae968a9e11f67c7c11eba12234e5331b7261", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", 
"triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e8743532a0e42b3bf8ec4fe04105ae968a9e11f67c7c11eba12234e5331b7261"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/card/card.tsx"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 88366, "scanner": "repobility-threat-engine", "fingerprint": "5dad239214f7b03cf9ce311d7c38ca47aabd80a9d8921f76a5778761cf6ba0f8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5dad239214f7b03cf9ce311d7c38ca47aabd80a9d8921f76a5778761cf6ba0f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/breadcrumb/breadcrumb.tsx"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 88365, "scanner": "repobility-threat-engine", "fingerprint": "1e9a73f5228dfb09c1278b3ba0697b8ddb864d5d51b4d6322e0b064d7a831cdd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": 
["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1e9a73f5228dfb09c1278b3ba0697b8ddb864d5d51b4d6322e0b064d7a831cdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/app/app.tsx"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 87 more): Same pattern found in 87 additional files. Review if needed."}, "properties": {"repobilityId": 88364, "scanner": "repobility-threat-engine", "fingerprint": "62fb93ccdb7671099e748da64a7be28cc1d379b5a80243f33f6f94e93e7bf27e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 87 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|62fb93ccdb7671099e748da64a7be28cc1d379b5a80243f33f6f94e93e7bf27e", "aggregated_count": 87}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 88363, "scanner": "repobility-threat-engine", "fingerprint": "c6cc6e78f46523bc1f93412a0d89e3ea99164829c9459040e3d9f4502b67ea9e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c6cc6e78f46523bc1f93412a0d89e3ea99164829c9459040e3d9f4502b67ea9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/header/header.utils.ts"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 88362, "scanner": "repobility-threat-engine", "fingerprint": "778dda29420c77f431404f0ef1a238b31498bcb65f8dce894ed33fa212477c74", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|778dda29420c77f431404f0ef1a238b31498bcb65f8dce894ed33fa212477c74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/datetime/utils/parse.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 88361, "scanner": "repobility-threat-engine", "fingerprint": "0032bd6128f4fc0f3dadd036513ccbc1c90b562674759dbcf7e3b5d7ad5010fa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0032bd6128f4fc0f3dadd036513ccbc1c90b562674759dbcf7e3b5d7ad5010fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/alert/alert-interface.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 88357, "scanner": "repobility-threat-engine", "fingerprint": "0190d4d3317f3451b6ed1e876fd6829280a4bb59402f9117c5f5c5de7b266624", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0190d4d3317f3451b6ed1e876fd6829280a4bb59402f9117c5f5c5de7b266624", "aggregated_count": 12}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 88356, "scanner": "repobility-threat-engine", "fingerprint": "ee7b1b1d9fd8907263835047b3f0dd5bc9c5950056d085375a75956bf855c00c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ee7b1b1d9fd8907263835047b3f0dd5bc9c5950056d085375a75956bf855c00c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/scripts/treeshaking.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 88355, "scanner": "repobility-threat-engine", "fingerprint": "2fa24d9d7b21c78eed51d99b106037da73f9d1c4cee068936bc8c7a43f32d2e2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2fa24d9d7b21c78eed51d99b106037da73f9d1c4cee068936bc8c7a43f32d2e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/scripts/docker.mjs"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 88354, "scanner": "repobility-threat-engine", "fingerprint": "9fd5c26a4beaf1a5c3ee8f291e92f7df058d5cdc3cef558871ab4efc5941a32a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9fd5c26a4beaf1a5c3ee8f291e92f7df058d5cdc3cef558871ab4efc5941a32a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".scripts/bump-version.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `packages/react-router/test/base/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `packages/react-router/test/base/android/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (53,636 bytes) committed to a repo that otherwise has 1530 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts. A file at `gradle/wrapper/gradle-wrapper.jar` is normally the Gradle wrapper; confirm by comparing its SHA-256 with the checksum Gradle publishes for the wrapper version in use."}, "properties": {"repobilityId": 88436, "scanner": "repobility-supply-chain", "fingerprint": "98d26dbf3cb7f0ca6f4f5986dce6bf00cedd3a6602e4a7e94b51b6c4b9cd3a61", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|98d26dbf3cb7f0ca6f4f5986dce6bf00cedd3a6602e4a7e94b51b6c4b9cd3a61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-router/test/base/android/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 88435, "scanner": "repobility-supply-chain", "fingerprint": "5d8317ece6125d185f113ed18111aee1c1f80ce156786954bf1c45ceb71f8781", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5d8317ece6125d185f113ed18111aee1c1f80ce156786954bf1c45ceb71f8781"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/actions/test-core-screenshot/action.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 88434, "scanner": "repobility-supply-chain", "fingerprint": "bc8ef1c81198d58f962546acbef83b6a5653b17db0c6dadf81c859a01de4d890", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bc8ef1c81198d58f962546acbef83b6a5653b17db0c6dadf81c859a01de4d890"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/actions/download-archive/action.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 88433, "scanner": "repobility-supply-chain", "fingerprint": "a9e1ca51e711ffd4ab707252243616d60dfc5494741b58348cb3ead3c284a493", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a9e1ca51e711ffd4ab707252243616d60dfc5494741b58348cb3ead3c284a493"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/actions/update-reference-screenshots/action.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 88432, "scanner": "repobility-supply-chain", "fingerprint": "2a556ff6f3caec1240e0b44b648b1399caaf7a1d4b4bf78cb2f76d2125aa75c9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2a556ff6f3caec1240e0b44b648b1399caaf7a1d4b4bf78cb2f76d2125aa75c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/actions/build-angular/action.yml"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 88431, "scanner": "repobility-supply-chain", "fingerprint": "67e835fd45df7c26bc705ee9371516951a1b804e6857f24e35a3f56b6a69052f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|67e835fd45df7c26bc705ee9371516951a1b804e6857f24e35a3f56b6a69052f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/actions/upload-archive/action.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/labeler` pinned to mutable ref `@v6`: `uses: actions/labeler@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 88430, "scanner": "repobility-supply-chain", "fingerprint": "176e27f6c00162b19595bcb8dad30d0b4e89796cf31ddeec3a67a0df0718327e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|176e27f6c00162b19595bcb8dad30d0b4e89796cf31ddeec3a67a0df0718327e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/label.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v4`: `uses: github/codeql-action/analyze@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 88429, "scanner": "repobility-supply-chain", "fingerprint": "8d0ecec5f3659a82ba78938e492e8766441fab45463fca0868d06f85c8959ef0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8d0ecec5f3659a82ba78938e492e8766441fab45463fca0868d06f85c8959ef0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v4`: `uses: github/codeql-action/init@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 88428, "scanner": "repobility-supply-chain", "fingerprint": "579392a440b10ee564efcdbf1c0b53ea2cf886251348bfac976b00ed59e4b628", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|579392a440b10ee564efcdbf1c0b53ea2cf886251348bfac976b00ed59e4b628"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `amannn/action-semantic-pull-request` pinned to mutable ref `@v6`: `uses: amannn/action-semantic-pull-request@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 88427, "scanner": "repobility-supply-chain", "fingerprint": "8ec64e650f25a7654565c1f78f03b9df9ca84e96015b7c5d30bef4c71a0c20ab", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8ec64e650f25a7654565c1f78f03b9df9ca84e96015b7c5d30bef4c71a0c20ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/conventional-commit.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/playwright:v1.59.1` not pinned by digest: `FROM mcr.microsoft.com/playwright:v1.59.1` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 88426, "scanner": "repobility-supply-chain", "fingerprint": "01823a53664f8e2aa8b0289822f518a2e51fb67b6b012bc2b3c3ab045f3d8c6b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|01823a53664f8e2aa8b0289822f518a2e51fb67b6b012bc2b3c3ab045f3d8c6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `eslint-plugin-custom-rules` pulled from URL/Git: `devDependencies.eslint-plugin-custom-rules` = `file:custom-rules` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload; for a `file:` specifier such as the one reported here, the source is a local path, so the exposure is the contents of that directory rather than a remote host."}, "properties": {"repobilityId": 88425, "scanner": "repobility-supply-chain", "fingerprint": "c2291db51dc3958d35f3b02d08f2ade3f4cedf1862ac0f0b3219cf513fc916eb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c2291db51dc3958d35f3b02d08f2ade3f4cedf1862ac0f0b3219cf513fc916eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 88383, "scanner": "repobility-threat-engine", "fingerprint": "e79113953cbc3f9aa89a71e4d5f94f2444ecf6109db1c642525d2a8fa5bedd64", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.gesture.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e79113953cbc3f9aa89a71e4d5f94f2444ecf6109db1c642525d2a8fa5bedd64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/router-outlet/router-outlet.tsx"}, "region": {"startLine": 133}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 88382, "scanner": "repobility-threat-engine", "fingerprint": "764ed577d77b9e0cf4728da0615803552823d6bd1e6fd31032ed7eb2b7bb93ca", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.gesture.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|764ed577d77b9e0cf4728da0615803552823d6bd1e6fd31032ed7eb2b7bb93ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/reorder-group/reorder-group.tsx"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 88381, "scanner": "repobility-threat-engine", "fingerprint": "633a79d1601927564b0306ba872e7e3eb438178edcf123d783888108f6068625", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "keyboardCtrl.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|633a79d1601927564b0306ba872e7e3eb438178edcf123d783888108f6068625"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/footer/footer.tsx"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0). The recorded match is only the call text `exec(url`; confirm the callee is child_process.exec rather than RegExp.prototype.exec before treating this as command injection."}, "properties": {"repobilityId": 88380, "scanner": "repobility-threat-engine", "fingerprint": "d57d556e83a9c2bd03284246cb9add139ba78d9defe138a8715443d0b2e0b3d5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d57d556e83a9c2bd03284246cb9add139ba78d9defe138a8715443d0b2e0b3d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/angular/common/src/providers/platform.ts"}, "region": {"startLine": 261}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0). The recorded match is only the call text `exec(val`; confirm the callee is child_process.exec rather than RegExp.prototype.exec before treating this as command injection."}, "properties": {"repobilityId": 88379, "scanner": "repobility-threat-engine", "fingerprint": "3afb38ac104ff7781aef0f1631d994e7d19c67b2bdc98ba395d88f457fb3ea05", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(val", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3afb38ac104ff7781aef0f1631d994e7d19c67b2bdc98ba395d88f457fb3ea05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/datetime/utils/parse.ts"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 88371, "scanner": "repobility-threat-engine", "fingerprint": "902a90c60e3a14e5e22b5b5f2d8186df7f5a7216353058d8e8d647dcf09d77bd", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(h", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|902a90c60e3a14e5e22b5b5f2d8186df7f5a7216353058d8e8d647dcf09d77bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/card/card.tsx"}, "region": {"startLine": 123}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 88370, "scanner": "repobility-threat-engine", "fingerprint": "51dad6f9fe2878834da7c3a9843616095fbac57a553e51e91627dec5d6af744a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(h", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|51dad6f9fe2878834da7c3a9843616095fbac57a553e51e91627dec5d6af744a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/breadcrumb/breadcrumb.tsx"}, "region": {"startLine": 188}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 88369, "scanner": "repobility-threat-engine", "fingerprint": "f806eb4d7fbeb39a84e5ddf117b8b5206a1d659343dc3c9921eb8bf07ac62a37", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f806eb4d7fbeb39a84e5ddf117b8b5206a1d659343dc3c9921eb8bf07ac62a37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/back-button/back-button.tsx"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 88360, "scanner": "repobility-threat-engine", "fingerprint": "654daa47ef8ed00d5935e2d9bd9f2dd5d50e22b5573a815474d0e7209152bea4", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((key) => `:${key}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|654daa47ef8ed00d5935e2d9bd9f2dd5d50e22b5573a815474d0e7209152bea4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/router/utils/matching.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 88359, "scanner": "repobility-threat-engine", "fingerprint": "0706e74125b4eb67d8ecd3b24958404a6d6af5ad23c40aba6cddaf6832242d53", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((v) => `'${v}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0706e74125b4eb67d8ecd3b24958404a6d6af5ad23c40aba6cddaf6832242d53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/src/components/accordion-group/accordion-group.tsx"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 88358, "scanner": "repobility-threat-engine", "fingerprint": "ec9f55341570f59bcbe129bcaaeaf14360eb7b330310c4ca8018eae710cf6791", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.resolve(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|core/scripts/treeshaking.js|62|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/scripts/treeshaking.js"}, "region": {"startLine": 62}}}]}]}]}