{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED124", "name": "[MINED124] requirements.txt: `requests` has no version pin: Unpinned pip requirement means every fresh install may resol", "shortDescription": {"text": "[MINED124] requirements.txt: `requests` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible inst"}, "fullDescription": {"text": "Replace `requests` with `requests==<version>` and manage upgrades through PRs / Dependabot."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "[MINED109] Mutable default argument in `call_addkey` (list): `def call_addkey(... = []/{}/set())` \u2014 Python's default val", "shortDescription": {"text": "[MINED109] Mutable default argument in `call_addkey` (list): `def call_addkey(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for e"}, "fullDescription": {"text": "Use None as the default and create the collection inside the function: `def call_addkey(x=None): x = x or []`"}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 24.3% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 24.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. 
Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR013", "name": "Dockerfile ADD downloads remote content", "shortDescription": {"text": "Dockerfile ADD downloads remote content"}, "fullDescription": {"text": "Use curl/wget with a pinned URL, verify checksum or signature, and prefer COPY for local files."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . 
with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or 
user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `add_extra_keys` has cognitive complexity 21 (SonarSource scale). Cognitiv", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `add_extra_keys` has cognitive complexity 21 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursio"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. 
SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 21."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "Add regression tests for anonymous denial, cross-user object denial, admin role limits, and super_admin-only behavior."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": 
"repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. 
Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "low", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC124", "name": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacke", "shortDescription": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason."}, "fullDescription": {"text": "Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). 
For locking, use `fcntl.flock`. When the file must already exist, drop the pre-check, open it directly and handle the error; add `os.O_NOFOLLOW` where a symlink must not be followed."}, "properties": {"scanner": "repobility-threat-engine", "category": "race_condition", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 13 more): Same pattern found in 13 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.", "shortDescription": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED063", "name": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use.", "shortDescription": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-367 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED075", "name": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL.", "shortDescription": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-690 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. 
Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC078] Python: requests without timeout (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 4 more): Same pattern found in 4 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Also block loopback (127/8) and the IPv6 equivalents (::1, fc00::/7, fe80::/10), and apply the check to the address the hostname actually resolves to, on every redirect hop, not only to the URL string."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block (and 32 more): Same pattern found in 32 additional files. Review if needed.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block (and 32 more): Same pattern found in 32 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 6 more): Same pattern found in 6 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 67 more): Same pattern found in 67 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 67 more): Same pattern found in 67 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED041", "name": "[MINED041] Rust Unimplemented Macro (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED041] Rust Unimplemented Macro (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 298 more): Same pattern found in 298 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 298 more): Same pattern found in 298 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 85 more): Same pattern found in 85 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 85 more): Same pattern found in 85 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `runtime/runtime-params-estimator/emu-cost/counter_plugin/libcounter.so` committed in source repo", "shortDescription": {"text": "[MINED134] Binary file `runtime/runtime-params-estimator/emu-cost/counter_plugin/libcounter.so` committed in source repo: `runtime/runtime-params-estimator/emu-cost/counter_plugin/libcounter.so` is a .so binary (16,536 bytes) committed to a"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. 
If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `nginx:1.25.4-alpine` not pinned by digest: `FROM nginx:1.25.4-alpine` resolves the tag at bu", "shortDescription": {"text": "[MINED118] Dockerfile FROM `nginx:1.25.4-alpine` not pinned by digest: `FROM nginx:1.25.4-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Producti"}, "fullDescription": {"text": "Replace with: `FROM nginx:1.25.4-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. 
Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED119", "name": "[MINED119] Dockerfile `ADD https://s3-us-west-1.amazonaws.com/build.nearprotocol.com/nearcore/Linux-aarch64/${VERSION}/n", "shortDescription": {"text": "[MINED119] Dockerfile `ADD https://s3-us-west-1.amazonaws.com/build.nearprotocol.com/nearcore/Linux-aarch64/${VERSION}/near-sandbox.tar.gz`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. If the h"}, "fullDescription": {"text": "Download the file in CI with a known checksum, vendor it into the repo, and COPY it during the build. Or use `RUN curl -sSL URL | sha256sum -c <(echo '<expected> -')` to verify. That one-liner only checks the streamed bytes and then discards them, and `<(...)` needs a shell with process substitution such as bash, which the default `/bin/sh -c` of `RUN` often is not; save the download to a file, run `sha256sum -c` against that file, and unpack only the file that was verified."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_deploy_global_contract: Test function `test_deploy_global_contract` runs code but", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_deploy_global_contract: Test function `test_deploy_global_contract` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying any"}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.deserialize_struct` used but never assigned in __init__: Method `deserialize_field` of class `BinarySer", "shortDescription": {"text": "[MINED108] `self.deserialize_struct` used but never assigned in __init__: Method `deserialize_field` of class `BinarySerializer` reads `self.deserialize_struct`, but no assignment to it exists in __init__ (and no class-level fallback). This"}, "fullDescription": {"text": "Initialize `self.deserialize_struct = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /debug/api/epoch_info_light/{e"}, "fullDescription": {"text": "Add ownership, tenant, relationship, or policy checks before reading or mutating the target object."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED034", "name": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.", "shortDescription": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "fullDescription": {"text": "Pass the command as an argument list and leave `shell` at its default of False, so no shell parses the arguments; where a shell is unavoidable, quote each untrusted value with `shlex.quote`. See CWE-78 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC035", "name": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based o", "shortDescription": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation."}, "fullDescription": {"text": "Cap user-controlled sizes BEFORE allocation:\n  size = min(int(request.args.get('n', 100)), MAX_SIZE)\nSet framework-level limits:\n  Flask:    app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024\n  FastAPI:  use middleware to enforce request size\n  Django:   DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py\nNever raise `sys.setrecursionlimit` past 10K without a deeper review."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED039", "name": "[MINED039] Rust Todo Macro: todo!() panics when reached. 
Unimplemented code path.", "shortDescription": {"text": "[MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.NAYDUCK_CODE` on a `pull_request` trigger: This workflow triggers on `pull_request`, w", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.NAYDUCK_CODE` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NAYDUCK_CODE }` lets a PR from any fork exfiltrate the secret ("}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code (the PR head checkout, its build scripts or its dependencies) runs in any job that can read the secret. `pull_request_target` runs with the base repository's secrets, so checking out and executing the PR head there exposes them."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `time` used but not imported: The file uses `time.something(...)` but never imports `time`. T", "shortDescription": {"text": "[MINED107] Missing import: `time` used but not imported: The file uses `time.something(...)` but never imports `time`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import time` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. 
Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1274"}, "properties": {"repository": "near/nearcore", "repoUrl": "https://github.com/near/nearcore", "branch": "master"}, "results": [{"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `requests` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129201, "scanner": "repobility-supply-chain", "fingerprint": "bc93ab316b2e9cfa5eea9459e10704f0bb937fc435d707a8a245462d3f2e3f26", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bc93ab316b2e9cfa5eea9459e10704f0bb937fc435d707a8a245462d3f2e3f26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tests/mocknet/helpers/requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `psutil` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129200, "scanner": "repobility-supply-chain", "fingerprint": "8844ec86bd60090a8ceb20768e75f04d62b6e8a3dbd2c37d63224b595d231d4f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8844ec86bd60090a8ceb20768e75f04d62b6e8a3dbd2c37d63224b595d231d4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tests/mocknet/helpers/requirements.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `json-rpc` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129199, "scanner": "repobility-supply-chain", "fingerprint": "6a79797625cc59db183ffa763bf971923625533d14dc3cfad8afcdb4c22964dd", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6a79797625cc59db183ffa763bf971923625533d14dc3cfad8afcdb4c22964dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tests/mocknet/helpers/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `jmespath` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129193, "scanner": "repobility-supply-chain", "fingerprint": "1ce1077f1edd09a9cd1e49ea1c8f954a517e63a64bb03c2e662db579e9a7096c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ce1077f1edd09a9cd1e49ea1c8f954a517e63a64bb03c2e662db579e9a7096c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `datetime` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129192, "scanner": "repobility-supply-chain", "fingerprint": "69ba132156fc7514dff3101f0e58b05d19e214091daa08d750f0fc001b8cba38", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|69ba132156fc7514dff3101f0e58b05d19e214091daa08d750f0fc001b8cba38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `urllib3<2` has no exact version pin (only an upper bound): Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129191, "scanner": "repobility-supply-chain", "fingerprint": "45b4800a40d6c714a46742574765758eac86f4a00b3d6bf939f59277e0111887", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|45b4800a40d6c714a46742574765758eac86f4a00b3d6bf939f59277e0111887"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `tqdm` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129190, "scanner": "repobility-supply-chain", "fingerprint": "3a330f37e4228738208b0def56b5932bbe4a1359962ab8d4f0ecf92e718fc170", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3a330f37e4228738208b0def56b5932bbe4a1359962ab8d4f0ecf92e718fc170"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `toml` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129189, "scanner": "repobility-supply-chain", "fingerprint": "d145430d2f5f3e8e3984cf305f6907a783ee68885d616d674d8142674887c870", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d145430d2f5f3e8e3984cf305f6907a783ee68885d616d674d8142674887c870"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `semver` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129188, "scanner": "repobility-supply-chain", "fingerprint": "98a37b397fa09b640a8aef3232497416dc1de37cd2aafc1f082ee2bc7ace4b6b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|98a37b397fa09b640a8aef3232497416dc1de37cd2aafc1f082ee2bc7ace4b6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `scipy` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129187, "scanner": "repobility-supply-chain", "fingerprint": "75e3c32c81ae5340ef0eda7659a1bf315097674e141667ef7237de20a1e543bc", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|75e3c32c81ae5340ef0eda7659a1bf315097674e141667ef7237de20a1e543bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `scikit-learn` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129186, "scanner": "repobility-supply-chain", "fingerprint": "a4d30e3fb9e3e9cc0a42a9eaf68807cd12fb3fb77682d47df83a0b2a9c196ec5", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a4d30e3fb9e3e9cc0a42a9eaf68807cd12fb3fb77682d47df83a0b2a9c196ec5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `retrying` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129185, "scanner": "repobility-supply-chain", "fingerprint": "181166fbaa6b9ca4136e866516cab961c9f76cee82fcf9faf5272abf458a4390", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|181166fbaa6b9ca4136e866516cab961c9f76cee82fcf9faf5272abf458a4390"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `requests` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129184, "scanner": "repobility-supply-chain", "fingerprint": "121de9be28cb9c5878d0c5a70e7be473f8e07906ba412f35d10e17a8ec06dd3a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|121de9be28cb9c5878d0c5a70e7be473f8e07906ba412f35d10e17a8ec06dd3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pynacl` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129183, "scanner": "repobility-supply-chain", "fingerprint": "efbc185339e932b82e12d7b5932cb62d0f4a262eaca9a4c9bcb33bb6055d99a1", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|efbc185339e932b82e12d7b5932cb62d0f4a262eaca9a4c9bcb33bb6055d99a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pydantic` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129182, "scanner": "repobility-supply-chain", "fingerprint": "a9c3a67fc06bfcd039c644846df93b15d2ed4f3bfa570031ed6674871ec40f82", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a9c3a67fc06bfcd039c644846df93b15d2ed4f3bfa570031ed6674871ec40f82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `psutil` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129181, "scanner": "repobility-supply-chain", "fingerprint": "5222586cac5d8332533f3aa054fd62fec3e03df17ed9d22d32b08eb1dfb87b72", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5222586cac5d8332533f3aa054fd62fec3e03df17ed9d22d32b08eb1dfb87b72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `prometheus-client` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129180, "scanner": "repobility-supply-chain", "fingerprint": "9b1f0e4367595d4c4aca49fb83308ee7d62e5e91a1b573a30e1a273c41bca537", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9b1f0e4367595d4c4aca49fb83308ee7d62e5e91a1b573a30e1a273c41bca537"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `numpy` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129179, "scanner": "repobility-supply-chain", "fingerprint": "12370ccebbec039e381a397377922553d64d3a96eefd0b90d338ac7986b78d43", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|12370ccebbec039e381a397377922553d64d3a96eefd0b90d338ac7986b78d43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `nearup` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129178, "scanner": "repobility-supply-chain", "fingerprint": "2ef07e714796ddd5c142b7435b8c7d8aeeab82d432f21f8254d09af9bda5c72b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2ef07e714796ddd5c142b7435b8c7d8aeeab82d432f21f8254d09af9bda5c72b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `json-rpc` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129177, "scanner": "repobility-supply-chain", "fingerprint": "fcdc143774a1584f917db381587a118a603ebf3023d6d323ead16920740b7241", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fcdc143774a1584f917db381587a118a603ebf3023d6d323ead16920740b7241"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `deepdiff` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129176, "scanner": "repobility-supply-chain", "fingerprint": "dab8e1eca73808c28ca97549eee23b815abd4ebbdec17f945ead7e827456467d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dab8e1eca73808c28ca97549eee23b815abd4ebbdec17f945ead7e827456467d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `cython` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129175, "scanner": "repobility-supply-chain", "fingerprint": "4b230fe46f87d33e360b3aee83442777326fe215becc82c8fcd91ee90b7b0ebc", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b230fe46f87d33e360b3aee83442777326fe215becc82c8fcd91ee90b7b0ebc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `cachetools` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129174, "scanner": "repobility-supply-chain", "fingerprint": "11e4b83ecf5bd2eff524b2c7b431ead56c5cd57928c50910217d295f0561ed7a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|11e4b83ecf5bd2eff524b2c7b431ead56c5cd57928c50910217d295f0561ed7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `base58` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 129173, "scanner": "repobility-supply-chain", "fingerprint": "521f2d8e1625e60a44b9fcdb6f3ce6b1e40b5e8f45660c53a155b64a32f42998", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|521f2d8e1625e60a44b9fcdb6f3ce6b1e40b5e8f45660c53a155b64a32f42998"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `PyGithub` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 129172, "scanner": "repobility-supply-chain", "fingerprint": "b699ff4fc41cf833b0341d7bbef4e6b377211273b9d8bdc0f2494095e1d699d4", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b699ff4fc41cf833b0341d7bbef4e6b377211273b9d8bdc0f2494095e1d699d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `call_addkey` (list): `def call_addkey(... 
= []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 129166, "scanner": "repobility-ast-engine", "fingerprint": "4eba1eb979ad19ac587dca94856dc5e10594a6d2726902f4b2baf5671a513004", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4eba1eb979ad19ac587dca94856dc5e10594a6d2726902f4b2baf5671a513004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tools/mirror/mirror_utils.py"}, "region": {"startLine": 257}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 129164, "scanner": "repobility-ast-engine", "fingerprint": "e4868dc52e68af33f92bdddc9c9028523bdda0f66b88ec78fade8bee2d3b37cf", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e4868dc52e68af33f92bdddc9c9028523bdda0f66b88ec78fade8bee2d3b37cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tests/adversarial/fork_sync.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `neard_runner_jsonrpc` (list): `def neard_runner_jsonrpc(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. 
Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 129162, "scanner": "repobility-ast-engine", "fingerprint": "0ec3f2dd77fcd3720574ae63aa4b6260f4d5735a06fc8b32726f435871a2ddc2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0ec3f2dd77fcd3720574ae63aa4b6260f4d5735a06fc8b32726f435871a2ddc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tests/mocknet/node_handle.py"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `neard_runner_jsonrpc_nocheck` (list): `def neard_runner_jsonrpc_nocheck(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. 
Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 129161, "scanner": "repobility-ast-engine", "fingerprint": "4e9fbc40f1a5c441c2e54a908d0b14bf76776a85174d05820d8fa7dce8ec37c1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4e9fbc40f1a5c441c2e54a908d0b14bf76776a85174d05820d8fa7dce8ec37c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tests/mocknet/node_handle.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 129160, "scanner": "repobility-ast-engine", "fingerprint": "11effac1c5a9c53f59f81bf09a351dafd3fded9e8e7a24d23342880b4e7401a1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|11effac1c5a9c53f59f81bf09a351dafd3fded9e8e7a24d23342880b4e7401a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tests/sanity/rpc_missing_block.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `docker_run` (dict): `def docker_run(... 
= []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 129157, "scanner": "repobility-ast-engine", "fingerprint": "be049036d304bef296c94c85ebd011ace14e8b848ea4f10fb45ed96231b87ee8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|be049036d304bef296c94c85ebd011ace14e8b848ea4f10fb45ed96231b87ee8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tests/sanity/docker.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 129156, "scanner": "repobility-ast-engine", "fingerprint": "de3ded676f14738adb90d44db77c5cffc83b2e71ad5d9b3c4ddeafb9a4e62eeb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|de3ded676f14738adb90d44db77c5cffc83b2e71ad5d9b3c4ddeafb9a4e62eeb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tests/sanity/congestion_control.py"}, "region": {"startLine": 195}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 129155, "scanner": "repobility-ast-engine", "fingerprint": "55a1231466635dcdb93898aef441ce1035f387accb875506d7dfd55544ae2891", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|55a1231466635dcdb93898aef441ce1035f387accb875506d7dfd55544ae2891"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tests/sanity/validator_switch_key_quick.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 129154, "scanner": "repobility-ast-engine", "fingerprint": "87b6b5104be3c90e41897f20d9be9e3e93a80a55e8941dee54dc4c1bbf6300b1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|87b6b5104be3c90e41897f20d9be9e3e93a80a55e8941dee54dc4c1bbf6300b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tests/sanity/validator_switch.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `doit` (list): `def doit(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. 
Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 129153, "scanner": "repobility-ast-engine", "fingerprint": "59d83eab66e1f72ad95decbf45231fa59bdb3f9fcaef1a41a4df5a5a52727bca", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|59d83eab66e1f72ad95decbf45231fa59bdb3f9fcaef1a41a4df5a5a52727bca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tests/sanity/staking2.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 129149, "scanner": "repobility-ast-engine", "fingerprint": "c26a625a27bae605ae72120177a9f9de86b85284ac151ebd824d67ae97848159", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c26a625a27bae605ae72120177a9f9de86b85284ac151ebd824d67ae97848159"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tests/sanity/replay_chain_from_archive.py"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 129148, "scanner": "repobility-ast-engine", "fingerprint": "ee454db009ef1237da5ff659d0ffae4f994ff35dd5e83c4a058b5c3b68e50014", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ee454db009ef1237da5ff659d0ffae4f994ff35dd5e83c4a058b5c3b68e50014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/cluster.py"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 129147, "scanner": "repobility-ast-engine", "fingerprint": "3ac994f6d3112efb1960ec4b21db359236a111dfd6b1229242c65374a388dbf1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3ac994f6d3112efb1960ec4b21db359236a111dfd6b1229242c65374a388dbf1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/mocknet_helpers.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 129121, "scanner": "repobility-ast-engine", "fingerprint": "ab87a2e348c9b81a4a657625f5fcf8b6df52ddbb0266cbaa2d80c08496427682", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ab87a2e348c9b81a4a657625f5fcf8b6df52ddbb0266cbaa2d80c08496427682"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/merge_queue_health.py"}, "region": {"startLine": 255}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 129120, "scanner": "repobility-ast-engine", "fingerprint": "75845fa821463fc5a16feaee050349af06a9007ccc5df0c1a48c20057b5f585e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|75845fa821463fc5a16feaee050349af06a9007ccc5df0c1a48c20057b5f585e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/merge_queue_health.py"}, "region": {"startLine": 170}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 24.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, 
"properties": {"repobilityId": 129116, "scanner": "repobility-access-control", "fingerprint": "0961098656d4e395cdbb90d91aec8a05a1d7a5bbdd2fe8cf2a194a2e62e5132d", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 37, "correlation_key": "fp|0961098656d4e395cdbb90d91aec8a05a1d7a5bbdd2fe8cf2a194a2e62e5132d", "auth_visible_percent": 24.3}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 129115, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Axum"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 129110, "scanner": "repobility-docker", "fingerprint": "402f257613e08d29df964eb0a48e9be326bf340c7e0ac286a1c11340437d4c82", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": 
"repobility-docker", "service": "mongo-express", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|402f257613e08d29df964eb0a48e9be326bf340c7e0ac286a1c11340437d4c82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tracing/docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 129107, "scanner": "repobility-docker", "fingerprint": "39a3b8d0211d09987ff4ebe5b5f3cf791486b96e403ed4eff34796a2f9f17828", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "mongo", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|39a3b8d0211d09987ff4ebe5b5f3cf791486b96e403ed4eff34796a2f9f17828"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tracing/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 129103, "scanner": "repobility-docker", "fingerprint": "1703c68fd2b61a7d923741f941c1847a8418a64557d1eb2012b333dca7d3c60f", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:bullseye-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|1703c68fd2b61a7d923741f941c1847a8418a64557d1eb2012b333dca7d3c60f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tracing/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 129102, "scanner": "repobility-docker", "fingerprint": "1b07b0c1f19c9a6caf68c12f448d20cce883ee2607e570fb18414e7959764614", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nginx:1.25.4-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1b07b0c1f19c9a6caf68c12f448d20cce883ee2607e570fb18414e7959764614"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/debug-ui/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 129101, "scanner": "repobility-docker", "fingerprint": "86f52407a5014efe798b03a38d65f6b2f9963d4a29bfbb4731e7db828ba1292e", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "docker.io/rust:1.86.0", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|86f52407a5014efe798b03a38d65f6b2f9963d4a29bfbb4731e7db828ba1292e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/runtime-params-estimator/emu-cost/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 129098, "scanner": "repobility-docker", "fingerprint": "47e7e60c5cffef1aa84b7038ff5b545d85f1fe11d451ce42ee0dffb531f9423f", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "download-${TARGETARCH}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|47e7e60c5cffef1aa84b7038ff5b545d85f1fe11d451ce42ee0dffb531f9423f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sandbox/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 129096, "scanner": "repobility-docker", "fingerprint": "83baca03316e2d380ee9243cd3f0dd709cfc44670151d0bcb8764b074e1d3051", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|83baca03316e2d380ee9243cd3f0dd709cfc44670151d0bcb8764b074e1d3051"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "docker/sandbox/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 129095, "scanner": "repobility-docker", "fingerprint": "0b7908cc8943394237a329361f8774b791469da8fae736ff0b8e8ab9cef8ba78", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0b7908cc8943394237a329361f8774b791469da8fae736ff0b8e8ab9cef8ba78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sandbox/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 129094, "scanner": "repobility-docker", "fingerprint": "91186a528904d35a34db20ed2daca19ca760c501d71696d4591ea7b4ab7cb9ba", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:22.04", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|91186a528904d35a34db20ed2daca19ca760c501d71696d4591ea7b4ab7cb9ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile 
copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 129091, "scanner": "repobility-docker", "fingerprint": "7f98b5b190749309e6df171ab1b374475786f00d8ef25b00b73fe137ffd0aa49", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|7f98b5b190749309e6df171ab1b374475786f00d8ef25b00b73fe137ffd0aa49", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 129086, "scanner": "repobility-agent-runtime", "fingerprint": "aaa9d8ec1a71bd1418463bec5e68e8874afb5886e902b68756468141f64b66a4", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|aaa9d8ec1a71bd1418463bec5e68e8874afb5886e902b68756468141f64b66a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/cluster.py"}, "region": {"startLine": 154}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 129055, "scanner": "repobility-ai-code-hygiene", "fingerprint": "412bfbe2a14e4a8a7b92411f983e16a777a408dae55f01e14241d7133bfdfe72", 
"category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|412bfbe2a14e4a8a7b92411f983e16a777a408dae55f01e14241d7133bfdfe72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/store/src/trie/trie_storage_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 129053, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cbc88a262d0ba3d857e189c4594aad8233ba8a0e86887774b3b9bd18c1dcb592", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "update", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "core/store/src/trie/trie_storage.rs", "correlation_key": "fp|cbc88a262d0ba3d857e189c4594aad8233ba8a0e86887774b3b9bd18c1dcb592"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/store/src/trie/trie_storage_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 129052, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a2e6394094f69e7d2a9a4370a6905fbc65b9ad96d5080d1f5128eff9ca07f156", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", 
"verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "update", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "chain/chain/src/chain.rs", "correlation_key": "fp|a2e6394094f69e7d2a9a4370a6905fbc65b9ad96d5080d1f5128eff9ca07f156"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/chain/src/chain_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 129048, "scanner": "repobility-threat-engine", "fingerprint": "ecd2855b34ad52f7bee15d6ee9a02bfc29ccb02aa8b16a9a524d2a309e568076", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|tools/themis/src/utils.rs|19|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/themis/src/utils.rs"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 129047, "scanner": "repobility-threat-engine", "fingerprint": "a2f64fcf861c91bdb0c9e37fa69059978d9b58c5ae3a5c437243a30324c3dc7f", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|61|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/debug-ui/src/log_visualizer/events.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 129032, "scanner": "repobility-threat-engine", "fingerprint": "b2d379eb0f39383710c6fe6d451b638b9f19ccd5fba6cc0151d35f7ecf0103ca", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "subprocess.run(benchmark_command, cwd=repo_dir, shell=True", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|scripts/run-ft-benchmark.py|31|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/run-ft-benchmark.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell 
execution or eval of user input."}, "properties": {"repobilityId": 129031, "scanner": "repobility-threat-engine", "fingerprint": "7fb58e2377b6d0f513fbbbf375b3eae42d9dcba8ef412dec77929695d3bab66c", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "subprocess.run(\n        [\n            f\"gcloud compute instances list \\\n        --project={project}", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|5|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/remote_diff/utils.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 129030, "scanner": "repobility-threat-engine", "fingerprint": "281b6c261f0c19eb9de81e17eb4848022facd3f4333b7e09f1ba22d369c03d78", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "subprocess.run(f\"cargo run -p cli -- insert-ft-transfer {fp.name}\",\n                       shell=Tru", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|94|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ft-benchmark-data-sender.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High 
cognitive complexity: Function `add_extra_keys` has cognitive complexity 21 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: break=1, continue=1, elif=1, for=2, if=4, nested_bonus=12."}, "properties": {"repobilityId": 129014, "scanner": "repobility-threat-engine", "fingerprint": "6ef5c164a62820ebe117e7a2e5d5c9fece8417a5bd64e4cc03c595cedb9f757a", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 21 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "add_extra_keys", "breakdown": {"if": 4, "for": 2, "elif": 1, "break": 1, "continue": 1, "nested_bonus": 12}, "complexity": 21, "correlation_key": "fp|6ef5c164a62820ebe117e7a2e5d5c9fece8417a5bd64e4cc03c595cedb9f757a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tools/mirror/fork_network.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 129119, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Axum"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges 
hardening"}, "properties": {"repobilityId": 129114, "scanner": "repobility-docker", "fingerprint": "817344eaeec4b747edb9e8ceb3cd7df660f5a8ff62aa81fd5bb23cc108909799", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "querier", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|817344eaeec4b747edb9e8ceb3cd7df660f5a8ff62aa81fd5bb23cc108909799"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tracing/docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 129113, "scanner": "repobility-docker", "fingerprint": "e56328c64c0bc20e9d5d2c6a508f72362a97e76021840fdc9f6441ff340a99e7", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "querier", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e56328c64c0bc20e9d5d2c6a508f72362a97e76021840fdc9f6441ff340a99e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tracing/docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 129112, "scanner": "repobility-docker", "fingerprint": "66a8be5855f46cf78f430be98a47eeb2abd5a8cd9cbed804ef2d1dc2eafd3668", "category": "docker", "severity": "low", 
"confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "collector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|66a8be5855f46cf78f430be98a47eeb2abd5a8cd9cbed804ef2d1dc2eafd3668"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tracing/docker-compose.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 129111, "scanner": "repobility-docker", "fingerprint": "ea5604165c2ebbeb356b48f226fc9f07c27057377b218de6e288a0fa5dffe0ad", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "collector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ea5604165c2ebbeb356b48f226fc9f07c27057377b218de6e288a0fa5dffe0ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tracing/docker-compose.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 129100, "scanner": "repobility-docker", "fingerprint": "74ba69c5494fd2741f9ac94222a9f15fdba29ff8c9172721d4bc058b589a9cfc", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", 
"references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|74ba69c5494fd2741f9ac94222a9f15fdba29ff8c9172721d4bc058b589a9cfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/runtime-params-estimator/emu-cost/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 129099, "scanner": "repobility-docker", "fingerprint": "820af2a74e90584ab2b491b9817dad32b73b894fe56123189a265368b80198da", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|820af2a74e90584ab2b491b9817dad32b73b894fe56123189a265368b80198da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/runtime-params-estimator/emu-cost/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 129093, "scanner": "repobility-docker", "fingerprint": "c51ea10b9ee5970b796f88e061245487240c2d7d99ff36deec93339cda048e0c", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c51ea10b9ee5970b796f88e061245487240c2d7d99ff36deec93339cda048e0c"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 129090, "scanner": "repobility-docker", "fingerprint": "9b98c31c66d05ff92a3082f57028ffbc20d12d3a4071dd10933d751c96b47d7b", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9b98c31c66d05ff92a3082f57028ffbc20d12d3a4071dd10933d751c96b47d7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 129089, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 
129085, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8db34bf9f279f243467c486543083957cebeb4dbb4e5ce17f6f17ee28a36ce7d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/async/src/multithread/test.rs", "duplicate_line": 11, "correlation_key": "fp|8db34bf9f279f243467c486543083957cebeb4dbb4e5ce17f6f17ee28a36ce7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/async/src/tokio/test.rs"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129084, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1df535819c9a40a3258eef7c7e7124322e32e5758aeafca2f14b3adc827cec10", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/async/src/multithread/sender.rs", "duplicate_line": 47, "correlation_key": "fp|1df535819c9a40a3258eef7c7e7124322e32e5758aeafca2f14b3adc827cec10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/async/src/tokio/sender.rs"}, "region": {"startLine": 52}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129083, "scanner": "repobility-ai-code-hygiene", "fingerprint": "97c71868ecdbbfaad6160b0d15165131834050908f3a0c0bfea8c5a6cda08070", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "core/async/benches/instrumentation.rs", "duplicate_line": 22, "correlation_key": "fp|97c71868ecdbbfaad6160b0d15165131834050908f3a0c0bfea8c5a6cda08070"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/async/src/instrumentation/tests.rs"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129082, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ed4171c15ed5a3ba84e6d04ad31860a32e94dc3c40977c6876c0ede25a8cfdea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/rosetta-rpc/src/adapters/validated_operations/add_key.rs", "duplicate_line": 16, "correlation_key": "fp|ed4171c15ed5a3ba84e6d04ad31860a32e94dc3c40977c6876c0ede25a8cfdea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/rosetta-rpc/src/adapters/validated_operations/withdraw_from_gas_key.rs"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129081, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9b090ff8ab074668a255035e5802741ebdb4f326526fa190bc2aa331bb4ac161", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/rosetta-rpc/src/adapters/validated_operations/stake.rs", "duplicate_line": 10, "correlation_key": "fp|9b090ff8ab074668a255035e5802741ebdb4f326526fa190bc2aa331bb4ac161"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/rosetta-rpc/src/adapters/validated_operations/withdraw_from_gas_key.rs"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129080, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7ad9df8798a7a4085c28c879dfa366c177cfd593c791b658fbab20cb1bd65a0e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/rosetta-rpc/src/adapters/validated_operations/add_key.rs", "duplicate_line": 16, "correlation_key": "fp|7ad9df8798a7a4085c28c879dfa366c177cfd593c791b658fbab20cb1bd65a0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/rosetta-rpc/src/adapters/validated_operations/transfer_to_gas_key.rs"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129079, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dd647b158874c6895d767995d4c2c02fd129f8d1d9258e778f8cd883705d8369", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/rosetta-rpc/src/adapters/validated_operations/stake.rs", "duplicate_line": 10, "correlation_key": "fp|dd647b158874c6895d767995d4c2c02fd129f8d1d9258e778f8cd883705d8369"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/rosetta-rpc/src/adapters/validated_operations/transfer_to_gas_key.rs"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129078, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0b1a27e181b806bd830e403b34bb1417a84a7dec318749e6a09c85dd7a617cff", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/rosetta-rpc/src/adapters/validated_operations/add_key.rs", "duplicate_line": 16, "correlation_key": "fp|0b1a27e181b806bd830e403b34bb1417a84a7dec318749e6a09c85dd7a617cff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/rosetta-rpc/src/adapters/validated_operations/stake.rs"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129077, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fe7ca14dc02f89d478a34adc4432dbe97109bdfaf8c4aad550b23e93299203ae", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/rosetta-rpc/src/adapters/validated_operations/initiate_add_key.rs", "duplicate_line": 8, "correlation_key": "fp|fe7ca14dc02f89d478a34adc4432dbe97109bdfaf8c4aad550b23e93299203ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/rosetta-rpc/src/adapters/validated_operations/initiate_withdraw_from_gas_key.rs"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129076, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b3f6eb9c2af20e7725be8b576d6fdd83afe8352f60dbab1b752a80096f51da9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/rosetta-rpc/src/adapters/validated_operations/initiate_add_key.rs", "duplicate_line": 8, "correlation_key": "fp|6b3f6eb9c2af20e7725be8b576d6fdd83afe8352f60dbab1b752a80096f51da9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/rosetta-rpc/src/adapters/validated_operations/initiate_transfer_to_gas_key.rs"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129075, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f5a2a7800b29f7cb16133fdd4b22ccc0780bf58ef139aeef91d8222873df578b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/rosetta-rpc/src/adapters/validated_operations/initiate_add_key.rs", "duplicate_line": 8, "correlation_key": "fp|f5a2a7800b29f7cb16133fdd4b22ccc0780bf58ef139aeef91d8222873df578b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/rosetta-rpc/src/adapters/validated_operations/initiate_signed_delegate_action.rs"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129074, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5b39b1d44aa7f0ea12a3c2bcfc55a0c2eee6bbada20d5db60dd721be0de391e3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/rosetta-rpc/src/adapters/validated_operations/initiate_add_key.rs", "duplicate_line": 8, "correlation_key": "fp|5b39b1d44aa7f0ea12a3c2bcfc55a0c2eee6bbada20d5db60dd721be0de391e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/rosetta-rpc/src/adapters/validated_operations/initiate_function_call.rs"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129073, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f9288c968b5119beb1592017d3af971a8dc16aadf7febeae556bd85f6deaf30a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/rosetta-rpc/src/adapters/validated_operations/initiate_add_key.rs", "duplicate_line": 8, "correlation_key": "fp|f9288c968b5119beb1592017d3af971a8dc16aadf7febeae556bd85f6deaf30a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/rosetta-rpc/src/adapters/validated_operations/initiate_deploy_contract.rs"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129072, "scanner": "repobility-ai-code-hygiene", "fingerprint": "40aaa6454c6f3f1f806a4e14e5edcdbb7bf8c3a6ee00fb4b6eae87810ce67873", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/rosetta-rpc/src/adapters/validated_operations/initiate_add_key.rs", "duplicate_line": 8, "correlation_key": "fp|40aaa6454c6f3f1f806a4e14e5edcdbb7bf8c3a6ee00fb4b6eae87810ce67873"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/rosetta-rpc/src/adapters/validated_operations/initiate_delete_key.rs"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129071, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8eca167496a4e2ede1de2b4b72649491cc955d8bbd19bb2b637c20a4b421ed4e", "category": "quality", "severity": "low", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/rosetta-rpc/src/adapters/validated_operations/initiate_add_key.rs", "duplicate_line": 8, "correlation_key": "fp|8eca167496a4e2ede1de2b4b72649491cc955d8bbd19bb2b637c20a4b421ed4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/rosetta-rpc/src/adapters/validated_operations/initiate_delete_account.rs"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129070, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9646daf0a4c5c71ab1b91cf5e2869bcfa6695d3e857c7791ad940b1c8776a6b4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/rosetta-rpc/src/adapters/validated_operations/initiate_add_key.rs", "duplicate_line": 8, "correlation_key": "fp|9646daf0a4c5c71ab1b91cf5e2869bcfa6695d3e857c7791ad940b1c8776a6b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/rosetta-rpc/src/adapters/validated_operations/initiate_delegate_action.rs"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129069, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9e6b0cf2c2d4189d04c7b685ca432e028dd79e9e5a1e1e743da02b7ac105eb0f", "category": "quality", "severity": "low", 
"confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/rosetta-rpc/src/adapters/validated_operations/initiate_add_key.rs", "duplicate_line": 8, "correlation_key": "fp|9e6b0cf2c2d4189d04c7b685ca432e028dd79e9e5a1e1e743da02b7ac105eb0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/rosetta-rpc/src/adapters/validated_operations/initiate_create_account.rs"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129068, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e155ac27ccd922f8bd2eb19ddfb00976ae81843872cf5c0cd9b3949c46e9743f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/rosetta-rpc/src/adapters/validated_operations/add_key.rs", "duplicate_line": 8, "correlation_key": "fp|e155ac27ccd922f8bd2eb19ddfb00976ae81843872cf5c0cd9b3949c46e9743f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/rosetta-rpc/src/adapters/validated_operations/delete_key.rs"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129067, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7c6ef8be362447d2a5fa2f49d5af4bc4e935b738520bb5bd9174b30d7a08d847", "category": "quality", "severity": "low", "confidence": 
0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/rosetta-rpc/src/adapters/validated_operations/create_account.rs", "duplicate_line": 8, "correlation_key": "fp|7c6ef8be362447d2a5fa2f49d5af4bc4e935b738520bb5bd9174b30d7a08d847"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/rosetta-rpc/src/adapters/validated_operations/delete_account.rs"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129066, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a42464b4fdbbac3a377fb94134f5e8badd418b9943f30228df1182371e2fc54a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/jsonrpc/res/congestion_control.js", "duplicate_line": 80, "correlation_key": "fp|a42464b4fdbbac3a377fb94134f5e8badd418b9943f30228df1182371e2fc54a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/jsonrpc/res/last_blocks.js"}, "region": {"startLine": 196}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129065, "scanner": "repobility-ai-code-hygiene", "fingerprint": "60cc5d75a2e0ec6abb7af2320f564260f1db645375a9e29c6a2930dec7cf5183", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/jsonrpc-primitives/src/types/call_function.rs", "duplicate_line": 13, "correlation_key": "fp|60cc5d75a2e0ec6abb7af2320f564260f1db645375a9e29c6a2930dec7cf5183"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/jsonrpc-primitives/src/types/view_state.rs"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129064, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b0081fa4c803a7a84abc5fb20af1633a4d995059775e2d13ace752ad5b0f71be", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/jsonrpc-primitives/src/types/call_function.rs", "duplicate_line": 13, "correlation_key": "fp|b0081fa4c803a7a84abc5fb20af1633a4d995059775e2d13ace752ad5b0f71be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/jsonrpc-primitives/src/types/view_gas_key_nonces.rs"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129063, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2c9b08bfbb53a6217c0ebd9fb52118e34536eeabe829f108cdc25c2dc29f1e3b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test 
files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/jsonrpc-primitives/src/types/call_function.rs", "duplicate_line": 13, "correlation_key": "fp|2c9b08bfbb53a6217c0ebd9fb52118e34536eeabe829f108cdc25c2dc29f1e3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/jsonrpc-primitives/src/types/view_code.rs"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129062, "scanner": "repobility-ai-code-hygiene", "fingerprint": "691026371e0db6f775d93a01e7b395f1f4e9af0787eca0845b40a317c21ac9c2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/jsonrpc-primitives/src/types/view_access_key_list.rs", "duplicate_line": 13, "correlation_key": "fp|691026371e0db6f775d93a01e7b395f1f4e9af0787eca0845b40a317c21ac9c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/jsonrpc-primitives/src/types/view_account.rs"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129061, "scanner": "repobility-ai-code-hygiene", "fingerprint": "23c2ea0532f90d1d4727b092a944c4a77fd905c1eb790de79075aa198cb586ab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/jsonrpc-primitives/src/types/call_function.rs", "duplicate_line": 13, "correlation_key": "fp|23c2ea0532f90d1d4727b092a944c4a77fd905c1eb790de79075aa198cb586ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/jsonrpc-primitives/src/types/view_account.rs"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129060, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ac052ef8823c42e45606eac4b251121d677565822a97dfe1cbbc53773a976a13", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/jsonrpc-primitives/src/types/call_function.rs", "duplicate_line": 13, "correlation_key": "fp|ac052ef8823c42e45606eac4b251121d677565822a97dfe1cbbc53773a976a13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/jsonrpc-primitives/src/types/view_access_key_list.rs"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129059, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9b5a34948f5c3e7625fb530a6526fa1acf33de4ad89aa784a54cccddae986350", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "chain/jsonrpc-primitives/src/types/call_function.rs", "duplicate_line": 13, "correlation_key": "fp|9b5a34948f5c3e7625fb530a6526fa1acf33de4ad89aa784a54cccddae986350"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/jsonrpc-primitives/src/types/view_access_key.rs"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129058, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c0155163993ee40b0099d8302ed2009c31bfaa9a9e0f129e415771d999708456", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/chain-primitives/src/error.rs", "duplicate_line": 25, "correlation_key": "fp|c0155163993ee40b0099d8302ed2009c31bfaa9a9e0f129e415771d999708456"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/jsonrpc-primitives/src/types/query.rs"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129057, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3c662dceae0e8c0e9197b5c57a4f12809863335b60ddf50571f4697478a2f91b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/jsonrpc-primitives/src/types/call_function.rs", "duplicate_line": 13, 
"correlation_key": "fp|3c662dceae0e8c0e9197b5c57a4f12809863335b60ddf50571f4697478a2f91b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/jsonrpc-primitives/src/types/query.rs"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 129056, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2613cc7cce1ae9a6a77f8e15cbe5a9d04087389d9e100402cd9dd4021d5a776e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chain/client-primitives/src/types.rs", "duplicate_line": 533, "correlation_key": "fp|2613cc7cce1ae9a6a77f8e15cbe5a9d04087389d9e100402cd9dd4021d5a776e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/jsonrpc-primitives/src/types/light_client.rs"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 129054, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a55a74f074acbc400fafff014783ebbabd6e05365385d91bfdd829ed2fa184d8", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|a55a74f074acbc400fafff014783ebbabd6e05365385d91bfdd829ed2fa184d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"core/store/src/trie/mem/memtrie_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC022", "level": "note", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 129050, "scanner": "repobility-threat-engine", "fingerprint": "6a094635236fae5915ac6831a379a03eb40333a276846f8017ed07a01efdd659", "category": "credential_exposure", "severity": "low", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value contains development/placeholder marker", "evidence": {"match": "mongodb://root:insecure@", "reason": "Value contains development/placeholder marker", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "secret|tracing/docker-compose.yml|2|mongodb://root:insecure"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tracing/docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC124", "level": "note", "message": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). 
`mktemp` is deprecated for the same reason."}, "properties": {"repobilityId": 129036, "scanner": "repobility-threat-engine", "fingerprint": "0c81a04c62def6248d871c1022f80cead54670b669f1491ac1f35bdf34452083", "category": "race_condition", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.path.exists(LOCK_FILE):\n        with open(LOCK_FILE, 'r') as f:\n            running_user = f.read", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC124", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0c81a04c62def6248d871c1022f80cead54670b669f1491ac1f35bdf34452083"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/run-ft-benchmark.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `send_txs` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: break=1, for=2, if=2, nested_bonus=3."}, "properties": {"repobilityId": 129015, "scanner": "repobility-threat-engine", "fingerprint": "07467bd8f67f00c1a6309690a05df8825a04c445e9931cf083e3bfd1014b365b", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "send_txs", "breakdown": {"if": 2, "for": 2, "break": 1, "nested_bonus": 3}, "complexity": 8, "correlation_key": "fp|07467bd8f67f00c1a6309690a05df8825a04c445e9931cf083e3bfd1014b365b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tools/mirror/fork_network.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `find_best_voting_hour` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: break=1, continue=1, else=1, for=2, if=4, nested_bonus=4."}, "properties": {"repobilityId": 129013, "scanner": "repobility-threat-engine", "fingerprint": "de96d11243c5df27aedfe39cecc9b3f9f4573a172a3d239bd227bbbf241fe741", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 13 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "find_best_voting_hour", "breakdown": {"if": 4, "for": 2, "else": 1, "break": 1, "continue": 1, "nested_bonus": 4}, "complexity": 13, "correlation_key": "fp|de96d11243c5df27aedfe39cecc9b3f9f4573a172a3d239bd227bbbf241fe741"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "debug_scripts/estimate_epoch_start_time.py"}, "region": {"startLine": 123}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 129097, "scanner": "repobility-docker", "fingerprint": "f76287f4f4d0d7471718a5a4fb451f82b43f0e55d535ab1cabd8db3dbfb21a64", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "download-${TARGETARCH}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|f76287f4f4d0d7471718a5a4fb451f82b43f0e55d535ab1cabd8db3dbfb21a64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sandbox/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC134", "level": "none", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem 
ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 129051, "scanner": "repobility-threat-engine", "fingerprint": "9e19faa2b5539052f12daff81dd4969902ff0f2a82e6333a5aedb962024ecb48", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b|mock|fixture|spec\\b' detected on same line", "evidence": {"match": "'foo bar'", "reason": "Safe pattern 'test\\b|mock|fixture|spec\\b' detected on same line", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|9e19faa2b5539052f12daff81dd4969902ff0f2a82e6333a5aedb962024ecb48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/fmt/src/lib.rs"}, "region": {"startLine": 260}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 129046, "scanner": "repobility-threat-engine", "fingerprint": "7a722fdceea768588f4fda7b2f3cb5d67fd09485c387d832465cc20f01421a54", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|7a722fdceea768588f4fda7b2f3cb5d67fd09485c387d832465cc20f01421a54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/debug-ui/src/entity_debug/EntityQueryComposer.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 129045, "scanner": "repobility-threat-engine", "fingerprint": "bdaf6f29b8ebc30a2c1aa2cce49a49f588638bbb2f4fae6e5fcdf324ea61369d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bdaf6f29b8ebc30a2c1aa2cce49a49f588638bbb2f4fae6e5fcdf324ea61369d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/debug-ui/src/entity_debug/EntityDataValueView.tsx"}, "region": {"startLine": 240}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 129044, "scanner": "repobility-threat-engine", "fingerprint": "e892b9603c811470c7d54e2dc31d936bf9042761eddf73fa35d2e3c182a71668", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e892b9603c811470c7d54e2dc31d936bf9042761eddf73fa35d2e3c182a71668"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/debug-ui/src/entity_debug/fields.tsx"}, "region": {"startLine": 314}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 129043, "scanner": "repobility-threat-engine", "fingerprint": "8fe64651749b445aa2a91a6c3da7733096e28e16a355784dc71de9f15fa0e061", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8fe64651749b445aa2a91a6c3da7733096e28e16a355784dc71de9f15fa0e061"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/debug-ui/src/actors/canvas_utils.tsx"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 129042, "scanner": "repobility-threat-engine", "fingerprint": "608d8d675ae0526fc953a53caf5c68a07518f95ee27080c50acec2df294a2cc4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|608d8d675ae0526fc953a53caf5c68a07518f95ee27080c50acec2df294a2cc4", "aggregated_count": 13}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 129041, "scanner": "repobility-threat-engine", "fingerprint": "d5c1919ff3c0f46ddbe628b5492344586a5ba105657e91787a5514e60e6d5235", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d5c1919ff3c0f46ddbe628b5492344586a5ba105657e91787a5514e60e6d5235"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/debug-ui/src/ConnectionStorageView.tsx"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 129040, "scanner": "repobility-threat-engine", "fingerprint": "084d88e7ca53df0a1c247294a08a8fcfb09aabcbf274e5b0fe75605b61f66bb9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|084d88e7ca53df0a1c247294a08a8fcfb09aabcbf274e5b0fe75605b61f66bb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/debug-ui/src/ChainInfoSummaryView.tsx"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 129039, "scanner": "repobility-threat-engine", "fingerprint": "04d34473553ec133d45f5a544ed1be79c9790c281d48250a6559773ee45bcf63", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|04d34473553ec133d45f5a544ed1be79c9790c281d48250a6559773ee45bcf63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/debug-ui/src/BlocksView.tsx"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. 
Inappropriate in services."}, "properties": {"repobilityId": 129038, "scanner": "repobility-threat-engine", "fingerprint": "2c1a5f4fd4233991ca851e8c9f37074730ef586803a2480ed25394617d1f308c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2c1a5f4fd4233991ca851e8c9f37074730ef586803a2480ed25394617d1f308c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/debug-ui/scripts/compare_tries.py"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED063", "level": "none", "message": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "properties": {"repobilityId": 129037, "scanner": "repobility-threat-engine", "fingerprint": "59686b71e5292eccb88c62dd4cad4bf29ddff95e4e371498981fa18b65b3127b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "toctou-os-path-exists", "owasp": null, "cwe_ids": ["CWE-367"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348048+00:00", "triaged_in_corpus": 12, "observations_count": 90754, "ai_coder_pattern_id": 41}, "scanner": "repobility-threat-engine", "correlation_key": "fp|59686b71e5292eccb88c62dd4cad4bf29ddff95e4e371498981fa18b65b3127b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/run-ft-benchmark.py"}, "region": {"startLine": 11}}}]}, 
{"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 129026, "scanner": "repobility-threat-engine", "fingerprint": "b6bc7fea4b9d312cc0abc7b13523f0c18b329ed181586d22f4b92593d4edfa11", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b6bc7fea4b9d312cc0abc7b13523f0c18b329ed181586d22f4b92593d4edfa11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/runtime-params-estimator/emu-cost/counter_plugin/test.c"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 129022, "scanner": "repobility-threat-engine", "fingerprint": "4fec2fef69470ffed0292a685dafeea92e6d9b099a4fc3d1481f567d3ae98399", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|4fec2fef69470ffed0292a685dafeea92e6d9b099a4fc3d1481f567d3ae98399"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check_nightly.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 129021, "scanner": "repobility-threat-engine", "fingerprint": "c35a94f3837517041919b7a8d284d12ebebcaaba2b0d60d04e98eff0dcf42445", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c35a94f3837517041919b7a8d284d12ebebcaaba2b0d60d04e98eff0dcf42445"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check_import_blocks.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 129020, "scanner": "repobility-threat-engine", "fingerprint": "d8e5e361084698df60c52025511ae98d327d02933e9244d1fbf2d143f2a75984", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, 
"promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d8e5e361084698df60c52025511ae98d327d02933e9244d1fbf2d143f2a75984"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tools/mirror/fork_network.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 129017, "scanner": "repobility-threat-engine", "fingerprint": "c9c0e6b75513a2b78bf6131c96c5066c06e25595b5e3cb6ab1b15795e719e89a", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.info(f'Sending 0 tokens from {account_id} to itself')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|pytest/endtoend/endtoend.py|5|logger.info f sending 0 tokens from account_id to itself"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/endtoend/endtoend.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 11 more): Same pattern found in 11 additional files. 
Review if needed."}, "properties": {"repobilityId": 129016, "scanner": "repobility-threat-engine", "fingerprint": "8d1502acd42cce6119d839e48acbcfd7f61fd37700295976e1fa3a0ac15210ab", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "find_best_voting_hour", "breakdown": {"if": 4, "for": 2, "else": 1, "break": 1, "continue": 1, "nested_bonus": 4}, "aggregated": true, "complexity": 13, "correlation_key": "fp|8d1502acd42cce6119d839e48acbcfd7f61fd37700295976e1fa3a0ac15210ab", "aggregated_count": 11}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 129012, "scanner": "repobility-threat-engine", "fingerprint": "1361ffa9c3e6bba8c756f3d556d7d430ee765c8d57ea666109adf6c3be4e2cb1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1361ffa9c3e6bba8c756f3d556d7d430ee765c8d57ea666109adf6c3be4e2cb1", "aggregated_count": 2}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 129011, "scanner": "repobility-threat-engine", "fingerprint": "59f2faddf7d2899829c7de4e3348378a606eb9504e138a4e6ce538485710abf2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|59f2faddf7d2899829c7de4e3348378a606eb9504e138a4e6ce538485710abf2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tools/prober/prober_util.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 129010, "scanner": "repobility-threat-engine", "fingerprint": "0f5ad225692d0adc55860669a42b2a0a93222be3b79af24fea04111f348dce0d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0f5ad225692d0adc55860669a42b2a0a93222be3b79af24fea04111f348dce0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "debug_scripts/request_chain_info.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 129009, "scanner": "repobility-threat-engine", "fingerprint": "00acdb4ad04a8527379b6a513282b989c55f84b18634fd958d293c638c278118", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|00acdb4ad04a8527379b6a513282b989c55f84b18634fd958d293c638c278118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "debug_scripts/estimate_epoch_start_time.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 129008, "scanner": "repobility-threat-engine", "fingerprint": "130c5045baecd0b9524abd6870aed08fddb81812daa325ac97b261216d6966ee", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|130c5045baecd0b9524abd6870aed08fddb81812daa325ac97b261216d6966ee"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 129004, "scanner": "repobility-threat-engine", "fingerprint": "cd0c8e85bd308a46f755f44bc6ab20955e3c28a1f9d626cb3a3bf09c3b5d92c7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|cd0c8e85bd308a46f755f44bc6ab20955e3c28a1f9d626cb3a3bf09c3b5d92c7", "aggregated_count": 5}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 129003, "scanner": "repobility-threat-engine", "fingerprint": "0a86daea5d7a5309ad3f52be1d95aa6db37a464d004d7bd26716beef130c6069", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, 
"observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0a86daea5d7a5309ad3f52be1d95aa6db37a464d004d7bd26716beef130c6069"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/src/user/rpc_user.rs"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 129002, "scanner": "repobility-threat-engine", "fingerprint": "60362ea14a40dc29042db81cd76b616db49853bdeaffa260cec44b1b89c0f5e4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|60362ea14a40dc29042db81cd76b616db49853bdeaffa260cec44b1b89c0f5e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/src/node/process_node.rs"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 129001, "scanner": "repobility-threat-engine", "fingerprint": "ae9c0863f5cc686458adbbf1c44bd14cbd0a007bab5ce31f07e67683879966b5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": 
"A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ae9c0863f5cc686458adbbf1c44bd14cbd0a007bab5ce31f07e67683879966b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/jsonrpc/res/network_info.js"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 129000, "scanner": "repobility-threat-engine", "fingerprint": "6f29a49537bea627ab6a257fe5e36f59f1b6024722ac97214fa811a5ef73ad6c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6f29a49537bea627ab6a257fe5e36f59f1b6024722ac97214fa811a5ef73ad6c", "aggregated_count": 4}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 128999, "scanner": "repobility-threat-engine", "fingerprint": "d81fdde24553d994a9fe2f246f2918acb668d869eb09161acf93ebeb7d653ba6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d81fdde24553d994a9fe2f246f2918acb668d869eb09161acf93ebeb7d653ba6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/debug-ui/src/EpochShardsView.tsx"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 128998, "scanner": "repobility-threat-engine", "fingerprint": "82a8ec52c78f5d469f5fcf7368ea8866b0d99d24c2c947dc45b4799298dbfbe3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|82a8ec52c78f5d469f5fcf7368ea8866b0d99d24c2c947dc45b4799298dbfbe3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/debug-ui/src/ActorsView.tsx"}, "region": {"startLine": 252}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 128997, "scanner": 
"repobility-threat-engine", "fingerprint": "3285c6321101c029c551c5921844ddaf0e9b6f5bd2e5670de97ecd4c7cd802b3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3285c6321101c029c551c5921844ddaf0e9b6f5bd2e5670de97ecd4c7cd802b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/jsonrpc/res/congestion_control.js"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 128996, "scanner": "repobility-threat-engine", "fingerprint": "821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756"}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block (and 32 more): Same pattern found in 32 additional files. Review if needed."}, "properties": {"repobilityId": 128992, "scanner": "repobility-threat-engine", "fingerprint": "c7b5321c9958cfa20c3d01f90af153d0caae1dada32e62cf00ae976f9a1b0f83", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 32 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c7b5321c9958cfa20c3d01f90af153d0caae1dada32e62cf00ae976f9a1b0f83", "aggregated_count": 32}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Inside it the compiler does not enforce all of its memory-safety guarantees, so the code must uphold them itself."}, "properties": {"repobilityId": 128991, "scanner": "repobility-threat-engine", "fingerprint": "a2c94e40ccb8268f0f211ba34f54e8bd0ff7524126931c488cfbb9c76fbf263e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a2c94e40ccb8268f0f211ba34f54e8bd0ff7524126931c488cfbb9c76fbf263e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/o11y/benches/metrics.rs"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Inside it the compiler does not enforce all of its memory-safety guarantees, so the code must uphold them itself."}, "properties": {"repobilityId": 128990, "scanner": "repobility-threat-engine", "fingerprint": "eb3d93685f56f62703d5f2ff30fd87688726c9cf7e80b70db7892071d343910a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eb3d93685f56f62703d5f2ff30fd87688726c9cf7e80b70db7892071d343910a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/crypto/src/key_conversion.rs"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Inside it the compiler does not enforce all of its memory-safety guarantees, so the code must uphold them itself."}, "properties": {"repobilityId": 128989, "scanner": "repobility-threat-engine", "fingerprint": "7b4f488bf0493c6550a8dd991b1e3a818f9aadff0dbcc4b85ccc68778ea565bb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7b4f488bf0493c6550a8dd991b1e3a818f9aadff0dbcc4b85ccc68778ea565bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/jsonrpc-primitives/src/errors.rs"}, "region": {"startLine": 164}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 128988, "scanner": "repobility-threat-engine", "fingerprint": "719f16a1467677730b367baa2144dabfe702dd229dc13e6f3e8747ec0afa970d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|719f16a1467677730b367baa2144dabfe702dd229dc13e6f3e8747ec0afa970d"}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 67 more): Same pattern found in 67 additional files. Review if needed."}, "properties": {"repobilityId": 128984, "scanner": "repobility-threat-engine", "fingerprint": "a6afd74376d3cf2bbd12f4dd322785bd42ea1cd4556db1c8e11e227c2f472479", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 67 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a6afd74376d3cf2bbd12f4dd322785bd42ea1cd4556db1c8e11e227c2f472479", "aggregated_count": 67}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 128983, "scanner": "repobility-threat-engine", "fingerprint": "8cb7264765c5fa65aeeb002a9590e58722bdb78ba18cd09b0d36dc5f365e50d5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8cb7264765c5fa65aeeb002a9590e58722bdb78ba18cd09b0d36dc5f365e50d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/chain/src/pending_shard_jobs.rs"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 128982, "scanner": "repobility-threat-engine", "fingerprint": "94e302c6f0154b93b481368c427902c4177c562df509c9ca302fa429270bcd5a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|94e302c6f0154b93b481368c427902c4177c562df509c9ca302fa429270bcd5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/chain/src/flat_storage_init.rs"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 128981, "scanner": "repobility-threat-engine", "fingerprint": "cc21daade50577774305ae4406b447418547c4cdab7dd803fcea3b28b640dc2a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cc21daade50577774305ae4406b447418547c4cdab7dd803fcea3b28b640dc2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/synth-bm/src/rpc.rs"}, "region": {"startLine": 239}}}]}, {"ruleId": "MINED041", "level": "none", "message": {"text": "[MINED041] Rust Unimplemented Macro (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 128980, "scanner": "repobility-threat-engine", "fingerprint": "f52bef8e9466c10dd0b35f5b6834010088fccb2d9ec4c5c860d60ad81ecbf6c9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f52bef8e9466c10dd0b35f5b6834010088fccb2d9ec4c5c860d60ad81ecbf6c9", "aggregated_count": 7}}}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 298 more): Same pattern found in 298 additional files. Review if needed."}, "properties": {"repobilityId": 128976, "scanner": "repobility-threat-engine", "fingerprint": "40fbad70a4ebddb2e20bf0f932fa95e4b8fe4a60f4d92de3c3ac12575ce79ec5", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 298 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|40fbad70a4ebddb2e20bf0f932fa95e4b8fe4a60f4d92de3c3ac12575ce79ec5", "aggregated_count": 298}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 85 more): Same pattern found in 85 additional files. 
Review if needed."}, "properties": {"repobilityId": 128972, "scanner": "repobility-threat-engine", "fingerprint": "2cee5dafdb1f1ec91e33705939a7a353dc3f53124e95d7c86896f3202d97b513", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 85 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2cee5dafdb1f1ec91e33705939a7a353dc3f53124e95d7c86896f3202d97b513", "aggregated_count": 85}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics the same way as unwrap, but with a custom message."}, "properties": {"repobilityId": 128971, "scanner": "repobility-threat-engine", "fingerprint": "1a2bd1a8417315f9fccf85e83e3575d30438a4ced54bcfbdd0d4ac155dde6530", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1a2bd1a8417315f9fccf85e83e3575d30438a4ced54bcfbdd0d4ac155dde6530"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/synth-bm/src/block_service.rs"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics the same way as unwrap, but with a custom message."}, "properties": {"repobilityId": 128970, "scanner": "repobility-threat-engine", "fingerprint": "5037b167096ce39f6d90a5fd69691e55197e65fd84e30a1d9376044d645e8943", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5037b167096ce39f6d90a5fd69691e55197e65fd84e30a1d9376044d645e8943"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/synth-bm/src/account.rs"}, "region": {"startLine": 169}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics the same way as unwrap, but with a custom message."}, "properties": {"repobilityId": 128969, "scanner": "repobility-threat-engine", "fingerprint": "4d5e8a40d3e923b6eef1e3a2fbf25cc734bb26e872a57f00979e5dee50885279", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4d5e8a40d3e923b6eef1e3a2fbf25cc734bb26e872a57f00979e5dee50885279"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/continuous/db/tool/orm/src/lib.rs"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `runtime/runtime-params-estimator/emu-cost/counter_plugin/libcounter.so` committed in source repo: `runtime/runtime-params-estimator/emu-cost/counter_plugin/libcounter.so` is a .so binary (16,536 bytes) committed to a repo that otherwise has 1590 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 129231, "scanner": "repobility-supply-chain", "fingerprint": "1e5bc49e435df5320732368b4bc141336a3bc148b038abd8d15e5bc70330874d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e5bc49e435df5320732368b4bc141336a3bc148b038abd8d15e5bc70330874d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/runtime-params-estimator/emu-cost/counter_plugin/libcounter.so"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and let Dependabot or Renovate keep the pinned SHA up to date."}, "properties": {"repobilityId": 129229, "scanner": "repobility-supply-chain", "fingerprint": "a6d99ac4ade93ce031c6a740c83718e10923153624ad2c344548af1c961f673c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a6d99ac4ade93ce031c6a740c83718e10923153624ad2c344548af1c961f673c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/neard_custom_binary.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `aws-actions/configure-aws-credentials` pinned to mutable ref `@v4`: `uses: aws-actions/configure-aws-credentials@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129228, "scanner": "repobility-supply-chain", "fingerprint": "d24f18350e0243456b1a07c342ffe8c661b1d9665d401e215c954f110fa6439c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d24f18350e0243456b1a07c342ffe8c661b1d9665d401e215c954f110fa6439c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/neard_custom_binary.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peaceiris/actions-gh-pages` pinned to mutable ref `@v3`: `uses: peaceiris/actions-gh-pages@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129227, "scanner": "repobility-supply-chain", "fingerprint": "b620d525c951cf5ae42bc889034b6f766bacba66b03856d072885af1108f94cf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b620d525c951cf5ae42bc889034b6f766bacba66b03856d072885af1108f94cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/book.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129226, "scanner": "repobility-supply-chain", "fingerprint": "b2a93fa1df8e641609a6ca7bc6465b105e6b15dc5cb0b198ba002951faf036f4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b2a93fa1df8e641609a6ca7bc6465b105e6b15dc5cb0b198ba002951faf036f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/book.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129225, "scanner": "repobility-supply-chain", "fingerprint": "982580214acc38cde08cf5de0785d3822a3725ba235b5c7d65b70e95c6d1d283", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|982580214acc38cde08cf5de0785d3822a3725ba235b5c7d65b70e95c6d1d283"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/book.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v2`: `uses: actions/checkout@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129224, "scanner": "repobility-supply-chain", "fingerprint": "50e78c6a17171dcdf15e4ca5f31693097c2b85788ad2c8bd3f26d4add47a54b2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|50e78c6a17171dcdf15e4ca5f31693097c2b85788ad2c8bd3f26d4add47a54b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/book.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129223, "scanner": "repobility-supply-chain", "fingerprint": "fea4d052478606f4c1eeda4467c14b59983bb41964a1baa0866430781747eeff", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fea4d052478606f4c1eeda4467c14b59983bb41964a1baa0866430781747eeff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nayduck_ci_dev.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129222, "scanner": "repobility-supply-chain", "fingerprint": "2841f3ef7663d7393c0b733d8ec5218be7c36731422baef53cea0e0af5ea0406", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2841f3ef7663d7393c0b733d8ec5218be7c36731422baef53cea0e0af5ea0406"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/mac_m1_binary.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129221, "scanner": "repobility-supply-chain", "fingerprint": "983466e68f209b6cc67802f3c6b1a865cd0b6301be049bcd4c6b928f454b9ff0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|983466e68f209b6cc67802f3c6b1a865cd0b6301be049bcd4c6b928f454b9ff0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/mac_m1_binary.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `aws-actions/configure-aws-credentials` pinned to mutable ref `@v4`: `uses: aws-actions/configure-aws-credentials@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129220, "scanner": "repobility-supply-chain", "fingerprint": "45371f1733c9be32f358a31ae4b8390973ee9dee077db4b677fb800ed7048044", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|45371f1733c9be32f358a31ae4b8390973ee9dee077db4b677fb800ed7048044"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/mac_m1_binary.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129219, "scanner": "repobility-supply-chain", "fingerprint": "eb0e3e282743f26af6bb1fbfa88f131073434e8ea8d1cb63c7e74bdb7a464cad", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eb0e3e282743f26af6bb1fbfa88f131073434e8ea8d1cb63c7e74bdb7a464cad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/neard_nightly_binary.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `aws-actions/configure-aws-credentials` pinned to mutable ref `@v4`: `uses: aws-actions/configure-aws-credentials@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129218, "scanner": "repobility-supply-chain", "fingerprint": "38cb8d7e32a2747b6acf79b9b26d80e9d3c555107a515d81fa91414693c04129", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|38cb8d7e32a2747b6acf79b9b26d80e9d3c555107a515d81fa91414693c04129"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/neard_nightly_binary.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129217, "scanner": "repobility-supply-chain", "fingerprint": "b7b4e8338b405a340f2aa61591be1ec9df3f892696e8386baacbfb3cda1a9322", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b7b4e8338b405a340f2aa61591be1ec9df3f892696e8386baacbfb3cda1a9322"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/master_fuzzer_binaries.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129216, "scanner": "repobility-supply-chain", "fingerprint": "80e6dcefe385479a314185f6ddda2ef1c9b95db3036bebd847a72441385227b5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|80e6dcefe385479a314185f6ddda2ef1c9b95db3036bebd847a72441385227b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/neard_assertion_binary.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129215, "scanner": "repobility-supply-chain", "fingerprint": "6578c6b54603da07b1925d992c9ec036d104cafbc12d488e5e98481ff56fb9af", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6578c6b54603da07b1925d992c9ec036d104cafbc12d488e5e98481ff56fb9af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/neard_assertion_binary.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `aws-actions/configure-aws-credentials` pinned to mutable ref `@v4`: `uses: aws-actions/configure-aws-credentials@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129214, "scanner": "repobility-supply-chain", "fingerprint": "3c1f13f86e9e5c77178788b75dd4208d74c9627f6ab6ee8a5475225d9f8419e9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3c1f13f86e9e5c77178788b75dd4208d74c9627f6ab6ee8a5475225d9f8419e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/neard_assertion_binary.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129213, "scanner": "repobility-supply-chain", "fingerprint": "c58fe87e7d5e4af6de6ae279276ecdc1a78e4518e168d6c97c079cdcc963165e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c58fe87e7d5e4af6de6ae279276ecdc1a78e4518e168d6c97c079cdcc963165e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/neard_release.yml"}, "region": {"startLine": 257}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129212, "scanner": "repobility-supply-chain", "fingerprint": "16db333eb8660cad8db39bab64d693d8a762e044082034bc77d0f196daed1f22", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|16db333eb8660cad8db39bab64d693d8a762e044082034bc77d0f196daed1f22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/neard_release.yml"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129211, "scanner": "repobility-supply-chain", "fingerprint": "b9422782c81d3325f5057d88ebd23ca28d8dbb99d930758fe5e19a3dc0fbc5bc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b9422782c81d3325f5057d88ebd23ca28d8dbb99d930758fe5e19a3dc0fbc5bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/neard_release.yml"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Warpbuilds/build-push-action` pinned to mutable ref `@v6`: `uses: Warpbuilds/build-push-action@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129210, "scanner": "repobility-supply-chain", "fingerprint": "414040755709891e5ec3e5b1b6126743c7c4231319c76a1fead82fa99a0d60a5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|414040755709891e5ec3e5b1b6126743c7c4231319c76a1fead82fa99a0d60a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/neard_release.yml"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129209, "scanner": "repobility-supply-chain", "fingerprint": "5ffdb208758c7250eee4cc7343f939010629fdfd4ecc92807cc0c5da6bf4cdea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5ffdb208758c7250eee4cc7343f939010629fdfd4ecc92807cc0c5da6bf4cdea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/neard_release.yml"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129208, "scanner": "repobility-supply-chain", "fingerprint": "1903d8ba3cc4246cfe3b1e2da9e592d83cb78ab58ad34eaa734d713c6626e335", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1903d8ba3cc4246cfe3b1e2da9e592d83cb78ab58ad34eaa734d713c6626e335"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/neard_release.yml"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `aws-actions/configure-aws-credentials` pinned to mutable ref `@v4`: `uses: aws-actions/configure-aws-credentials@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129207, "scanner": "repobility-supply-chain", "fingerprint": "b79006c3e2f6c2ab26b0e51c379981f8da0e23d4815d6ec6cb3d4e715234c6c6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b79006c3e2f6c2ab26b0e51c379981f8da0e23d4815d6ec6cb3d4e715234c6c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/neard_release.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129206, "scanner": "repobility-supply-chain", "fingerprint": "0efd9dffa1bea5496241e3582635798d5f2ab51a779de83ab6b9aab78052715d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0efd9dffa1bea5496241e3582635798d5f2ab51a779de83ab6b9aab78052715d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/neard_release.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 129205, "scanner": "repobility-supply-chain", "fingerprint": "fa5283587cc716d58da1d8171bf8f7bb2e41e79c489c40669734ec4ec24c465f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fa5283587cc716d58da1d8171bf8f7bb2e41e79c489c40669734ec4ec24c465f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/neard_release.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `nginx:1.25.4-alpine` not pinned by digest: `FROM nginx:1.25.4-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 129204, "scanner": "repobility-supply-chain", "fingerprint": "e8c65528c21c33bb6f3950dcbbe277e492e5c2fad89403a27ce4f5c3a8cada4c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e8c65528c21c33bb6f3950dcbbe277e492e5c2fad89403a27ce4f5c3a8cada4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/debug-ui/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:19-alpine` not pinned by digest: `FROM node:19-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 129203, "scanner": "repobility-supply-chain", "fingerprint": "a07861632c5db8f1c2ff81a37c350f6a1bad50c3806a8f17caecbf1d35077e43", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a07861632c5db8f1c2ff81a37c350f6a1bad50c3806a8f17caecbf1d35077e43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/debug-ui/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `docker.io/rust:1.86.0` not pinned by digest: `FROM docker.io/rust:1.86.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 129202, "scanner": "repobility-supply-chain", "fingerprint": "566bfbc75d048b8dd5e46023541bf2237dc4ff01e114389791cd7c59e204987f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|566bfbc75d048b8dd5e46023541bf2237dc4ff01e114389791cd7c59e204987f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/runtime-params-estimator/emu-cost/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD https://s3-us-west-1.amazonaws.com/build.nearprotocol.com/nearcore/Linux-aarch64/${VERSION}/near-sandbox.tar.gz`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised between builds \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image. Verify the download against a known SHA-256 digest, for example with `ADD --checksum=sha256:<digest> <url>`, so the build fails if the artifact changes."}, "properties": {"repobilityId": 129198, "scanner": "repobility-supply-chain", "fingerprint": "01b2fe5b26e35178992ec7688c6f32d95e98656403c75bba9113b630b345283d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|01b2fe5b26e35178992ec7688c6f32d95e98656403c75bba9113b630b345283d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sandbox/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD https://s3-us-west-1.amazonaws.com/build.nearprotocol.com/nearcore/Linux-x86_64/${VERSION}/near-sandbox.tar.gz`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised between builds \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image. Verify the download against a known SHA-256 digest, for example with `ADD --checksum=sha256:<digest> <url>`, so the build fails if the artifact changes."}, "properties": {"repobilityId": 129197, "scanner": "repobility-supply-chain", "fingerprint": "1209ec6ae8afa015805682af88aaeba11d2148a26cb8831eb06a6037a7e29e48", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1209ec6ae8afa015805682af88aaeba11d2148a26cb8831eb06a6037a7e29e48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sandbox/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 129196, "scanner": "repobility-supply-chain", "fingerprint": "875872cf1bca6870df32a58e83096e12828d9b124a6b636219bdfda9b6547c25", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|875872cf1bca6870df32a58e83096e12828d9b124a6b636219bdfda9b6547c25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sandbox/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 129195, "scanner": "repobility-supply-chain", "fingerprint": "9666d370e7513823ef743b2bbc780de7727d0766217f87b6d69fea35f80ea14b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9666d370e7513823ef743b2bbc780de7727d0766217f87b6d69fea35f80ea14b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/sandbox/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 129194, "scanner": "repobility-supply-chain", "fingerprint": "37dadcc460aa218e5bdf2cdf5f1498038cbdd9cede535d679c078915150918d1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|37dadcc460aa218e5bdf2cdf5f1498038cbdd9cede535d679c078915150918d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:bullseye-slim` not pinned by digest: `FROM debian:bullseye-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 129171, "scanner": "repobility-supply-chain", "fingerprint": "bf0d0f84777e5ad8f5ca0a73ad4272abdab6eea13cc3ab43cb02b44c514eb2f4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf0d0f84777e5ad8f5ca0a73ad4272abdab6eea13cc3ab43cb02b44c514eb2f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tracing/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `rust:1.86.0-bullseye` not pinned by digest: `FROM rust:1.86.0-bullseye` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 129170, "scanner": "repobility-supply-chain", "fingerprint": "00df7f1425da82f745b02a63fc1b3b5f6986707d28590e6c816bf78956a65202", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|00df7f1425da82f745b02a63fc1b3b5f6986707d28590e6c816bf78956a65202"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tracing/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `gitpod/workspace-full (no tag)` not pinned by digest: `FROM gitpod/workspace-full` has no tag, so it resolves to the default `latest` tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 129169, "scanner": "repobility-supply-chain", "fingerprint": "be0292132c916b2ea4ace99f8b95f4d927c4f68501dec9bfdf6daa5db0c1f1fa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be0292132c916b2ea4ace99f8b95f4d927c4f68501dec9bfdf6daa5db0c1f1fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".gitpod.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 129168, "scanner": "repobility-supply-chain", "fingerprint": "b4998de2f9ad523ccb56325ea5d100f2b589b06ac1f60156e6017f26c7224665", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4998de2f9ad523ccb56325ea5d100f2b589b06ac1f60156e6017f26c7224665"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 129167, "scanner": "repobility-supply-chain", "fingerprint": "a1e8205cd239b55b8793acf0325128374c9dddc0ceea65e679e0ebd996c0a16f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a1e8205cd239b55b8793acf0325128374c9dddc0ceea65e679e0ebd996c0a16f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_deploy_global_contract: Test function `test_deploy_global_contract` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 129163, "scanner": "repobility-ast-engine", "fingerprint": "7def453bab532d840d2e55920c6c82dbd91cfb5a59312d5c4aab6de153b3e901", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7def453bab532d840d2e55920c6c82dbd91cfb5a59312d5c4aab6de153b3e901"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tests/contracts/deploy_call_global_smart_contract.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_block_hash_latest: Test function `test_block_hash_latest` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 129159, "scanner": "repobility-ast-engine", "fingerprint": "9f4b81315fdfddf26efc52b8bdc07388d72e600a6f63d26fdf79621eba8e0fd2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9f4b81315fdfddf26efc52b8bdc07388d72e600a6f63d26fdf79621eba8e0fd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tests/sanity/rpc_hash.py"}, "region": {"startLine": 315}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_fungible_token_transfer: Test function `test_fungible_token_transfer` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 129158, "scanner": "repobility-ast-engine", "fingerprint": "4c81ac477633a2c5a7fcd0dbceebb8463f8419aa24ee450b079be3035a2c5e92", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4c81ac477633a2c5a7fcd0dbceebb8463f8419aa24ee450b079be3035a2c5e92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tests/sanity/rosetta.py"}, "region": {"startLine": 656}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_custom: Test function `test_custom` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 129152, "scanner": "repobility-ast-engine", "fingerprint": "9127164f79b2ad797453067ced5ed8bd4e9660282d2744ba161b2d0c109a2565", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9127164f79b2ad797453067ced5ed8bd4e9660282d2744ba161b2d0c109a2565"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tests/sanity/simple.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_simple: Test function `test_simple` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 129151, "scanner": "repobility-ast-engine", "fingerprint": "7f0d1bbbab5196bab34ec6fa3531a72e7c8c5bd46846fe963ee33a58a79f5363", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7f0d1bbbab5196bab34ec6fa3531a72e7c8c5bd46846fe963ee33a58a79f5363"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tests/sanity/simple.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_changes_with_new_account_with_access_key: Test function `test_changes_with_new_account_with_access_key` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 129150, "scanner": "repobility-ast-engine", "fingerprint": "a3d4f3799a8182160ebc7de99d8c1d492f5f8fe3010df946504f3a49be9880e9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a3d4f3799a8182160ebc7de99d8c1d492f5f8fe3010df946504f3a49be9880e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tests/sanity/rpc_state_changes.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.deserialize_struct` used but never assigned in __init__: Method `deserialize_field` of class `BinarySerializer` reads `self.deserialize_struct`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129146, "scanner": "repobility-ast-engine", "fingerprint": "9a8261d69f8d4327b86efcbe15374c2e3dc9c60f81b6600ddcc63abe410a58b2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9a8261d69f8d4327b86efcbe15374c2e3dc9c60f81b6600ddcc63abe410a58b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.deserialize_field` used but never assigned in __init__: Method `deserialize_field` of class `BinarySerializer` reads `self.deserialize_field`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129145, "scanner": "repobility-ast-engine", "fingerprint": "116878b6675a5c923673d0a5f3c8c4e5c9b510d47a5ccdf513dbfd338cd822cf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|116878b6675a5c923673d0a5f3c8c4e5c9b510d47a5ccdf513dbfd338cd822cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.deserialize_num` used but never assigned in __init__: Method `deserialize_field` of class `BinarySerializer` reads `self.deserialize_num`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129144, "scanner": "repobility-ast-engine", "fingerprint": "707c0c358a863d957c6bba83e88b2d31dcc8eecf134f274e788c9c92b9bddf62", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|707c0c358a863d957c6bba83e88b2d31dcc8eecf134f274e788c9c92b9bddf62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.deserialize_field` used but never assigned in __init__: Method `deserialize_field` of class `BinarySerializer` reads `self.deserialize_field`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129143, "scanner": "repobility-ast-engine", "fingerprint": "5c2adbdf1f96811eea32fc7613262c571c5d1fb8014ef3b389bbe6b660fef0c3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5c2adbdf1f96811eea32fc7613262c571c5d1fb8014ef3b389bbe6b660fef0c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.read_bytes` used but never assigned in __init__: Method `deserialize_field` of class `BinarySerializer` reads `self.read_bytes`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129142, "scanner": "repobility-ast-engine", "fingerprint": "ea61fc6d50ea41ea9e6587a37521aa8b82a259e2726b3651c06873e6f236056e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ea61fc6d50ea41ea9e6587a37521aa8b82a259e2726b3651c06873e6f236056e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.deserialize_num` used but never assigned in __init__: Method `deserialize_field` of class `BinarySerializer` reads `self.deserialize_num`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129141, "scanner": "repobility-ast-engine", "fingerprint": "7773afea226d547f0df9f15499bedf94ff6c138fd734930b969efb2579c94242", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7773afea226d547f0df9f15499bedf94ff6c138fd734930b969efb2579c94242"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.deserialize_num` used but never assigned in __init__: Method `deserialize_field` of class `BinarySerializer` reads `self.deserialize_num`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129140, "scanner": "repobility-ast-engine", "fingerprint": "d71fb0ce43abad1884be69536e77da75880c2fb8c38a7baedf623eba1e112fcd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d71fb0ce43abad1884be69536e77da75880c2fb8c38a7baedf623eba1e112fcd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.deserialize_num` used but never assigned in __init__: Method `deserialize_field` of class `BinarySerializer` reads `self.deserialize_num`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129139, "scanner": "repobility-ast-engine", "fingerprint": "f85106544c05a3e67d69d27dc51f75e6489715881214e0115e52fac7cd82a131", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f85106544c05a3e67d69d27dc51f75e6489715881214e0115e52fac7cd82a131"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.deserialize_field` used but never assigned in __init__: Method `deserialize_field` of class `BinarySerializer` reads `self.deserialize_field`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129138, "scanner": "repobility-ast-engine", "fingerprint": "1b3dc43ecbf1e717f5d4ce2dcc8fbebf4cc603ff6014e05a05d5e034abcf646d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1b3dc43ecbf1e717f5d4ce2dcc8fbebf4cc603ff6014e05a05d5e034abcf646d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.deserialize_num` used but never assigned in __init__: Method `deserialize_field` of class `BinarySerializer` reads `self.deserialize_num`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129137, "scanner": "repobility-ast-engine", "fingerprint": "324d4feb841d522839bccddc2223d0121febf6d658799889ebdf511a834b8d11", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|324d4feb841d522839bccddc2223d0121febf6d658799889ebdf511a834b8d11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.serialize_struct` used but never assigned in __init__: Method `serialize_field` of class `BinarySerializer` reads `self.serialize_struct`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129136, "scanner": "repobility-ast-engine", "fingerprint": "6cb04b23813e436e408892c54402a6928c3980496d28069b9ebffefa44000157", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6cb04b23813e436e408892c54402a6928c3980496d28069b9ebffefa44000157"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.serialize_field` used but never assigned in __init__: Method `serialize_field` of class `BinarySerializer` reads `self.serialize_field`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129135, "scanner": "repobility-ast-engine", "fingerprint": "19da6318dbb7e9c0bf7d9b20d0b99bf37ff74fbb8dec422cac6ef9b494c60240", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|19da6318dbb7e9c0bf7d9b20d0b99bf37ff74fbb8dec422cac6ef9b494c60240"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.serialize_num` used but never assigned in __init__: Method `serialize_field` of class `BinarySerializer` reads `self.serialize_num`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129134, "scanner": "repobility-ast-engine", "fingerprint": "ffb8dea34d65b1c9924c7e71d162d95ee6af80d1b44c5357a1c010f37a036329", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ffb8dea34d65b1c9924c7e71d162d95ee6af80d1b44c5357a1c010f37a036329"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.serialize_num` used but never assigned in __init__: Method `serialize_field` of class `BinarySerializer` reads `self.serialize_num`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129133, "scanner": "repobility-ast-engine", "fingerprint": "754779e6b5d0866ec7e77baec32aab6a696826d077df6e4f6775357ec47f79ec", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|754779e6b5d0866ec7e77baec32aab6a696826d077df6e4f6775357ec47f79ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.serialize_field` used but never assigned in __init__: Method `serialize_field` of class `BinarySerializer` reads `self.serialize_field`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129132, "scanner": "repobility-ast-engine", "fingerprint": "0ebce918dfc3d9c63651468ce4652678b531ccdd9e04367da050a6a63b27d124", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0ebce918dfc3d9c63651468ce4652678b531ccdd9e04367da050a6a63b27d124"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.serialize_num` used but never assigned in __init__: Method `serialize_field` of class `BinarySerializer` reads `self.serialize_num`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129131, "scanner": "repobility-ast-engine", "fingerprint": "c21f01f5f9bf43a98cddb5d0bca8f4da56035c780b5e997531de9be01a2f684c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c21f01f5f9bf43a98cddb5d0bca8f4da56035c780b5e997531de9be01a2f684c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.serialize_num` used but never assigned in __init__: Method `serialize_field` of class `BinarySerializer` reads `self.serialize_num`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129130, "scanner": "repobility-ast-engine", "fingerprint": "a9da46481fc85af5e1015cc40b7215d8ce92bff1ac53722a9de60a30edd94345", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a9da46481fc85af5e1015cc40b7215d8ce92bff1ac53722a9de60a30edd94345"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.serialize_num` used but never assigned in __init__: Method `serialize_field` of class `BinarySerializer` reads `self.serialize_num`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129129, "scanner": "repobility-ast-engine", "fingerprint": "9990268d76308813ceaf64b153ece621c66881ed28390e7b765df84367bc3e8a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9990268d76308813ceaf64b153ece621c66881ed28390e7b765df84367bc3e8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.serialize_num` used but never assigned in __init__: Method `serialize_field` of class `BinarySerializer` reads `self.serialize_num`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129128, "scanner": "repobility-ast-engine", "fingerprint": "a2f0bef619fcbd3e1bd34c81b2543029eae506a0800b9d1dda24a35316fb8590", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a2f0bef619fcbd3e1bd34c81b2543029eae506a0800b9d1dda24a35316fb8590"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.serialize_field` used but never assigned in __init__: Method `serialize_field` of class `BinarySerializer` reads `self.serialize_field`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129127, "scanner": "repobility-ast-engine", "fingerprint": "7c7a402b82806e5ba8f3afb10fa86587a07376c9d7c344959f847e024a0e24fe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7c7a402b82806e5ba8f3afb10fa86587a07376c9d7c344959f847e024a0e24fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.read_bytes` used but never assigned in __init__: Method `deserialize_num` of class `BinarySerializer` reads `self.read_bytes`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129126, "scanner": "repobility-ast-engine", "fingerprint": "512ece74799238ccedc06e5465556487b9d6e6621b412f8b0d1786ca97cce000", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|512ece74799238ccedc06e5465556487b9d6e6621b412f8b0d1786ca97cce000"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.offset` used but never assigned in __init__: Method `read_bytes` of class `BinarySerializer` reads `self.offset`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129125, "scanner": "repobility-ast-engine", "fingerprint": "7571d2bfb0326eae99ae88a9f6cbc7d127e0d90b46adba278cdfaf4f8260af7a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7571d2bfb0326eae99ae88a9f6cbc7d127e0d90b46adba278cdfaf4f8260af7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.offset` used but never assigned in __init__: Method `read_bytes` of class `BinarySerializer` reads `self.offset`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129124, "scanner": "repobility-ast-engine", "fingerprint": "cd99682bf6d0d78616f8eb8566b59c37d7c52591318cd41c2f85665a0612d527", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cd99682bf6d0d78616f8eb8566b59c37d7c52591318cd41c2f85665a0612d527"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.offset` used but never assigned in __init__: Method `read_bytes` of class `BinarySerializer` reads `self.offset`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129123, "scanner": "repobility-ast-engine", "fingerprint": "5cde614d16c23f51486c3afdcacf47c23a9a0668230434af98c5b76c9a8773df", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5cde614d16c23f51486c3afdcacf47c23a9a0668230434af98c5b76c9a8773df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.offset` used but never assigned in __init__: Method `read_bytes` of class `BinarySerializer` reads `self.offset`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 129122, "scanner": "repobility-ast-engine", "fingerprint": "dfc75006d70cd7c6770b50ecc4a873c32bbc16470ecdbc282c3eda648a1f9827", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dfc75006d70cd7c6770b50ecc4a873c32bbc16470ecdbc282c3eda648a1f9827"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/lib/serializer.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /debug/api/epoch_info_light/{epoch_id}."}, "properties": {"repobilityId": 129118, "scanner": "repobility-access-control", "fingerprint": "a80afbc39eead22e4ca1ebfc7e1ef371d27279adf9ebedfd9232399ba7d6a696", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/debug/api/epoch_info_light/{epoch_id}", "method": "ANY", "scanner": "repobility-access-control", "framework": "Axum", "correlation_key": "code|auth|chain/jsonrpc/src/lib.rs|3029|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/jsonrpc/src/lib.rs"}, "region": {"startLine": 3029}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /debug/api/epoch_info/{epoch_id}."}, "properties": {"repobilityId": 129117, "scanner": "repobility-access-control", "fingerprint": "36cca245aab403de0e9b43734f535a6d38a543c0e67e9ff9908d262863bda948", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/debug/api/epoch_info/{epoch_id}", "method": "ANY", "scanner": "repobility-access-control", "framework": "Axum", "correlation_key": "code|auth|chain/jsonrpc/src/lib.rs|3028|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/jsonrpc/src/lib.rs"}, "region": {"startLine": 3028}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 129109, "scanner": "repobility-docker", "fingerprint": "2fd8f6799b1d9f9ef5a3cac8a1ac07947baaaa9c37ae1db24bbe5a492084605e", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mongo-express", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|2fd8f6799b1d9f9ef5a3cac8a1ac07947baaaa9c37ae1db24bbe5a492084605e", "expected_targets": ["/data/configdb", "/data/db"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tracing/docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 129108, "scanner": "repobility-docker", "fingerprint": "409fe33bbbdb1b9950a1ab27de366680baa8a45a5ef3dfc9b0b0a31dec6b1e3b", "category": "docker", "severity": 
"high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "${MONGO_EXPRESS_PORT:-8081}:8081", "target": "8081", "host_ip": "${MONGO_EXPRESS_PORT", "published": "-8081}"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mongo-express", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|409fe33bbbdb1b9950a1ab27de366680baa8a45a5ef3dfc9b0b0a31dec6b1e3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tracing/docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 129106, "scanner": "repobility-docker", "fingerprint": "344c45b2c2dd4930dabbb3284b03e4e0b3df8151417c0dfba5e59e5e02e1f3e7", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mongo", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|344c45b2c2dd4930dabbb3284b03e4e0b3df8151417c0dfba5e59e5e02e1f3e7", "expected_targets": ["/data/configdb", "/data/db"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tracing/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 129105, "scanner": "repobility-docker", "fingerprint": "336746e46ce7a6587f702f8d0574f62e9e87c1bbe2ae2302e9f72fc436f7a762", "category": "docker", 
"severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "27017:27017", "target": "27017", "host_ip": "", "published": "27017"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mongo", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|336746e46ce7a6587f702f8d0574f62e9e87c1bbe2ae2302e9f72fc436f7a762"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tracing/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 129092, "scanner": "repobility-docker", "fingerprint": "35438185eae7b093c8a83d7b3931cbb68dc04ff8fe103a5e7748045ca11cd79d", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|35438185eae7b093c8a83d7b3931cbb68dc04ff8fe103a5e7748045ca11cd79d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 129088, "scanner": "repobility-docker", "fingerprint": "0b4326fb25079dde0da4dd3130aa42b43aa1ffd19a378f006786475fca14aeb5", "category": "docker", "severity": 
"high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0b4326fb25079dde0da4dd3130aa42b43aa1ffd19a378f006786475fca14aeb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 121}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 129087, "scanner": "repobility-docker", "fingerprint": "d31a30cc688e53ab79d917a06a788a9b6dc7f49fd5eace2139d10f0ba154fec2", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d31a30cc688e53ab79d917a06a788a9b6dc7f49fd5eace2139d10f0ba154fec2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 106}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 129049, "scanner": "repobility-threat-engine", "fingerprint": "3a641f5663eac5e40595cf14e84103bed5209332e7851463356b8fe2016f1a61", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(afterFirstParens", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3a641f5663eac5e40595cf14e84103bed5209332e7851463356b8fe2016f1a61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/debug-ui/src/log_visualizer/events.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED034", "level": "error", "message": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "properties": {"repobilityId": 129035, "scanner": "repobility-threat-engine", "fingerprint": "f72c6205391b0ac4017f0c7e081738ce14cee2c8e2795c44d7b96c7bc3160899", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-subprocess-shell-true", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347977+00:00", "triaged_in_corpus": 15, "observations_count": 3478, "ai_coder_pattern_id": 118}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f72c6205391b0ac4017f0c7e081738ce14cee2c8e2795c44d7b96c7bc3160899"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/run-ft-benchmark.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED034", "level": "error", "message": {"text": "[MINED034] Python 
Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "properties": {"repobilityId": 129034, "scanner": "repobility-threat-engine", "fingerprint": "e4195aa5edc2c943a846a6892e17fb26f681177bdd6b3b0ef25cd0973925efd0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-subprocess-shell-true", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347977+00:00", "triaged_in_corpus": 15, "observations_count": 3478, "ai_coder_pattern_id": 118}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e4195aa5edc2c943a846a6892e17fb26f681177bdd6b3b0ef25cd0973925efd0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/remote_diff/utils.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED034", "level": "error", "message": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "properties": {"repobilityId": 129033, "scanner": "repobility-threat-engine", "fingerprint": "6ac95be2cdd44c7bd0b60b3f390d55318e4a3bd9b0edb2bfad39e0fbdb368803", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-subprocess-shell-true", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347977+00:00", "triaged_in_corpus": 15, "observations_count": 3478, "ai_coder_pattern_id": 118}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6ac95be2cdd44c7bd0b60b3f390d55318e4a3bd9b0edb2bfad39e0fbdb368803"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"scripts/ft-benchmark-data-sender.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "SEC035", "level": "error", "message": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants."}, "properties": {"repobilityId": 129029, "scanner": "repobility-threat-engine", "fingerprint": "afc4e218d6b32ce93fa05e84afa5563738f2d7f94dab3982a09bcd3e3e558ce7", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "bytes(input.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC035", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|afc4e218d6b32ce93fa05e84afa5563738f2d7f94dab3982a09bcd3e3e558ce7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/runtime-params-estimator/src/estimator_params.rs"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED039", "level": "error", "message": {"text": "[MINED039] Rust Todo Macro: todo!() panics when reached. 
Unimplemented code path."}, "properties": {"repobilityId": 129025, "scanner": "repobility-threat-engine", "fingerprint": "68a1ad8cdc79ae794e062df4c1d3faaf0470d8b57b0b0ea76b5fa42b04fc2bc3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-todo-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347989+00:00", "triaged_in_corpus": 15, "observations_count": 1561, "ai_coder_pattern_id": 114}, "scanner": "repobility-threat-engine", "correlation_key": "fp|68a1ad8cdc79ae794e062df4c1d3faaf0470d8b57b0b0ea76b5fa42b04fc2bc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/near-vm/compiler-singlepass/src/x64_decl.rs"}, "region": {"startLine": 203}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. 
Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 129024, "scanner": "repobility-threat-engine", "fingerprint": "674a860986ded9f5ba3f63653414b744dc2cb79dee3e646c864a36c74f91e13e", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"\\bfn\\s+([A-Za-z_][A-Za-z_0-9]*)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|scripts/check_nightly.py|54|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check_nightly.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. 
Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 129023, "scanner": "repobility-threat-engine", "fingerprint": "f605a1ea5c8af2e64c139592a2093f251f551ac5f5c8f031f0dad3363379e0de", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r'wasm function block count\\s+code_index=(\\d+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|38|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/near-vm-runner/benchmarks/analyze_compilation_logs.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 129019, "scanner": "repobility-threat-engine", "fingerprint": "8a882e9ac0b5914e5ed1d71206ff6f33955e4563199def5c09124ea2e7a328f8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8a882e9ac0b5914e5ed1d71206ff6f33955e4563199def5c09124ea2e7a328f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check_nightly.py"}, "region": {"startLine": 71}}}]}, {"ruleId": 
"MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 129018, "scanner": "repobility-threat-engine", "fingerprint": "b71b64016e63be65547466797c8ae7e6e8dedd93778efbc1566e9182b8c8a41d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b71b64016e63be65547466797c8ae7e6e8dedd93778efbc1566e9182b8c8a41d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tools/mirror/fork_network.py"}, "region": {"startLine": 121}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0).
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 129007, "scanner": "repobility-threat-engine", "fingerprint": "a0382eaa7135e71ff6e6653a6b11105d282813fd852e6d63d248c46e410a61cb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a0382eaa7135e71ff6e6653a6b11105d282813fd852e6d63d248c46e410a61cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ft-benchmark-data-sender.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0).
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 129006, "scanner": "repobility-threat-engine", "fingerprint": "8d540314cfe1f88fe73b5d38cde331364278dfddd65372ecfd9a59e81fd19819", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8d540314cfe1f88fe73b5d38cde331364278dfddd65372ecfd9a59e81fd19819"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "debug_scripts/request_chain_info.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0).
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 129005, "scanner": "repobility-threat-engine", "fingerprint": "1facce843639a3f72f6926786aa4d5c4e243d33cf57d1486067993ff3c85bf56", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1facce843639a3f72f6926786aa4d5c4e243d33cf57d1486067993ff3c85bf56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "debug_scripts/estimate_epoch_start_time.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 128995, "scanner": "repobility-threat-engine", "fingerprint": "e9cfa6b0f44028aa80e9d38732e1b04bd04a6baade57794cff7683f772d92967", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(local_url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e9cfa6b0f44028aa80e9d38732e1b04bd04a6baade57794cff7683f772d92967"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ft-benchmark-data-sender.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 128994, "scanner": "repobility-threat-engine", "fingerprint": "80d5668141598a51c896c0e80c0f6fd6428f132252da3f9e2b1a787b94ee3312", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|80d5668141598a51c896c0e80c0f6fd6428f132252da3f9e2b1a787b94ee3312"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tools/prober/prober_split.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 128993, "scanner": "repobility-threat-engine", "fingerprint": "c593511bc69b03d61b524a30691b9cbf00963b0b18e6e82328f03c841b574f73", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(w", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c593511bc69b03d61b524a30691b9cbf00963b0b18e6e82328f03c841b574f73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/jsonrpc/res/congestion_control.js"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 128987, "scanner": "repobility-threat-engine", "fingerprint": "6f35b343a733b686835333d5c358e4748c659c555008cd7a012caf0e7fe35d66", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "self.0.update(|mut inner| {\n            inner.remove_outbound(peer_id);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6f35b343a733b686835333d5c358e4748c659c555008cd7a012caf0e7fe35d66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/network/src/peer_manager/connection_store/mod.rs"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 128986, "scanner": "repobility-threat-engine", "fingerprint": "f74a31872645f61171bbc68459a6725bfc688d1f2bd0f2745796ed8bce2d4149", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "m.update(|x| {\n            // Initial content of x should be the same as before update.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f74a31872645f61171bbc68459a6725bfc688d1f2bd0f2745796ed8bce2d4149"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/network/src/concurrency/tests.rs"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 128985, "scanner": "repobility-threat-engine", "fingerprint": "03ee9975bbb8ae2cc3bafe2405a0f2ee7037b194dc15686acdfa96ba576cabab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "self.sync_status.update(SyncStatus::HeaderSync {\n                    start_height: h", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|03ee9975bbb8ae2cc3bafe2405a0f2ee7037b194dc15686acdfa96ba576cabab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/client/src/sync/handler.rs"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. 
Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 128979, "scanner": "repobility-threat-engine", "fingerprint": "e013b4016d4002de3160f4bbdb79c26d81da56aafb9eef238714eac9f7f31a17", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e013b4016d4002de3160f4bbdb79c26d81da56aafb9eef238714eac9f7f31a17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core/crypto/src/signer.rs"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. 
Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 128978, "scanner": "repobility-threat-engine", "fingerprint": "245e641274d55f4ee2e0fd621340ce91f075021ef695acd50216f504a84bf473", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|245e641274d55f4ee2e0fd621340ce91f075021ef695acd50216f504a84bf473"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chain/network/src/stun/testonly.rs"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. 
Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 128977, "scanner": "repobility-threat-engine", "fingerprint": "c90ddc2886b35b0c19ad93618bfb3f3510b13b78437c176efef0341d2b657ce5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c90ddc2886b35b0c19ad93618bfb3f3510b13b78437c176efef0341d2b657ce5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/synth-bm/src/rpc.rs"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 128975, "scanner": "repobility-threat-engine", "fingerprint": "ce31589cc031308717611280df36af01c019d4374047c8bda17a38d6a652dab4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ce31589cc031308717611280df36af01c019d4374047c8bda17a38d6a652dab4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/synth-bm/src/block_service.rs"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 128974, "scanner": "repobility-threat-engine", "fingerprint": "d4bcf22d5c4d745511d21fd3329e18fc1f732a7ef580c2818aadf392e93870b7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d4bcf22d5c4d745511d21fd3329e18fc1f732a7ef580c2818aadf392e93870b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/synth-bm/src/account.rs"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 128973, "scanner": "repobility-threat-engine", "fingerprint": "834cc65ba1444347a9643152d152346a8a618d1ada9394bb30a897f0be538f4c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|834cc65ba1444347a9643152d152346a8a618d1ada9394bb30a897f0be538f4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/rpc-probe/src/metrics.rs"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.NAYDUCK_CODE` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.NAYDUCK_CODE }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Note that GitHub withholds repository secrets from `pull_request` runs triggered from forks by default, so confirm the trigger and the repository's fork-PR settings when triaging. 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 129230, "scanner": "repobility-supply-chain", "fingerprint": "86496a16a15d8c646d070405e00a025c525c93cbc6fb841639afa6aa75c271dc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|86496a16a15d8c646d070405e00a025c525c93cbc6fb841639afa6aa75c271dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nayduck_ci.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `time` used but not imported: The file uses `time.something(...)` but never imports `time`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 129165, "scanner": "repobility-ast-engine", "fingerprint": "c04ddeadabe16fb5751063f70303d7a2402ddb4c9bbd011600e443845f600d15", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c04ddeadabe16fb5751063f70303d7a2402ddb4c9bbd011600e443845f600d15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pytest/tools/prober/prober_split.py"}, "region": {"startLine": 195}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 129104, "scanner": "repobility-docker", "fingerprint": "e261830c47939636bc501352876f6f4ff3ff57fa0f389f7483bb2926b123fafc", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mongo", "variable": "MONGO_INITDB_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|e261830c47939636bc501352876f6f4ff3ff57fa0f389f7483bb2926b123fafc", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tracing/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks 
creds via logs, referrer, error messages."}, "properties": {"repobilityId": 129028, "scanner": "repobility-threat-engine", "fingerprint": "5d53627e2c3395cd3bb0bc479d9c7ae61e2a882662b4f6f084202835c275253c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5d53627e2c3395cd3bb0bc479d9c7ae61e2a882662b4f6f084202835c275253c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tracing/docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 129027, "scanner": "repobility-threat-engine", "fingerprint": "217e5ca09b314f64f3d23ba24799cd0bae6c82883a3cd4eb552d804e15d638c7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|217e5ca09b314f64f3d23ba24799cd0bae6c82883a3cd4eb552d804e15d638c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "runtime/runtime-params-estimator/estimator-warehouse/src/zulip.rs"}, "region": 
{"startLine": 48}}}]}]}]}