{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT006", "name": "React interval is created without an explicit cleanup", "shortDescription": {"text": "React interval is created without an explicit cleanup"}, "fullDescription": {"text": "Intervals created in React hooks or components should be cleared on unmount. Missing cleanup can keep stale callbacks alive after recording, polling, or overlay components close."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Use environment variables. Add the pattern to .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/264"}, "properties": {"repository": "agenticmail/agenticmail", "repoUrl": "https://github.com/agenticmail/agenticmail", "branch": "main"}, "results": [{"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 8195, "scanner": "repobility-threat-engine", "fingerprint": "c2d78fe6b3ab7d288b363b8f5c3fcd404d3f2e5935ea789de35f3d6d40c7eba8", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c2d78fe6b3ab7d288b363b8f5c3fcd404d3f2e5935ea789de35f3d6d40c7eba8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/claudecode/src/dispatcher.ts"}, "region": {"startLine": 2121}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 8194, "scanner": "repobility-threat-engine", "fingerprint": "d3c19ec67695946f9ec9e3c6f678c345fbee809c3a9ecf1b3b104f3c9aef26c9", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d3c19ec67695946f9ec9e3c6f678c345fbee809c3a9ecf1b3b104f3c9aef26c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/claudecode/src/mail-hook.ts"}, "region": {"startLine": 503}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 8193, "scanner": "repobility-threat-engine", "fingerprint": "a01dae1b75d506a61cad4b950e3366940d7b77f37e32fe3cddd5f563d6db74fc", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a01dae1b75d506a61cad4b950e3366940d7b77f37e32fe3cddd5f563d6db74fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/mail.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 8183, "scanner": "repobility-agent-runtime", "fingerprint": "b368035b1d56109efbbb64b4ca10d60b919d614aa6460f238a7b10511ba6e7ad", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|b368035b1d56109efbbb64b4ca10d60b919d614aa6460f238a7b10511ba6e7ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/openclaw/src/tools.ts"}, "region": {"startLine": 229}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 8182, "scanner": "repobility-agent-runtime", "fingerprint": "2c98492ed992b0198466905eb5a65c2c94cf432bdc2ee76e995738e9f239acfc", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|2c98492ed992b0198466905eb5a65c2c94cf432bdc2ee76e995738e9f239acfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/setup/installer.ts"}, "region": {"startLine": 406}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 8181, "scanner": "repobility-agent-runtime", "fingerprint": "398c1b42341ee45685acc268ea9907f0541e0c9938d1d69e5379749625d70b93", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|398c1b42341ee45685acc268ea9907f0541e0c9938d1d69e5379749625d70b93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/setup/index.ts"}, "region": {"startLine": 215}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 8180, "scanner": "repobility-agent-runtime", "fingerprint": "8ea92e8459639a8169d0604c09c2853943e62ff99a0403c71dbea26092118bed", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|8ea92e8459639a8169d0604c09c2853943e62ff99a0403c71dbea26092118bed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/index.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 8179, "scanner": "repobility-agent-runtime", "fingerprint": "a222125f2d1cbb8d4731dc3e5d815a1ff2e794f24ca9438b2acb1f4a90c1b0aa", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|a222125f2d1cbb8d4731dc3e5d815a1ff2e794f24ca9438b2acb1f4a90c1b0aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/public/js/sse.js"}, "region": {"startLine": 64}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 8178, "scanner": "repobility-agent-runtime", "fingerprint": "c1c1e559948198d95c7b3e87d1e168c889a49090209c4f7cf02bfef7ab5c15bf", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|c1c1e559948198d95c7b3e87d1e168c889a49090209c4f7cf02bfef7ab5c15bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/public/js/sound.js"}, "region": {"startLine": 22}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 8177, "scanner": "repobility-agent-runtime", "fingerprint": "b41f59bbc8065a3c0f464ad6a7e7f7bd2956154b6ffdb60d6a99e1afc744537f", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|b41f59bbc8065a3c0f464ad6a7e7f7bd2956154b6ffdb60d6a99e1afc744537f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/public/js/app.js"}, "region": {"startLine": 46}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 8176, "scanner": "repobility-agent-runtime", "fingerprint": "b195669f19bff4fbdb0d6ee2a87cb55bad019f55b5280199a6941194b08b957c", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|b195669f19bff4fbdb0d6ee2a87cb55bad019f55b5280199a6941194b08b957c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/stalwart/config/stalwart.toml"}, "region": {"startLine": 7}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 8175, "scanner": "repobility-agent-runtime", "fingerprint": "505d8132c01c201c58d161febe707fbc155abbd71c37c92edb331b405aa0b98e", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|505d8132c01c201c58d161febe707fbc155abbd71c37c92edb331b405aa0b98e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CLAUDE.md"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8174, "scanner": "repobility-ai-code-hygiene", "fingerprint": "471a43b412abdba66dce97871a85c3d4ba91a2570ffed3e17367205c18a0fe32", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mcp/src/pending-followup.ts", "duplicate_line": 88, "correlation_key": "fp|471a43b412abdba66dce97871a85c3d4ba91a2570ffed3e17367205c18a0fe32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/openclaw/src/pending-followup.ts"}, "region": {"startLine": 128}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8173, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2d543d2f7d4f52bacd8059b259e2c3837a3416c3132be1ce017c6849b56c8b79", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/openclaw/index.ts", "duplicate_line": 63, "correlation_key": "fp|2d543d2f7d4f52bacd8059b259e2c3837a3416c3132be1ce017c6849b56c8b79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/openclaw/src/channel.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8172, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4e7a7fd220e214f000254128bfbebf35866dcfd218fb47b59b78d214a0d40a94", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/gateway/relay.ts", "duplicate_line": 137, "correlation_key": "fp|4e7a7fd220e214f000254128bfbebf35866dcfd218fb47b59b78d214a0d40a94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/mail/sender.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8171, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bd091ba14283b168a1225f988ef90dec7e1deb2be1b0fca8a112704ad078507d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/inbox/watcher.ts", "duplicate_line": 38, "correlation_key": "fp|bd091ba14283b168a1225f988ef90dec7e1deb2be1b0fca8a112704ad078507d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/mail/receiver.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 8201, "scanner": "repobility-docker", "fingerprint": "7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "stalwart", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 8200, "scanner": "repobility-docker", "fingerprint": "2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "stalwart", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 8191, "scanner": "repobility-threat-engine", "fingerprint": "796385818ea54db72688aa13f1210396499a888dced995353c0aaa335e589eb0", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = s", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|30|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/public/js/compose.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 8190, "scanner": "repobility-threat-engine", "fingerprint": "1afa4a323b3469c49547f1a62f5367067215ace016004b544aabefbff17f3b34", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = l", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|65|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/public/js/activity-badges.js"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 8189, "scanner": "repobility-threat-engine", "fingerprint": "ac426ca0346a579491a144e1c50f24246b6c4fc9d26787f8d0cadf0a112a6ac8", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = v", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|39|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/public/js/sidebar.js"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 8199, "scanner": "repobility-threat-engine", "fingerprint": "f78b05f3525efdc18a5d1983ba1263e47eaa8a772967c623a7aa23730bd5139a", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f78b05f3525efdc18a5d1983ba1263e47eaa8a772967c623a7aa23730bd5139a"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 8198, "scanner": "repobility-threat-engine", "fingerprint": "2a8a53bf9fbeaa4fb4f0d5edcdf197927ea6e57b2e332937e295e4170d94aa7a", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|1806|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/claudecode/src/dispatcher.ts"}, "region": {"startLine": 1806}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 8197, "scanner": "repobility-threat-engine", "fingerprint": "6a1af0bf8b35bb55d424318cce57629f2af02f5ed37e58d13832485a696034b7", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|193|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/threading/thread-cache.ts"}, "region": {"startLine": 193}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 8196, "scanner": "repobility-threat-engine", "fingerprint": "fb269eb657f1a2b0c8ad512d3d3a7d0fb9741e15eb3bb1ec8885ca2f3d356be3", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|295|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/sms/manager.ts"}, "region": {"startLine": 295}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 8192, "scanner": "repobility-threat-engine", "fingerprint": "ba3aacacd2a33ee50afdca6450d1bdf5da55ce372033095b443ee81ae02c9f49", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ba3aacacd2a33ee50afdca6450d1bdf5da55ce372033095b443ee81ae02c9f49"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 8188, "scanner": "repobility-threat-engine", "fingerprint": "3c1512ec1e531167a3aa928d567398e9cb8cbf7ff40fccf993810ebf40229e88", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3c1512ec1e531167a3aa928d567398e9cb8cbf7ff40fccf993810ebf40229e88"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 8187, "scanner": "repobility-threat-engine", "fingerprint": "fabfc85453076830b09fb0994a264badb5dce9e01e77ee0708611dc32b11e04e", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('[agenticmail] Warning: Neither apiKey nor masterKey is configured')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|packages/openclaw/index.ts|23|console.error agenticmail warning: neither apikey nor masterkey is configured"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/openclaw/index.ts"}, "region": {"startLine": 237}}}]}, {"ruleId": "SEC002", "level": "none", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 8184, "scanner": "repobility-threat-engine", "fingerprint": "06fe96687a7e9bef313de780a5fa9c30aa85f746ec45994822ab82c187c4786f", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value looks like a development placeholder, not a live credential", "evidence": {"match": "API_KEY = '<redacted>'", "reason": "Value looks like a development placeholder, not a live credential", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|1|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/sms-verification.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 8186, "scanner": "repobility-threat-engine", "fingerprint": "1263af86cda5db15ed951efc49929245d14b28757f23f7a7898ba25e263e43f2", "category": "credential_exposure", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Console output includes a credential-bearing template expression.", "evidence": {"match": "console.log(`   Stalwart Admin Password: <redacted>}`)", "reason": "Console output includes a credential-bearing template expression.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.92, "correlation_key": "secret|scripts/init-local.ts|6|console.log stalwart admin password: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/init-local.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 8185, "scanner": "repobility-threat-engine", "fingerprint": "3eaa8dadf61573ed4562e620cb5efaf49655441c5a45d655ba9b66eaaba3b3fd", "category": "credential_exposure", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Console output includes a credential-bearing template expression.", "evidence": {"match": "console.log(`  researcher: ${researcher.email} (key: ${researcher.apiKey})", "reason": "Console output includes a credential-bearing template expression.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.92, "correlation_key": "secret|examples/multi-agent.ts|2|console.log researcher: researcher.email key: researcher.apikey"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/multi-agent.ts"}, "region": {"startLine": 30}}}]}]}]}