{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC127", "name": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedEr", "shortDescription": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or "}, "fullDescription": {"text": "Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `after_scenario` has cognitive complexity 16 (SonarSource scale). Cognitiv", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `after_scenario` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursio"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 16."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `lgtm` image uses the latest tag", "shortDescription": {"text": "Compose service `lgtm` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR013", "name": "Dockerfile ADD downloads remote content", "shortDescription": {"text": "Dockerfile ADD downloads remote content"}, "fullDescription": {"text": "Use curl/wget with a pinned URL, verify checksum or signature, and prefer COPY for local files."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `packages/java/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `packages/java/gradle", "shortDescription": {"text": "[MINED134] Binary file `packages/java/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `packages/java/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,966 bytes) committed to a repo that otherwise has 334 source files. Tr"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at wo", "shortDescription": {"text": "[MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromi"}, "fullDescription": {"text": "Replace with: `uses: mxschmitt/action-tmate@<40-char-sha>  # v3` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `alumnium` pulled from URL/Git: `dependencies.alumnium` = `file:../../../dist/npm-alumnium` ", "shortDescription": {"text": "[MINED122] package.json dep `alumnium` pulled from URL/Git: `dependencies.alumnium` = `file:../../../dist/npm-alumnium` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is c"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED119", "name": "[MINED119] Dockerfile `ADD https://github.com/krallin/tini/releases/download/v0.19.0/tini-${TARGETARCH}`: Dockerfile `AD", "shortDescription": {"text": "[MINED119] Dockerfile `ADD https://github.com/krallin/tini/releases/download/v0.19.0/tini-${TARGETARCH}`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. If the host or DNS is compromised between l"}, "fullDescription": {"text": "Download the file in CI with a known checksum, vendor it into the repo, and COPY it during the build. Or use `RUN curl -sSL URL | sha256sum -c <(echo '<expected> -')` to verify."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Produc"}, "fullDescription": {"text": "Replace with: `FROM debian:bookworm-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self._get_frame_chain` used but never assigned in __init__: Method `accessibility_tree` of class `SeleniumDr", "shortDescription": {"text": "[MINED108] `self._get_frame_chain` used but never assigned in __init__: Method `accessibility_tree` of class `SeleniumDriver` reads `self._get_frame_chain`, but no assignment to it exists in __init__ (and no class-level fallback). This rais"}, "fullDescription": {"text": "Initialize `self._get_frame_chain = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_cross_origin_iframe: Test function `test_cross_origin_iframe` runs code but conta", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_cross_origin_iframe: Test function `test_cross_origin_iframe` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC024", "name": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default.", "shortDescription": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of servic"}, "fullDescription": {"text": "Disable DTDs and external entities before parsing:\n  factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n  factory.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n  factory.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n  factory.setXIncludeAware(false);\nOr set FEATURE_SECURE_PROCESSING on the factory."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/225"}, "properties": {"repository": "alumnium-hq/alumnium", "repoUrl": "https://github.com/alumnium-hq/alumnium", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 46586, "scanner": "repobility-ast-engine", "fingerprint": "6b10f80331a8d0ce44405e73afccb4b5b6c4fa3f2b19c8e0bcabeccaf9c93e98", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6b10f80331a8d0ce44405e73afccb4b5b6c4fa3f2b19c8e0bcabeccaf9c93e98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py"}, "region": {"startLine": 178}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 46564, "scanner": "repobility-threat-engine", "fingerprint": "8e4926a36336c8d74796174b98a4c305b5724b1cb7a1693741fc7fe363b196c1", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|127|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/server/cache/ElementsCache/ElementsCacheMask.ts"}, "region": {"startLine": 127}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 46538, "scanner": "repobility-threat-engine", "fingerprint": "48d70366c87b425a939939ffb40c38c9f289d9e44fb0f32c561b8fb08ee55d75", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def drag_slider(self, id: int, value: float) -> None:\n        raise NotImplementedError", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|48d70366c87b425a939939ffb40c38c9f289d9e44fb0f32c561b8fb08ee55d75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/drivers/appium_driver.py"}, "region": {"startLine": 64}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `after_scenario` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=2, else=1, for=1, if=5, nested_bonus=7."}, "properties": {"repobilityId": 46530, "scanner": "repobility-threat-engine", "fingerprint": "fcb0418dc4f9b8f032d4432f870a8c4cbd5523b409615bbc8af7ffd2fe543b1e", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 16 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "after_scenario", "breakdown": {"if": 5, "for": 1, "elif": 2, "else": 1, "nested_bonus": 7}, "complexity": 16, "correlation_key": "fp|fcb0418dc4f9b8f032d4432f870a8c4cbd5523b409615bbc8af7ffd2fe543b1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/examples/behave/features/environment.py"}, "region": {"startLine": 235}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `lgtm` image uses the latest tag"}, "properties": {"repobilityId": 7223, "scanner": "repobility-docker", "fingerprint": "5ea1e7b7b203c07c62f2d106cc5bba9284778684aaf5300305f08f0b56aa9a27", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "grafana/otel-lgtm:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5ea1e7b7b203c07c62f2d106cc5bba9284778684aaf5300305f08f0b56aa9a27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "telemetry/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 7221, "scanner": "repobility-docker", "fingerprint": "bbddb30f89178c7f394f661014c4463818fa0d7143e3346dcf37c2b53e571e10", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:bookworm-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bbddb30f89178c7f394f661014c4463818fa0d7143e3346dcf37c2b53e571e10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 7220, "scanner": "repobility-docker", "fingerprint": "02edf5986a7e2510b4c84661aee1cf4f74f61a99ce2de6908b91b5e75a27ef9f", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|02edf5986a7e2510b4c84661aee1cf4f74f61a99ce2de6908b91b5e75a27ef9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 7219, "scanner": "repobility-threat-engine", "fingerprint": "800439bf359e684cebc1fafaf8d85a037d6568f0ed8e1543c2c19e46c0a574a6", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n                            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|800439bf359e684cebc1fafaf8d85a037d6568f0ed8e1543c2c19e46c0a574a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/drivers/playwright_async_driver.py"}, "region": {"startLine": 599}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 7218, "scanner": "repobility-threat-engine", "fingerprint": "862eb6267913922c70d82eee98bfb54401cfceb4f442d9ca8d98d042a56e9cb8", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n                            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|862eb6267913922c70d82eee98bfb54401cfceb4f442d9ca8d98d042a56e9cb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/drivers/playwright_driver.py"}, "region": {"startLine": 544}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 7216, "scanner": "repobility-threat-engine", "fingerprint": "b10b7bfbd57922e61b0345e40523ade403e424308ad8c441c7e6a2f7fcd86bec", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b10b7bfbd57922e61b0345e40523ade403e424308ad8c441c7e6a2f7fcd86bec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/server/ServerCommand.ts"}, "region": {"startLine": 281}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 7213, "scanner": "repobility-agent-runtime", "fingerprint": "c9daf39822d8b531a3e2c9df1e2f2f855c4a14ce1c77a105e1759e04e8468f91", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|c9daf39822d8b531a3e2c9df1e2f2f855c4a14ce1c77a105e1759e04e8468f91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "websites/docs/src/content/blog/2026-05-13-release-0.20.0.md"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7207, "scanner": "repobility-ai-code-hygiene", "fingerprint": "81ddbfa13450099344dd1ab472f6d125a6378c977f5777423db2f3e196ce831f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/typescript/src/drivers/PlaywrightDriver.ts", "duplicate_line": 469, "correlation_key": "fp|81ddbfa13450099344dd1ab472f6d125a6378c977f5777423db2f3e196ce831f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/drivers/SeleniumDriver.ts"}, "region": {"startLine": 137}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7204, "scanner": "repobility-ai-code-hygiene", "fingerprint": "60d0ed3b52a056b804be1bced09413df16b3237482e0e5ed1f86330848b0b7a9", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/python/src/alumnium/drivers/playwright_async_driver.py", "duplicate_line": 362, "correlation_key": "fp|60d0ed3b52a056b804be1bced09413df16b3237482e0e5ed1f86330848b0b7a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/drivers/selenium_driver.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7203, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f3194440a1d81a48bbf5ca7b86170bf6772a020ec3f4269fc0481591d30364eb", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/python/src/alumnium/drivers/playwright_driver.py", "duplicate_line": 316, "correlation_key": "fp|f3194440a1d81a48bbf5ca7b86170bf6772a020ec3f4269fc0481591d30364eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/drivers/selenium_driver.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7202, "scanner": "repobility-ai-code-hygiene", "fingerprint": "95d4e60b1833e34cd6077a3710512f5868346160ddc9b0797884131b1d59a277", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/python/src/alumnium/drivers/playwright_async_driver.py", "duplicate_line": 71, "correlation_key": "fp|95d4e60b1833e34cd6077a3710512f5868346160ddc9b0797884131b1d59a277"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/drivers/playwright_driver.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46571, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fa2f76e7cdd144e7e86cdc40a5b11a03d33f4f176b86a8b1ee8f8e41aa330847", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/python/src/alumnium/drivers/playwright_async_driver.py", "duplicate_line": 60, "correlation_key": "fp|fa2f76e7cdd144e7e86cdc40a5b11a03d33f4f176b86a8b1ee8f8e41aa330847"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/drivers/playwright_driver.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46570, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b79d40cb9d0e0ccdf6d310858329f8395c504b0697c863f0a2945490f64a9e17", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/java/src/main/java/ai/alumnium/driver/AppiumDriver.java", "duplicate_line": 95, "correlation_key": "fp|b79d40cb9d0e0ccdf6d310858329f8395c504b0697c863f0a2945490f64a9e17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/java/src/main/java/ai/alumnium/driver/SeleniumDriver.java"}, "region": {"startLine": 144}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46569, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5462c05faf4deac9414e5ffc844850b08e1d1d3b441e52a9b7e6ebf092bda66a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/java/src/main/java/ai/alumnium/driver/PlaywrightDriver.java", "duplicate_line": 58, "correlation_key": "fp|5462c05faf4deac9414e5ffc844850b08e1d1d3b441e52a9b7e6ebf092bda66a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/java/src/main/java/ai/alumnium/driver/SeleniumDriver.java"}, "region": {"startLine": 54}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46568, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4409264910fd548705a0a5b7ee1095a256ad497904237ece8775d001ada474d1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/java/src/main/java/ai/alumnium/accessibility/UIAutomator2AccessibilityTree.java", "duplicate_line": 27, "correlation_key": "fp|4409264910fd548705a0a5b7ee1095a256ad497904237ece8775d001ada474d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/java/src/main/java/ai/alumnium/accessibility/XCUITestAccessibilityTree.java"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46567, "scanner": "repobility-ai-code-hygiene", "fingerprint": "653cdf366ee6521dc671459488fe748b4ddca56cb734d686854af30ac818614c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/java/src/main/java/ai/alumnium/Alumni.java", "duplicate_line": 104, "correlation_key": "fp|653cdf366ee6521dc671459488fe748b4ddca56cb734d686854af30ac818614c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/java/src/main/java/ai/alumnium/Area.java"}, "region": {"startLine": 96}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `driver` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=3, else=3, if=3, nested_bonus=2."}, "properties": {"repobilityId": 46531, "scanner": "repobility-threat-engine", "fingerprint": "f88494369b9791471c44593c84881388a48c869330d148d4b6424cf38b504781", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 11 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "driver", "breakdown": {"if": 3, "elif": 3, "else": 3, "nested_bonus": 2}, "complexity": 11, "correlation_key": "fp|f88494369b9791471c44593c84881388a48c869330d148d4b6424cf38b504781"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/examples/behave/features/environment.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 46520, "scanner": "repobility-threat-engine", "fingerprint": "7a4632df306c22b6211ffc4feb43be5ae4f37dfaee38db75361ff5ee48cd2e48", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"No element with raw_id=\" + rawId + \" found\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7a4632df306c22b6211ffc4feb43be5ae4f37dfaee38db75361ff5ee48cd2e48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/java/src/main/java/ai/alumnium/accessibility/XCUITestAccessibilityTree.java"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 46519, "scanner": "repobility-threat-engine", "fingerprint": "d1cb5587b61a453ae708aa589f80248bc92f929bd90cd2a49ca5add13008e009", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"No element with raw_id=\" + rawId + \" found\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d1cb5587b61a453ae708aa589f80248bc92f929bd90cd2a49ca5add13008e009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/java/src/main/java/ai/alumnium/accessibility/UIAutomator2AccessibilityTree.java"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 46518, "scanner": "repobility-threat-engine", "fingerprint": "3f6ad96f0c4947e99a5a76ef7d9500351fc4600d2cb4490f53046f614dfe9fff", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"No element with raw_id=\" + rawId + \" found\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3f6ad96f0c4947e99a5a76ef7d9500351fc4600d2cb4490f53046f614dfe9fff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/java/src/main/java/ai/alumnium/accessibility/ChromiumAccessibilityTree.java"}, "region": {"startLine": 183}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 7225, "scanner": "repobility-docker", "fingerprint": "876d626a2053ed7f7a6318e81f165caf65fa9913e445df0358c7a95dd7512110", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "lgtm", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|876d626a2053ed7f7a6318e81f165caf65fa9913e445df0358c7a95dd7512110"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "telemetry/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 7224, "scanner": "repobility-docker", "fingerprint": "08247e79b5e8f7e2418f8142b96a65a141c99154412fcd4afaf43718a88effe9", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "lgtm", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|08247e79b5e8f7e2418f8142b96a65a141c99154412fcd4afaf43718a88effe9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "telemetry/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 7222, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7212, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7fe6fa9719879f24f1994f2e75f4ff9df73ade20fcaef8538114f2b6d5ba21f2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/typescript/src/tools/ClickTool.ts", "duplicate_line": 6, "correlation_key": "fp|7fe6fa9719879f24f1994f2e75f4ff9df73ade20fcaef8538114f2b6d5ba21f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/tools/ScrollTool.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7211, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2a5d180ff9f203e455045f494be81fcd91b818c0446785ee46f202f5127d0ad5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/typescript/src/tools/ClickTool.ts", "duplicate_line": 6, "correlation_key": "fp|2a5d180ff9f203e455045f494be81fcd91b818c0446785ee46f202f5127d0ad5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/tools/HoverTool.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7210, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7d4207e9de337001ae2dce74c3e382e53844965dabd496fd7b25e8a953b47e7e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/typescript/src/server/cache/ElementsCache/ElementsCache.ts", "duplicate_line": 222, "correlation_key": "fp|7d4207e9de337001ae2dce74c3e382e53844965dabd496fd7b25e8a953b47e7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/server/cache/ResponseCache.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7209, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b68f0a39d641e823bb1f3d5df491b62a9a093f49035a0225d598390c8629e8bd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/typescript/src/server/agents/AreaAgent.ts", "duplicate_line": 58, "correlation_key": "fp|b68f0a39d641e823bb1f3d5df491b62a9a093f49035a0225d598390c8629e8bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/server/agents/LocatorAgent.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7208, "scanner": "repobility-ai-code-hygiene", "fingerprint": "35206526317eae43028d9d9ad2f26d829184ad397283a8c7dde50bbce92e14cd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/python/src/alumnium/drivers/scripts/waiter.js", "duplicate_line": 1, "correlation_key": "fp|35206526317eae43028d9d9ad2f26d829184ad397283a8c7dde50bbce92e14cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/drivers/scripts/waiter.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7206, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ddfd46e61518c27961be691fafb63068cc89efc8d3c42dab4ad42308d5ff898a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/typescript/src/client/Alumni.ts", "duplicate_line": 146, "correlation_key": "fp|ddfd46e61518c27961be691fafb63068cc89efc8d3c42dab4ad42308d5ff898a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/client/Area.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7205, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e45fd8cda4fa95069dd7a7ba8e51d1ed19e09fd27b182d1b8ad85a1f8124708a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/typescript/src/accessibility/ChromiumAccessibilityTree.ts", "duplicate_line": 175, "correlation_key": "fp|e45fd8cda4fa95069dd7a7ba8e51d1ed19e09fd27b182d1b8ad85a1f8124708a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/accessibility/XCUITestAccessibilityTree.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7201, "scanner": "repobility-ai-code-hygiene", "fingerprint": "28f1b6c1bf01a2008563b3833d1b06e459bcb61e9691cafc3692f08fbb4105cf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/python/src/alumnium/accessibility/uiautomator2_accessibility_tree.py", "duplicate_line": 14, "correlation_key": "fp|28f1b6c1bf01a2008563b3833d1b06e459bcb61e9691cafc3692f08fbb4105cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/accessibility/xcuitest_accessibility_tree.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 46566, "scanner": "repobility-threat-engine", "fingerprint": "346040b6745b95b4ac4230011f95ce736cca7b2745d04c478a20448e1f99296d", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|171|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/server/session/Session.ts"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 46557, "scanner": "repobility-threat-engine", "fingerprint": "dc495931fe10ccd594ead31c7c77f06bc2fd305548c052c38b6f9feadb646876", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|dc495931fe10ccd594ead31c7c77f06bc2fd305548c052c38b6f9feadb646876", "aggregated_count": 4}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 46556, "scanner": "repobility-threat-engine", "fingerprint": "84cd8e0eb2e1adad1d1705bacc64fd7b20ade2f7cf1e8c21261c43aa39c849fa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|84cd8e0eb2e1adad1d1705bacc64fd7b20ade2f7cf1e8c21261c43aa39c849fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/server/ServerTelemetry.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 46555, "scanner": "repobility-threat-engine", "fingerprint": "0f12a6fb6ce56b4bb1372988fac5d54eb4ec65846cb1815183b1ce18b434939b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0f12a6fb6ce56b4bb1372988fac5d54eb4ec65846cb1815183b1ce18b434939b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/mcp/McpServer.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 46554, "scanner": "repobility-threat-engine", "fingerprint": "4aa282f25a7b18b6d57d838c42bcdd264b16561d983ba99efaef128a638143c0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4aa282f25a7b18b6d57d838c42bcdd264b16561d983ba99efaef128a638143c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/client/Alumni.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 46553, "scanner": "repobility-threat-engine", "fingerprint": "9538f1e64abc06611cb760d4cf74131bb8d1179208b0f6494ae6336a088ba74b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9538f1e64abc06611cb760d4cf74131bb8d1179208b0f6494ae6336a088ba74b", "aggregated_count": 2}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 46552, "scanner": "repobility-threat-engine", "fingerprint": "e9ac53db33e34446ca9af8eddbc7c2b3e69fefa0330dc911f36ceec730c269db", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e9ac53db33e34446ca9af8eddbc7c2b3e69fefa0330dc911f36ceec730c269db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/mcp/McpServer.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 46551, "scanner": "repobility-threat-engine", "fingerprint": "6c70bebfa73fae38d50c6e8c0fef78d54c51c61d6d1250c3998a367176d2b9eb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6c70bebfa73fae38d50c6e8c0fef78d54c51c61d6d1250c3998a367176d2b9eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/client/Alumni.ts"}, "region": {"startLine": 247}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 46550, "scanner": "repobility-threat-engine", "fingerprint": "f3d29dbfc7ff851e25a9a7f935d08379de8f1b865880450ebf5eb152bab7bf8e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f3d29dbfc7ff851e25a9a7f935d08379de8f1b865880450ebf5eb152bab7bf8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/Xml.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 46549, "scanner": "repobility-threat-engine", "fingerprint": "a9290e9308832db1b29e6bdd660fce33b2dfaab9a936cf53d01913e8456ee998", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a9290e9308832db1b29e6bdd660fce33b2dfaab9a936cf53d01913e8456ee998", "aggregated_count": 4}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 46548, "scanner": "repobility-threat-engine", "fingerprint": "0c0f13ceaa649b2180246c58efcc71a58ba660f7ff525ac250293de9d3566e53", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0c0f13ceaa649b2180246c58efcc71a58ba660f7ff525ac250293de9d3566e53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/mcp/tools/checkMcpTool.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 46547, "scanner": "repobility-threat-engine", "fingerprint": "623ed7973691420b72dc1ee6d75bfefbe36d0242faa66468573834af63d1332e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|623ed7973691420b72dc1ee6d75bfefbe36d0242faa66468573834af63d1332e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/cli/CliCommand.ts"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 46546, "scanner": "repobility-threat-engine", "fingerprint": "f1750d9c743c6f333dba2b975a498b36aeeceaa27032922e1cefd979ae945ddf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f1750d9c743c6f333dba2b975a498b36aeeceaa27032922e1cefd979ae945ddf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/Env.ts"}, "region": {"startLine": 309}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 46545, "scanner": "repobility-threat-engine", "fingerprint": "d5b4030d7b09d6b65a804b125d101d73e765583b6adbc4edb9bf8138ce228468", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d5b4030d7b09d6b65a804b125d101d73e765583b6adbc4edb9bf8138ce228468"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/result.py"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 46544, "scanner": "repobility-threat-engine", "fingerprint": "67a27f5cf85eac044eca73e20fc23fb9d6a1a9f74728d143ec989b8f7cbb925d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|67a27f5cf85eac044eca73e20fc23fb9d6a1a9f74728d143ec989b8f7cbb925d", "aggregated_count": 4}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 46543, "scanner": "repobility-threat-engine", "fingerprint": "a43603a317837244648fd99bf0ee93f00fb232bbe73ec8d8d64b418d9d6359a3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a43603a317837244648fd99bf0ee93f00fb232bbe73ec8d8d64b418d9d6359a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/cli/CliCommand.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 46542, "scanner": "repobility-threat-engine", "fingerprint": "0d15f91c30a7fda3ce955a2b5922f5d491f0a533dc20f1f9c3256545d4fc20fb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0d15f91c30a7fda3ce955a2b5922f5d491f0a533dc20f1f9c3256545d4fc20fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/Env.ts"}, "region": {"startLine": 319}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 46541, "scanner": "repobility-threat-engine", "fingerprint": "436ffb30ea9ac110382154141ccfc90107f3b0ecc9a507f8b94bc1a6704e94f9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|436ffb30ea9ac110382154141ccfc90107f3b0ecc9a507f8b94bc1a6704e94f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/drivers/scripts/waiter.js"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 46537, "scanner": "repobility-threat-engine", "fingerprint": "4a4f0807e4b2a602904c2c23d95abb6f9e09448ebf29c9e0a18b9da6a89476f2", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4a4f0807e4b2a602904c2c23d95abb6f9e09448ebf29c9e0a18b9da6a89476f2"}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 46533, "scanner": "repobility-threat-engine", "fingerprint": "ae057f38a82b4ab40df0f4aaddc1a0bad56cc3e35c9a31fbdc7db8da14fe6f6c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "after_scenario", "breakdown": {"if": 5, "for": 1, "elif": 2, "else": 1, "nested_bonus": 7}, "aggregated": true, "complexity": 16, "correlation_key": "fp|ae057f38a82b4ab40df0f4aaddc1a0bad56cc3e35c9a31fbdc7db8da14fe6f6c", "aggregated_count": 7}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 46529, "scanner": "repobility-threat-engine", "fingerprint": "a28cbeac28128be054c3f8e1a83589ca9ebddaa29ed78b582b0c2183d021e21c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a28cbeac28128be054c3f8e1a83589ca9ebddaa29ed78b582b0c2183d021e21c", "aggregated_count": 4}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 46528, "scanner": "repobility-threat-engine", "fingerprint": "6273e1f903761e5042cb6a66f542eff44e72430be2d8255a67ae01fa995b0216", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6273e1f903761e5042cb6a66f542eff44e72430be2d8255a67ae01fa995b0216"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/alumni.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 46527, "scanner": "repobility-threat-engine", "fingerprint": "457dbde58520b864bf6308b7aa4e8d303a8e2781774552c3a5409ef2ed0f2f64", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|457dbde58520b864bf6308b7aa4e8d303a8e2781774552c3a5409ef2ed0f2f64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/accessibility/base_accessibility_tree.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 46526, "scanner": "repobility-threat-engine", "fingerprint": "c2e2703a828ebf36fb3ab434c2fef7a357e37b5347b1498a048918262391378d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c2e2703a828ebf36fb3ab434c2fef7a357e37b5347b1498a048918262391378d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/examples/behave/features/environment.py"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 46525, "scanner": "repobility-threat-engine", "fingerprint": "62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "aggregated_count": 2}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 46524, "scanner": "repobility-threat-engine", "fingerprint": "124e7d5631ca768cdb3d1cb99bc92b5f0e37ab95a83f4c978e52a6768b7c853b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|124e7d5631ca768cdb3d1cb99bc92b5f0e37ab95a83f4c978e52a6768b7c853b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/server/ServerCommand.ts"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 46523, "scanner": "repobility-threat-engine", "fingerprint": "7ac8c6e40f4dffdf5e694f73de531f63ac6742ea8364e8faeaf92e7b480ca4a4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7ac8c6e40f4dffdf5e694f73de531f63ac6742ea8364e8faeaf92e7b480ca4a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/clients/http_client.py"}, "region": {"startLine": 245}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 46522, "scanner": "repobility-threat-engine", "fingerprint": "0176dc19a1b5ab421bbf270c2269ed85407c2b28f2361e2901344ac61edf7c3b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0176dc19a1b5ab421bbf270c2269ed85407c2b28f2361e2901344ac61edf7c3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/java/src/main/java/ai/alumnium/accessibility/ChromiumAccessibilityTree.java"}, "region": {"startLine": 257}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 46521, "scanner": "repobility-threat-engine", "fingerprint": "802362717bb8b9596309b60635fbb04d345013c3d2defa44f95ace1b246cb77c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|802362717bb8b9596309b60635fbb04d345013c3d2defa44f95ace1b246cb77c"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 7215, "scanner": "repobility-threat-engine", "fingerprint": "368b2e80e572a8a41b314cf59d253b69a7545dc31705ea4358a55fbc1e06f407", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.info(`Driver ${id}: Token stats saved to ${statsPath}`)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|11|logger.info driver id : token stats saved to statspath"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/mcp/McpState.ts"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `packages/java/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `packages/java/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,966 bytes) committed to a repo that otherwise has 334 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 46632, "scanner": "repobility-supply-chain", "fingerprint": "63d94fe274b336000211a1be1346d00bdf95c6550df2b228139fcfe7be1fbafe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|63d94fe274b336000211a1be1346d00bdf95c6550df2b228139fcfe7be1fbafe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/java/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46631, "scanner": "repobility-supply-chain", "fingerprint": "127be4032382c872b025a7201d864af1c2697bbd7580ef907d9c985dca8ff85e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|127be4032382c872b025a7201d864af1c2697bbd7580ef907d9c985dca8ff85e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 282}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/attest` pinned to mutable ref `@v4`: `uses: actions/attest@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46630, "scanner": "repobility-supply-chain", "fingerprint": "01dd25843cc611f6b8bb7a80c8d95cd897a91f47501007e8faca3ee8d347319e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|01dd25843cc611f6b8bb7a80c8d95cd897a91f47501007e8faca3ee8d347319e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 241}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46629, "scanner": "repobility-supply-chain", "fingerprint": "02f71d6734e112de78e2c11f35600b8ec7b1a8eeeaff6c26ee3752ad826e5534", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|02f71d6734e112de78e2c11f35600b8ec7b1a8eeeaff6c26ee3752ad826e5534"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46628, "scanner": "repobility-supply-chain", "fingerprint": "b425f195d84b6b1b5bdee44576c2e240ab92bc5ca1553a766bef1136d9e98ee5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b425f195d84b6b1b5bdee44576c2e240ab92bc5ca1553a766bef1136d9e98ee5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 207}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/attest-build-provenance` pinned to mutable ref `@v3`: `uses: actions/attest-build-provenance@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46627, "scanner": "repobility-supply-chain", "fingerprint": "ef5304c5d5e8daf5ea26cf6fc3df2160f8748e1eebd25c12c725fb039959ee66", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ef5304c5d5e8daf5ea26cf6fc3df2160f8748e1eebd25c12c725fb039959ee66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46626, "scanner": "repobility-supply-chain", "fingerprint": "3c187d9177afc16aca8a1e14d9d8d5ed1130eebc4d366604d22d40fcf8f7dfea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3c187d9177afc16aca8a1e14d9d8d5ed1130eebc4d366604d22d40fcf8f7dfea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46625, "scanner": "repobility-supply-chain", "fingerprint": "8e07937ce900ebf56df105d614a2be06601929651020fc789f0103f7ed002fea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8e07937ce900ebf56df105d614a2be06601929651020fc789f0103f7ed002fea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46624, "scanner": "repobility-supply-chain", "fingerprint": "944285ea160b0cf1a60ef3d43ff1c80dc709a672c08c106a0cc84428fe69c9b0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|944285ea160b0cf1a60ef3d43ff1c80dc709a672c08c106a0cc84428fe69c9b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46623, "scanner": "repobility-supply-chain", "fingerprint": "e8b9c9b4b623dae6ff5a8df6e5262df6c036ea64e41d680643e913d6bddd8d41", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e8b9c9b4b623dae6ff5a8df6e5262df6c036ea64e41d680643e913d6bddd8d41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46622, "scanner": "repobility-supply-chain", "fingerprint": "1dd83cb7fbbbcaf2fef06c4f36def3aea2f2050dba78de8ef3b6061a4fb9c304", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1dd83cb7fbbbcaf2fef06c4f36def3aea2f2050dba78de8ef3b6061a4fb9c304"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46621, "scanner": "repobility-supply-chain", "fingerprint": "480ffe1434280d482d9f1521b8c112c65135db882535abcee555af8e2a436931", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|480ffe1434280d482d9f1521b8c112c65135db882535abcee555af8e2a436931"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pypa/gh-action-pypi-publish` pinned to mutable ref `@release/v1`: `uses: pypa/gh-action-pypi-publish@release/v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46620, "scanner": "repobility-supply-chain", "fingerprint": "538c7336cf2298c9d8f9484dde91aa45b61cec5918d0ee806a7f1c135402e8ee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|538c7336cf2298c9d8f9484dde91aa45b61cec5918d0ee806a7f1c135402e8ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pypa/gh-action-pypi-publish` pinned to mutable ref `@release/v1`: `uses: pypa/gh-action-pypi-publish@release/v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46619, "scanner": "repobility-supply-chain", "fingerprint": "4d175615bde6af48ae20bec5a620aa444f54a5c5e099bcfccb301a859c899439", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4d175615bde6af48ae20bec5a620aa444f54a5c5e099bcfccb301a859c899439"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46618, "scanner": "repobility-supply-chain", "fingerprint": "50ffb4d7639fb71a2be0a371132213b7a9e8ecb0a20f17949a702bcbfa2e244c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|50ffb4d7639fb71a2be0a371132213b7a9e8ecb0a20f17949a702bcbfa2e244c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46617, "scanner": "repobility-supply-chain", "fingerprint": "f12de1ec29857f76e21cb2fdd8d66c97fb7e504e768195d50c2165c0d9234dba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f12de1ec29857f76e21cb2fdd8d66c97fb7e504e768195d50c2165c0d9234dba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions-cool/check-user-permission` pinned to mutable ref `@v2`: `uses: actions-cool/check-user-permission@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46616, "scanner": "repobility-supply-chain", "fingerprint": "66ed14b0c3aad36dc03e602cbde03f4ce2bfa438cc93e619848ebef34fd55f78", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|66ed14b0c3aad36dc03e602cbde03f4ce2bfa438cc93e619848ebef34fd55f78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46615, "scanner": "repobility-supply-chain", "fingerprint": "fe6814fff37af90a8e08d93a008330ae113320d71ba450f8d7364084a83cc4ca", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fe6814fff37af90a8e08d93a008330ae113320d71ba450f8d7364084a83cc4ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/deploy-pages` pinned to mutable ref `@v5`: `uses: actions/deploy-pages@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46614, "scanner": "repobility-supply-chain", "fingerprint": "5b7ae2ebc191c42116217637ca486ce80701b6b1c9f45c4d336e00c63c928af7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5b7ae2ebc191c42116217637ca486ce80701b6b1c9f45c4d336e00c63c928af7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deployment.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-pages-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-pages-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46613, "scanner": "repobility-supply-chain", "fingerprint": "e98caa05d2bc13d74ae0e4f70458e47529f8d4b3a6003112fa0b6ed1c9d31edc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e98caa05d2bc13d74ae0e4f70458e47529f8d4b3a6003112fa0b6ed1c9d31edc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deployment.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `jdx/mise-action` pinned to mutable ref `@v4`: `uses: jdx/mise-action@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46612, "scanner": "repobility-supply-chain", "fingerprint": "438525890d8f267457e2697ca25c01ebe2065c4d2c0492f591f9b269b727e8be", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|438525890d8f267457e2697ca25c01ebe2065c4d2c0492f591f9b269b727e8be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deployment.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46611, "scanner": "repobility-supply-chain", "fingerprint": "bd04d15c05725d96df958b447a128dbeb46373e6ec7543a4a6e9a34a1d01cf5b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bd04d15c05725d96df958b447a128dbeb46373e6ec7543a4a6e9a34a1d01cf5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deployment.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46610, "scanner": "repobility-supply-chain", "fingerprint": "0918291115b03403dfaba2dd8d81de99b4ed4ff95d96ce5aeacbb18ca4b7b2d3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0918291115b03403dfaba2dd8d81de99b4ed4ff95d96ce5aeacbb18ca4b7b2d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-java.yml"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46609, "scanner": "repobility-supply-chain", "fingerprint": "d09bb314a685331ec49f3c4f84b043c2fd9ee1bd2a9c835f04f8ac33f5ca3ec0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d09bb314a685331ec49f3c4f84b043c2fd9ee1bd2a9c835f04f8ac33f5ca3ec0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-java.yml"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46608, "scanner": "repobility-supply-chain", "fingerprint": "c057661687b214e20f731e9feaa51539d3e237a473529c0d9402a109f781f132", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c057661687b214e20f731e9feaa51539d3e237a473529c0d9402a109f781f132"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-java.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46607, "scanner": "repobility-supply-chain", "fingerprint": "cfad73c878b82f2cf6392e0295d458310653278b91f8b0a24f6ca242afec21f5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cfad73c878b82f2cf6392e0295d458310653278b91f8b0a24f6ca242afec21f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-java.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `alumnium` pulled from URL/Git: `dependencies.alumnium` = `file:../../../dist/npm-alumnium` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 46606, "scanner": "repobility-supply-chain", "fingerprint": "75d5d9f0bb92cc1bb993714f3a42dd01ffd90f575855aa53566013df1fc429d6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|75d5d9f0bb92cc1bb993714f3a42dd01ffd90f575855aa53566013df1fc429d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/tests/npm/esm/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `alumnium` pulled from URL/Git: `dependencies.alumnium` = `file:../../../dist/npm-alumnium` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 46605, "scanner": "repobility-supply-chain", "fingerprint": "ae6254ef145d09a983d487a2aa20642483bf6aedfb3b13d425edf2eebb2075b2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae6254ef145d09a983d487a2aa20642483bf6aedfb3b13d425edf2eebb2075b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/tests/npm/cjs/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD https://github.com/krallin/tini/releases/download/v0.19.0/tini-${TARGETARCH}`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. If the host or DNS is compromised between layers \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image."}, "properties": {"repobilityId": 46604, "scanner": "repobility-supply-chain", "fingerprint": "82cc4b0904923413972f9674e9c23c0e800a5261fa3e14dddb5ea7e6f11e97f1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|82cc4b0904923413972f9674e9c23c0e800a5261fa3e14dddb5ea7e6f11e97f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 46603, "scanner": "repobility-supply-chain", "fingerprint": "b53bca0531f871377aa2f04d54240cb277d316445281d80d9a92b3f63a002fbf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b53bca0531f871377aa2f04d54240cb277d316445281d80d9a92b3f63a002fbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_frame_chain` used but never assigned in __init__: Method `accessibility_tree` of class `SeleniumDriver` reads `self._get_frame_chain`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46602, "scanner": "repobility-ast-engine", "fingerprint": "ef2b89379a984df4cbd87da7aa1dcc27643485fe6c86a84c6da90c9183dd7f47", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ef2b89379a984df4cbd87da7aa1dcc27643485fe6c86a84c6da90c9183dd7f47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/drivers/selenium_driver.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._build_frame_hierarchy` used but never assigned in __init__: Method `accessibility_tree` of class `SeleniumDriver` reads `self._build_frame_hierarchy`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46601, "scanner": "repobility-ast-engine", "fingerprint": "e8bb2d6fae91cac9a7caf7b40adf214bbc06ab09509437e425c97e1f37a4ea29", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e8bb2d6fae91cac9a7caf7b40adf214bbc06ab09509437e425c97e1f37a4ea29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/drivers/selenium_driver.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_all_frame_ids` used but never assigned in __init__: Method `accessibility_tree` of class `SeleniumDriver` reads `self._get_all_frame_ids`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46600, "scanner": "repobility-ast-engine", "fingerprint": "273fa8e4535d25c94ccd124d98b769ecf95d26271968b27dc64f1614281a0226", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|273fa8e4535d25c94ccd124d98b769ecf95d26271968b27dc64f1614281a0226"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/drivers/selenium_driver.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._wait_for_page_to_load` used but never assigned in __init__: Method `accessibility_tree` of class `SeleniumDriver` reads `self._wait_for_page_to_load`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46599, "scanner": "repobility-ast-engine", "fingerprint": "7220fc138dcf250f36218f82647b742af0158635138858ac28afc858d1f5c207", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7220fc138dcf250f36218f82647b742af0158635138858ac28afc858d1f5c207"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/drivers/selenium_driver.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._stop_server` used but never assigned in __init__: Method `_resolve_url` of class `HttpClient` reads `self._stop_server`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46598, "scanner": "repobility-ast-engine", "fingerprint": "7ffbfad1ecd5855db9af86ba8ff45b856e788532e3ec11523880871ba0ebd5ea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7ffbfad1ecd5855db9af86ba8ff45b856e788532e3ec11523880871ba0ebd5ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/clients/http_client.py"}, "region": {"startLine": 242}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._build_server_pid_name` used but never assigned in __init__: Method `_resolve_url` of class `HttpClient` reads `self._build_server_pid_name`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46597, "scanner": "repobility-ast-engine", "fingerprint": "453f3631f20d5e196179bf4c0b3fe376593837d99389415a76dad14e4b3e035d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|453f3631f20d5e196179bf4c0b3fe376593837d99389415a76dad14e4b3e035d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/clients/http_client.py"}, "region": {"startLine": 229}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._stop_server` used but never assigned in __init__: Method `quit` of class `HttpClient` reads `self._stop_server`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46596, "scanner": "repobility-ast-engine", "fingerprint": "bff0aaf2fd08c4c1208d9f6bde2103a5e333c03cc67bd14e40a30fbf2e281b97", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bff0aaf2fd08c4c1208d9f6bde2103a5e333c03cc67bd14e40a30fbf2e281b97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/clients/http_client.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._normalize_paths` used but never assigned in __init__: Method `invoke` of class `UploadTool` reads `self._normalize_paths`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46595, "scanner": "repobility-ast-engine", "fingerprint": "c4edf201fb5b92cf977c0a578d8607e8103532d98465cc6eed1ad4e84b5b510e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c4edf201fb5b92cf977c0a578d8607e8103532d98465cc6eed1ad4e84b5b510e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/tools/upload_tool.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.to_str` used but never assigned in __init__: Method `scope_to_area` of class `XCUITestAccessibilityTree` reads `self.to_str`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46594, "scanner": "repobility-ast-engine", "fingerprint": "3a7c17a4bcfa91496b6d29e191352f0d42dd3194287c58a29afab8356a7786cd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3a7c17a4bcfa91496b6d29e191352f0d42dd3194287c58a29afab8356a7786cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/accessibility/xcuitest_accessibility_tree.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.to_str` used but never assigned in __init__: Method `element_by_id` of class `XCUITestAccessibilityTree` reads `self.to_str`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46593, "scanner": "repobility-ast-engine", "fingerprint": "c1f160edc1fb85b319c6c094d1e1deafca20c6677bf2bfad0abf6f3ddbfeac06", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c1f160edc1fb85b319c6c094d1e1deafca20c6677bf2bfad0abf6f3ddbfeac06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/accessibility/xcuitest_accessibility_tree.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._add_raw_ids` used but never assigned in __init__: Method `_add_raw_ids` of class `XCUITestAccessibilityTree` reads `self._add_raw_ids`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46592, "scanner": "repobility-ast-engine", "fingerprint": "ba4b2591345b870f6e286e96f8ab00bc97886e96d8f72d886501e33f20d60035", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ba4b2591345b870f6e286e96f8ab00bc97886e96d8f72d886501e33f20d60035"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/accessibility/xcuitest_accessibility_tree.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._add_raw_ids` used but never assigned in __init__: Method `to_str` of class `XCUITestAccessibilityTree` reads `self._add_raw_ids`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46591, "scanner": "repobility-ast-engine", "fingerprint": "a9fb1f87a6c6fb46931d092fc82f5b40d8de68308d76e9c531c8b36d126c3bc3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a9fb1f87a6c6fb46931d092fc82f5b40d8de68308d76e9c531c8b36d126c3bc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/accessibility/xcuitest_accessibility_tree.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.to_str` used but never assigned in __init__: Method `scope_to_area` of class `UIAutomator2AccessibilityTree` reads `self.to_str`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46590, "scanner": "repobility-ast-engine", "fingerprint": "412639d6985476b63736babb2dfb42dfbe7fe9e6ac98ee5726e4acc046b4ea6d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|412639d6985476b63736babb2dfb42dfbe7fe9e6ac98ee5726e4acc046b4ea6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/accessibility/uiautomator2_accessibility_tree.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.to_str` used but never assigned in __init__: Method `element_by_id` of class `UIAutomator2AccessibilityTree` reads `self.to_str`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46589, "scanner": "repobility-ast-engine", "fingerprint": "8f9c011d69a8c5ce48f4afa1cd61ffd200b6c78dad682cfd6cdded4a13a730b2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8f9c011d69a8c5ce48f4afa1cd61ffd200b6c78dad682cfd6cdded4a13a730b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/accessibility/uiautomator2_accessibility_tree.py"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._add_raw_ids` used but never assigned in __init__: Method `_add_raw_ids` of class `UIAutomator2AccessibilityTree` reads `self._add_raw_ids`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46588, "scanner": "repobility-ast-engine", "fingerprint": "74014916696384ab681993f332d9a89ce13556d80b7c6d51ff824d233b64424c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|74014916696384ab681993f332d9a89ce13556d80b7c6d51ff824d233b64424c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/accessibility/uiautomator2_accessibility_tree.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._add_raw_ids` used but never assigned in __init__: Method `to_str` of class `UIAutomator2AccessibilityTree` reads `self._add_raw_ids`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46587, "scanner": "repobility-ast-engine", "fingerprint": "b902ab8790452bf6ed5e5339ba7f251dd8c0a368e3016347b6b9b247dee8cad0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b902ab8790452bf6ed5e5339ba7f251dd8c0a368e3016347b6b9b247dee8cad0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/accessibility/uiautomator2_accessibility_tree.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._from_xml` used but never assigned in __init__: Method `scope_to_area` of class `ChromiumAccessibilityTree` reads `self._from_xml`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46585, "scanner": "repobility-ast-engine", "fingerprint": "1610855587d4559fec1995780a78197f6da74ceec9a4e7731e8603a1f90cf218", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1610855587d4559fec1995780a78197f6da74ceec9a4e7731e8603a1f90cf218"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py"}, "region": {"startLine": 203}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.to_str` used but never assigned in __init__: Method `scope_to_area` of class `ChromiumAccessibilityTree` reads `self.to_str`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46584, "scanner": "repobility-ast-engine", "fingerprint": "282fa56d209cac7771a3ca8c938cd21b991aae6350dd8681af0fdf17b974a72c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|282fa56d209cac7771a3ca8c938cd21b991aae6350dd8681af0fdf17b974a72c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.to_str` used but never assigned in __init__: Method `element_by_id` of class `ChromiumAccessibilityTree` reads `self.to_str`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46583, "scanner": "repobility-ast-engine", "fingerprint": "eed4ff95dbbae83a7bc83e909d9bd4351c32de8926cc74d97fdff99e649a57be", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eed4ff95dbbae83a7bc83e909d9bd4351c32de8926cc74d97fdff99e649a57be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._to_str` used but never assigned in __init__: Method `_node_to_xml` of class `ChromiumAccessibilityTree` reads `self._to_str`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46582, "scanner": "repobility-ast-engine", "fingerprint": "c0c98a2524636b0c38c3e21b2207eb1b49ea903edfd11e4137074e11e4e9c22b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c0c98a2524636b0c38c3e21b2207eb1b49ea903edfd11e4137074e11e4e9c22b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._to_str` used but never assigned in __init__: Method `_node_to_xml` of class `ChromiumAccessibilityTree` reads `self._to_str`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46581, "scanner": "repobility-ast-engine", "fingerprint": "5d23c4e81abbe78a7e4064e3207c3f5762088836c9b416a9e4379c97391d1c04", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5d23c4e81abbe78a7e4064e3207c3f5762088836c9b416a9e4379c97391d1c04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._node_to_xml` used but never assigned in __init__: Method `_node_to_xml` of class `ChromiumAccessibilityTree` reads `self._node_to_xml`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46580, "scanner": "repobility-ast-engine", "fingerprint": "2e0058d5aad090462f4a5ea0950f9756f472589d0b93cb3b1d5eca407dc867de", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2e0058d5aad090462f4a5ea0950f9756f472589d0b93cb3b1d5eca407dc867de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._node_to_xml` used but never assigned in __init__: Method `_node_to_xml` of class `ChromiumAccessibilityTree` reads `self._node_to_xml`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46579, "scanner": "repobility-ast-engine", "fingerprint": "9ca98728602b56d320dfb6a802d675bbe80addaede46049f4c04711e291f8b0f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9ca98728602b56d320dfb6a802d675bbe80addaede46049f4c04711e291f8b0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._to_str` used but never assigned in __init__: Method `_node_to_xml` of class `ChromiumAccessibilityTree` reads `self._to_str`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46578, "scanner": "repobility-ast-engine", "fingerprint": "7b30b3600df839d3dfc4705167289fc1cda0a2bc5008a5a3d27f5c381dd4d71b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7b30b3600df839d3dfc4705167289fc1cda0a2bc5008a5a3d27f5c381dd4d71b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._node_to_xml` used but never assigned in __init__: Method `to_str` of class `ChromiumAccessibilityTree` reads `self._node_to_xml`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 46577, "scanner": "repobility-ast-engine", "fingerprint": "917711ca3ea9b2fbc5a0519aef70ae4599d43a16f92be4a2c17887dd8326441f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|917711ca3ea9b2fbc5a0519aef70ae4599d43a16f92be4a2c17887dd8326441f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_cross_origin_iframe: Test function `test_cross_origin_iframe` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 46576, "scanner": "repobility-ast-engine", "fingerprint": "e2714db59694c4cbd7b7e7b36bda95913a5d057faf93ed943a5e35f43cca665c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e2714db59694c4cbd7b7e7b36bda95913a5d057faf93ed943a5e35f43cca665c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/examples/pytest/frames_test.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_waiting_for_requests_and_form_updates: Test function `test_waiting_for_requests_and_form_updates` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 46575, "scanner": "repobility-ast-engine", "fingerprint": "17afa49263a359728125bfc41c9dbb31f0f66ca72fce2b48c312486afe5020be", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|17afa49263a359728125bfc41c9dbb31f0f66ca72fce2b48c312486afe5020be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/examples/pytest/waiting_test.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_execute_javascript_to_scroll: Test function `test_execute_javascript_to_scroll` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 46574, "scanner": "repobility-ast-engine", "fingerprint": "c55560791b423b047e771d164969caf5b932b0db54a695de1026be6ce9e94ba9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c55560791b423b047e771d164969caf5b932b0db54a695de1026be6ce9e94ba9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/examples/pytest/execute_javascript_test.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_drag_slider: Test function `test_drag_slider` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 46573, "scanner": "repobility-ast-engine", "fingerprint": "3f297d99072b3f7a9fff5c31815be463393c94ffaf3c9f92a78cdf21e7b82bc6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3f297d99072b3f7a9fff5c31815be463393c94ffaf3c9f92a78cdf21e7b82bc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/examples/pytest/drag_slider_test.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_select_option: Test function `test_select_option` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 46572, "scanner": "repobility-ast-engine", "fingerprint": "a76d222a6ecc56df013dda68f65b76a9ad520d436136cd96c36ac54fce6ba418", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a76d222a6ecc56df013dda68f65b76a9ad520d436136cd96c36ac54fce6ba418"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/examples/pytest/select_test.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 46565, "scanner": "repobility-threat-engine", "fingerprint": "44cfc6076c461892472397c6c45e7a99c9cb3ec45b331191f0abf59d08cdedad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(value", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|44cfc6076c461892472397c6c45e7a99c9cb3ec45b331191f0abf59d08cdedad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/server/cache/ElementsCache/ElementsCacheMask.ts"}, "region": {"startLine": 127}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 46563, "scanner": "repobility-threat-engine", "fingerprint": "72e2010112af6a86859c4f22dac48e64df08473fbd8bb72d9ea8e0c5b5c21445", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|72e2010112af6a86859c4f22dac48e64df08473fbd8bb72d9ea8e0c5b5c21445"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/server/agents/RetrieverAgent.ts"}, "region": {"startLine": 156}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 46562, "scanner": "repobility-threat-engine", "fingerprint": "e7d5322882be2059440fff2b8f0c2e4d5816b29648d189806e4f516021525545", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(\n          paths.seleniumAtomsDir,\n          request", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|188|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/standalone/setupEmbeddedDependencies.ts"}, "region": {"startLine": 188}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 46561, "scanner": "repobility-threat-engine", "fingerprint": "30aae92d265b42e5fb886ca8a5c9f8aebf9d70b3de1c0f93f9393c8bfc0c669c", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.resolve(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|81|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/mcp/tools/startMcpTool.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 46560, "scanner": "repobility-threat-engine", "fingerprint": "25f98f1d58fce6bfc865c77ca52ed33da3459a2b4b161a9dc1175a9d0b74a882", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([k, v]) => `${k}='${String(v)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|25f98f1d58fce6bfc865c77ca52ed33da3459a2b4b161a9dc1175a9d0b74a882"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/tools/BaseTool.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 46559, "scanner": "repobility-threat-engine", "fingerprint": "3c8b1c7c96c74153d561965a60daad3cd4578ed4942b92fa3939b39cf1571a51", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((a) => `'${a}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3c8b1c7c96c74153d561965a60daad3cd4578ed4942b92fa3939b39cf1571a51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/server/agents/PlannerAgent.ts"}, "region": {"startLine": 155}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 46558, "scanner": "repobility-threat-engine", "fingerprint": "23cdd6839f6a36a160a84ba9d6788040c03bd3df50fc8ce3a304b8e42bab4e49", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n          ([k, v]) => `${k} == \"${v}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|23cdd6839f6a36a160a84ba9d6788040c03bd3df50fc8ce3a304b8e42bab4e49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/drivers/AppiumDriver.ts"}, "region": {"startLine": 205}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 46540, "scanner": "repobility-threat-engine", "fingerprint": "fee6d3458b85d4412095fb5ad17c06723c49d1d7b56ef49b810704e4337e0697", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "state.resources.delete(el);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fee6d3458b85d4412095fb5ad17c06723c49d1d7b56ef49b810704e4337e0697"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/drivers/scripts/waiter.js"}, "region": {"startLine": 227}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 46539, "scanner": "repobility-threat-engine", "fingerprint": "f9a0239c0e8ddc49e4dcfbe5ae12778a192bb3d455600a80ef1b21fb617b7289", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "state.resources.delete(el);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f9a0239c0e8ddc49e4dcfbe5ae12778a192bb3d455600a80ef1b21fb617b7289"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/drivers/scripts/waiter.js"}, "region": {"startLine": 227}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 46536, "scanner": "repobility-threat-engine", "fingerprint": "d94166b00347c8b57beabe1f404e9701fa750db7034d6b46a3f154d23ff98602", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d94166b00347c8b57beabe1f404e9701fa750db7034d6b46a3f154d23ff98602"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/drivers/base_driver.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 46535, "scanner": "repobility-threat-engine", "fingerprint": "0fee3bbe9e1e0f772533afec8fce51f12a90d10291204a2442f8606dd19e0443", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0fee3bbe9e1e0f772533afec8fce51f12a90d10291204a2442f8606dd19e0443"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/drivers/appium_driver.py"}, "region": {"startLine": 123}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 46534, "scanner": "repobility-threat-engine", "fingerprint": "b1f8bb0716a95093be6a165b287789019e0983a000636c024c5382ea6fefadf5", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b1f8bb0716a95093be6a165b287789019e0983a000636c024c5382ea6fefadf5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/clients/http_client.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `_node_to_xml` has cognitive complexity 27 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=1, else=1, for=3, if=11, nested_bonus=9, recursion=2."}, "properties": {"repobilityId": 46532, "scanner": "repobility-threat-engine", "fingerprint": "600e1e5e1e487e940361962268670b0eeecdc4a1bc6953a50f8dad28475ded9d", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 27 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_node_to_xml", "breakdown": {"if": 11, "for": 3, "elif": 1, "else": 1, "recursion": 2, "nested_bonus": 9}, "complexity": 27, "correlation_key": "fp|600e1e5e1e487e940361962268670b0eeecdc4a1bc6953a50f8dad28475ded9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/python/src/alumnium/accessibility/chromium_accessibility_tree.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 46517, "scanner": "repobility-threat-engine", "fingerprint": "2fcba39f6f9b37691b73410040559bfeed7bce684392d62d96e62e03cc2f118b", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DocumentBuilderFactory.newInstance(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2fcba39f6f9b37691b73410040559bfeed7bce684392d62d96e62e03cc2f118b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/java/src/main/java/ai/alumnium/accessibility/ChromiumAccessibilityTree.java"}, "region": {"startLine": 245}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 7217, "scanner": "repobility-threat-engine", "fingerprint": "0d9eadc3b2fe272d1290680bce239c7df4721e539281166900d49b36b8d3c820", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "Open(method, url, ...rest);\\n    };\\n\\n    /**\\n     * @this  {XMLHttpRequest & XhrExtra}\\n     * @p", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|4|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/drivers/scripts/bundledScripts.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 7214, "scanner": "repobility-threat-engine", "fingerprint": "e56e1bd88d9ac6871fd643fa9a171e2fcd6206d70b7b8eebdeb4e3ab30580caf", "category": "credential_exposure", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Console output includes a credential-bearing template expression.", "evidence": {"match": "logger.debug(`${name} is set: ${maskString(secret)", "reason": "Console output includes a credential-bearing template expression.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.92, "correlation_key": "secret|token|33|logger.debug name is set: maskstring secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/typescript/src/server/LlmFactory.ts"}, "region": {"startLine": 335}}}]}]}]}