{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-x746-7m8f-x49c", "name": "starlette: GHSA-x746-7m8f-x49c", "shortDescription": {"text": "starlette: GHSA-x746-7m8f-x49c"}, "fullDescription": {"text": "Starlette: Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gc5v-m9x4-r6x2", "name": "requests: GHSA-gc5v-m9x4-r6x2", "shortDescription": {"text": "requests: GHSA-gc5v-m9x4-r6x2"}, "fullDescription": {"text": "Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mf9w-mj56-hr94", "name": "python-dotenv: GHSA-mf9w-mj56-hr94", "shortDescription": {"text": "python-dotenv: GHSA-mf9w-mj56-hr94"}, "fullDescription": {"text": "python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6w46-j5rx-g56g", "name": "pytest: GHSA-6w46-j5rx-g56g", "shortDescription": {"text": "pytest: GHSA-6w46-j5rx-g56g"}, "fullDescription": {"text": "pytest has vulnerable tmpdir handling"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-993g-76c3-p5m4", "name": "pyjwt: GHSA-993g-76c3-p5m4", "shortDescription": {"text": "pyjwt: GHSA-993g-76c3-p5m4"}, "fullDescription": {"text": "PyJWKClient: missing scheme allowlist enables CVE-2024-21643-class SSRF + token forgery via file://, ftp://, data: schemes"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-rr7j-v2q5-chgv", "name": "langsmith: GHSA-rr7j-v2q5-chgv", "shortDescription": {"text": "langsmith: GHSA-rr7j-v2q5-chgv"}, "fullDescription": {"text": "LangSmith SDK: Streaming token events bypass output redaction"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gr75-jv2w-4656", "name": "langchain-anthropic: GHSA-gr75-jv2w-4656", "shortDescription": {"text": "langchain-anthropic: GHSA-gr75-jv2w-4656"}, "fullDescription": {"text": "LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xrvj-v92f-53gj", "name": "dulwich: GHSA-xrvj-v92f-53gj", "shortDescription": {"text": "dulwich: GHSA-xrvj-v92f-53gj"}, "fullDescription": {"text": "Dulwich has unbounded memory allocation in receive-pack from crafted thin packs"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "GHSA-jp82-jpqv-5vv3", "name": "starlette: GHSA-jp82-jpqv-5vv3", "shortDescription": {"text": "starlette: GHSA-jp82-jpqv-5vv3"}, "fullDescription": {"text": "Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5239-wwwm-4pmq", "name": "pygments: GHSA-5239-wwwm-4pmq", "shortDescription": {"text": "pygments: GHSA-5239-wwwm-4pmq"}, "fullDescription": {"text": "Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-73h3-mf4w-8647", "name": "poetry: GHSA-73h3-mf4w-8647", "shortDescription": {"text": "poetry: GHSA-73h3-mf4w-8647"}, "fullDescription": {"text": "Poetry has Path Traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-555p-6grf-mh7f", "name": "dulwich: GHSA-555p-6grf-mh7f", "shortDescription": {"text": "dulwich: GHSA-555p-6grf-mh7f"}, "fullDescription": {"text": "Dulwich doesn't sanitize commit subjects in `porcelain.format_patch`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `_write_result` has cognitive complexity 8 (SonarSource scale). Cognitive ", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `_write_result` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion "}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 8."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-142", "name": "urllib3: PYSEC-2026-142", "shortDescription": {"text": "urllib3: PYSEC-2026-142"}, "fullDescription": {"text": "urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-141", "name": "urllib3: PYSEC-2026-141", "shortDescription": {"text": "urllib3: PYSEC-2026-141"}, "fullDescription": {"text": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wqp7-x3pw-xc5r", "name": "starlette: GHSA-wqp7-x3pw-xc5r", "shortDescription": {"text": "starlette: GHSA-wqp7-x3pw-xc5r"}, "fullDescription": {"text": "Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-82w8-qh3p-5jfq", "name": "starlette: GHSA-82w8-qh3p-5jfq", "shortDescription": {"text": "starlette: GHSA-82w8-qh3p-5jfq"}, "fullDescription": {"text": "Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-161", "name": "starlette: PYSEC-2026-161", "shortDescription": {"text": "starlette: PYSEC-2026-161"}, "fullDescription": {"text": "BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-179", "name": "pyjwt: PYSEC-2026-179", "shortDescription": {"text": "pyjwt: PYSEC-2026-179"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-178", "name": "pyjwt: PYSEC-2026-178", "shortDescription": {"text": "pyjwt: PYSEC-2026-178"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option (\"b64\": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b64=false, PyJWT later discards that decoded payload and replaces it with the caller-provided detached_payload. In practice, this turns the middle segment into an attacker-controlled \u201cwork amplifier\u201d: a remote client can supply an arbitrarily large Base64URL payload segment that forces CPU work + memory allocations even if the signature is invalid. This creates an unauthenticated DoS vector against any endpoint that verifies detached JWS using PyJWT. This vulnerability is fixed in 2.13.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-177", "name": "pyjwt: PYSEC-2026-177", "shortDescription": {"text": "pyjwt: PYSEC-2026-177"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests. The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. This vulnerability is fixed in 2.13.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-176", "name": "pyjwt: PYSEC-2026-176", "shortDescription": {"text": "pyjwt: PYSEC-2026-176"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode() or jwt.decode_complete() are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature verification is performed with the algorithm bound to the PyJWK object instead of the header algorithm. An attacker who controls a registered JWK/JWKS private key can sign with a disallowed algorithm, advertise an allowed algorithm in the JWT header, and still be accepted. The issue affects the documented PyJWKClient.get_signing_key_from_jwt(...) flow. This vulnerability is fixed in 2.13.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-175", "name": "pyjwt: PYSEC-2026-175", "shortDescription": {"text": "pyjwt: PYSEC-2026-175"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no documented option to restrict which schemes PyJWKClient will fetch. If an application's jku URL ingestion path accepts attacker-influenced URLs (e.g., from JWT header, configuration file, OAuth flow parameter), the attacker can cause PyJWKClient to read arbitrary local files via file:// (SSRF on local filesystem), cause PyJWKClient to attempt FTP / data-URI fetches (broader SSRF surface), or forge tokens that PyJWT verifies as valid. The library does not directly return non-HTTP(S) URI contents to the attacker; the chained \"plant a JWKS to forge tokens\" scenario described in the original report requires additional application-layer flaws (attacker write access to a filesystem path, untrusted jku "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-120", "name": "pyjwt: PYSEC-2026-120", "shortDescription": {"text": "pyjwt: PYSEC-2026-120"}, "fullDescription": {"text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 \u00a74.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2599-h6xx-hpxp", "name": "poetry: GHSA-2599-h6xx-hpxp", "shortDescription": {"text": "poetry: GHSA-2599-h6xx-hpxp"}, "fullDescription": {"text": "Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3644-q5cj-c5c7", "name": "langsmith: GHSA-3644-q5cj-c5c7", "shortDescription": {"text": "langsmith: GHSA-3644-q5cj-c5c7"}, "fullDescription": {"text": "LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-76", "name": "langchain-openai: PYSEC-2026-76", "shortDescription": {"text": "langchain-openai: PYSEC-2026-76"}, "fullDescription": {"text": "LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-215", "name": "idna: PYSEC-2026-215", "shortDescription": {"text": "idna: PYSEC-2026-215"}, "fullDescription": {"text": "Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `\"\\u0660\" * N` or `\"\\u30fb\" * N + \"\\u6f22\"` utilize the `valid_contexto` function prior to length rejection, and for high values of `N` will take a long time to process. This is the same issue as CVE-2024-3651, however the original remediation in 2024 was not a complete fix. A specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service. Starting in version 3.14, the function rejects long inputs as soon as practicable prior to any further processing to minimize resource consumption. In version 3.15, this approach was extended to lesser used alternate functions (i.e. per-label conversions and codec support). A workaround is available. Domain names cannot exceed 253 characters in length. If thi"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9277-mp7x-85jf", "name": "dulwich: GHSA-9277-mp7x-85jf", "shortDescription": {"text": "dulwich: GHSA-9277-mp7x-85jf"}, "fullDescription": {"text": "Dulwich Vulnerable to Command Injection via Merge Driver Path"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-897w-fcg9-f6xj", "name": "dulwich: GHSA-897w-fcg9-f6xj", "shortDescription": {"text": "dulwich: GHSA-897w-fcg9-f6xj"}, "fullDescription": {"text": "Dulwich has an arbitrary file write via NTFS-hostile tree entries on Windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r6ph-v2qm-q3c2", "name": "cryptography: GHSA-r6ph-v2qm-q3c2", "shortDescription": {"text": "cryptography: GHSA-r6ph-v2qm-q3c2"}, "fullDescription": {"text": "cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-537c-gmf6-5ccf", "name": "cryptography: GHSA-537c-gmf6-5ccf", "shortDescription": {"text": "cryptography: GHSA-537c-gmf6-5ccf"}, "fullDescription": {"text": "Vulnerable OpenSSL included in cryptography wheels"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "PYSEC-2026-35", "name": "cryptography: PYSEC-2026-35", "shortDescription": {"text": "cryptography: PYSEC-2026-35"}, "fullDescription": {"text": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED036", "name": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping.", "shortDescription": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.15.2`", "shortDescription": {"text": "pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.15.2`"}, "fullDescription": {"text": "`.pre-commit-config.yaml` references `https://github.com/astral-sh/ruff-pre-commit` at `rev: v0.15.2`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest"}, "fullDescription": {"text": "`FROM python:3.12-slim-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.base_prompt` used but never assigned in __init__", "shortDescription": {"text": "`self.base_prompt` used but never assigned in __init__"}, "fullDescription": {"text": "Method `build_prompt` of class `LLMMetaAnalyzer` reads `self.base_prompt`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "Phantom test coverage: test_cleanup_idempotent", "shortDescription": {"text": "Phantom test coverage: test_cleanup_idempotent"}, "fullDescription": {"text": "Test function `test_cleanup_idempotent` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/30719"}, "properties": {"repository": "NVIDIA/SkillSpector", "repoUrl": "https://github.com/NVIDIA/SkillSpector.git", "branch": "main"}, "results": [{"ruleId": "GHSA-x746-7m8f-x49c", "level": "warning", "message": {"text": "starlette: GHSA-x746-7m8f-x49c"}, "properties": {"repobilityId": 225325, "scanner": "osv-scanner", "fingerprint": "89743f8ede04415be52a2909d26bc987899a2d0e449333b001a53675b29f9aa7", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48817"], "package": "starlette", "rule_id": "GHSA-x746-7m8f-x49c", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2026-48817|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gc5v-m9x4-r6x2", "level": "warning", "message": {"text": "requests: GHSA-gc5v-m9x4-r6x2"}, "properties": {"repobilityId": 225320, "scanner": "osv-scanner", "fingerprint": "e884985e28f71ca0fc1c2b7bb4ab3804118148f9826bc4963d61cc8124554f58", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25645"], "package": "requests", "rule_id": "GHSA-gc5v-m9x4-r6x2", "scanner": "osv-scanner", "correlation_key": "vuln|requests|CVE-2026-25645|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mf9w-mj56-hr94", "level": "warning", "message": {"text": "python-dotenv: GHSA-mf9w-mj56-hr94"}, "properties": {"repobilityId": 225319, "scanner": "osv-scanner", "fingerprint": "9fa45bb35d6c42713aa5ad20c133330f7651c7c5a59abc07a1c90866c86a92fa", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-28684"], "package": "python-dotenv", "rule_id": "GHSA-mf9w-mj56-hr94", "scanner": "osv-scanner", "correlation_key": "vuln|python-dotenv|CVE-2026-28684|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6w46-j5rx-g56g", "level": "warning", "message": {"text": "pytest: GHSA-6w46-j5rx-g56g"}, "properties": {"repobilityId": 225318, "scanner": "osv-scanner", "fingerprint": "33dc2cc48895af7411c54c511d78df7905a11a77117f845a8d70612b5d14e52f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-71176"], "package": "pytest", "rule_id": "GHSA-6w46-j5rx-g56g", "scanner": "osv-scanner", "correlation_key": "vuln|pytest|CVE-2025-71176|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-993g-76c3-p5m4", "level": "warning", "message": {"text": "pyjwt: GHSA-993g-76c3-p5m4"}, "properties": {"repobilityId": 225317, "scanner": "osv-scanner", "fingerprint": "6f2803bd43271cfcaf387745d14e8414bc415f3a33966c9fbf4ce93552cc3ded", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48522", "PYSEC-2026-175"], "package": "pyjwt", "rule_id": "GHSA-993g-76c3-p5m4", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2024-21643|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-rr7j-v2q5-chgv", "level": "warning", "message": {"text": "langsmith: GHSA-rr7j-v2q5-chgv"}, "properties": {"repobilityId": 225307, "scanner": "osv-scanner", "fingerprint": "a919238152fe4549a787e12addb1178cc44124e24b739995a59b52984c7b85e0", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41182"], "package": "langsmith", "rule_id": "GHSA-rr7j-v2q5-chgv", "scanner": "osv-scanner", "correlation_key": "vuln|langsmith|CVE-2026-41182|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gr75-jv2w-4656", "level": "warning", "message": {"text": "langchain-anthropic: GHSA-gr75-jv2w-4656"}, "properties": {"repobilityId": 225304, "scanner": "osv-scanner", "fingerprint": "1978f27067732daf775f3647a74096df6ff416844c4aaca6d8697cfa465a4a42", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "langchain-anthropic", "rule_id": "GHSA-gr75-jv2w-4656", "scanner": "osv-scanner", "correlation_key": "vuln|langchain-anthropic|GHSA-GR75-JV2W-4656|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xrvj-v92f-53gj", "level": "warning", "message": {"text": "dulwich: GHSA-xrvj-v92f-53gj"}, "properties": {"repobilityId": 225302, "scanner": "osv-scanner", "fingerprint": "e213e178922e70064aea6558f3bf87cea32e840613e682f7cb1e4d47871c9d3e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47734"], "package": "dulwich", "rule_id": "GHSA-xrvj-v92f-53gj", "scanner": "osv-scanner", "correlation_key": "vuln|dulwich|CVE-2026-47734|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 225293, "scanner": "repobility-docker", "fingerprint": "ca65742e81d61b7a273c861057311223038147a2589bd2d039ba6d5530cfda30", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.12-slim-bookworm", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ca65742e81d61b7a273c861057311223038147a2589bd2d039ba6d5530cfda30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 225289, "scanner": "repobility-threat-engine", "fingerprint": "342094d5c640b2cb147b296501d6688193d97bf73aa423e32bbae64e5a39e2d6", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|73|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/skillspector/nodes/analyzers/behavioral_ast.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 225285, "scanner": "repobility-threat-engine", "fingerprint": "a5431e7d4d35fdf97495c1adc214ed45e796831ef53581ac4464883ee93244dd", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|182|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/skillspector/input_handler.py"}, "region": {"startLine": 182}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 225278, "scanner": "repobility-agent-runtime", "fingerprint": "ff3149638cd7f2974a746336d44903a82b562cf974fb7312e014d0fadf95f7b0", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ff3149638cd7f2974a746336d44903a82b562cf974fb7312e014d0fadf95f7b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/skillspector/nodes/analyzers/mcp_tool_poisoning.py"}, "region": {"startLine": 507}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 225277, "scanner": "repobility-agent-runtime", "fingerprint": "e5df71c4586794779aa8a33de60f7a1f7063331d83a4145ea4b1983f4500aede", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|e5df71c4586794779aa8a33de60f7a1f7063331d83a4145ea4b1983f4500aede"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/B.3.2-mcp-tool-poisoning.md"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 225273, "scanner": "repobility-ast-engine", "fingerprint": "749fc12622877847c3fd32818dad373f367889017cf1f9a31353c0f468f94ebc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|749fc12622877847c3fd32818dad373f367889017cf1f9a31353c0f468f94ebc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/skillspector/nodes/analyzers/mcp_tool_poisoning.py"}, "region": {"startLine": 269}}}]}, {"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 225267, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_CI", "scanner": "repobility-core", "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "GHSA-jp82-jpqv-5vv3", "level": "note", "message": {"text": "starlette: GHSA-jp82-jpqv-5vv3"}, "properties": {"repobilityId": 225323, "scanner": "osv-scanner", "fingerprint": "04c6be90e1c7d4b93e21b01bec4572ba0a151898d21e426b6b01cd86b33ac38d", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-54282"], "package": "starlette", "rule_id": "GHSA-jp82-jpqv-5vv3", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2026-54282|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5239-wwwm-4pmq", "level": "note", "message": {"text": "pygments: GHSA-5239-wwwm-4pmq"}, "properties": {"repobilityId": 225310, "scanner": "osv-scanner", "fingerprint": "db0fef0ab784fa7e288e01a475a731d75b5105247b655bdfac2babc124377da9", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4539"], "package": "pygments", "rule_id": "GHSA-5239-wwwm-4pmq", "scanner": "osv-scanner", "correlation_key": "vuln|pygments|CVE-2026-4539|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-73h3-mf4w-8647", "level": "note", "message": {"text": "poetry: GHSA-73h3-mf4w-8647"}, "properties": {"repobilityId": 225309, "scanner": "osv-scanner", "fingerprint": "7668fba8a55791bfdee792d79f5fa55a4d7c79a7ff522e93ee3e6b22dcca14d7", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41140"], "package": "poetry", "rule_id": "GHSA-73h3-mf4w-8647", "scanner": "osv-scanner", "correlation_key": "vuln|poetry|CVE-2026-41140|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-555p-6grf-mh7f", "level": "note", "message": {"text": "dulwich: GHSA-555p-6grf-mh7f"}, "properties": {"repobilityId": 225299, "scanner": "osv-scanner", "fingerprint": "a08156bd3a7c7d9afab34e6cdc5593df2f3b9abcac15ad16c26a0f948c1eef84", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47712"], "package": "dulwich", "rule_id": "GHSA-555p-6grf-mh7f", "scanner": "osv-scanner", "correlation_key": "vuln|dulwich|CVE-2026-47712|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 225294, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `_write_result` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=1, else=2, if=3, nested_bonus=1, or=1."}, "properties": {"repobilityId": 225282, "scanner": "repobility-threat-engine", "fingerprint": "af2f85547c8f7b58fd6195395f3b1a4579f811f0f2c0ed91a585e494ecf21f94", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_write_result", "breakdown": {"if": 3, "or": 1, "elif": 1, "else": 2, "nested_bonus": 1}, "complexity": 8, "correlation_key": "fp|af2f85547c8f7b58fd6195395f3b1a4579f811f0f2c0ed91a585e494ecf21f94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/skillspector/cli.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `scan` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=1, except=3, if=4, nested_bonus=1, ternary=1."}, "properties": {"repobilityId": 225281, "scanner": "repobility-threat-engine", "fingerprint": "bb6be2a3ad07bb09f0633ca93485a49515083dd87a5e564963dad7207fab7c94", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "scan", "breakdown": {"if": 4, "else": 1, "except": 3, "ternary": 1, "nested_bonus": 1}, "complexity": 10, "correlation_key": "fp|bb6be2a3ad07bb09f0633ca93485a49515083dd87a5e564963dad7207fab7c94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/skillspector/cli.py"}, "region": {"startLine": 136}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 225269, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e6011db24a562b83cf00287eafe26a3e8c37d9a645f1211f102759a3ce47b869", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/skillspector/nodes/analyzers/static_runner.py", "duplicate_line": 9, "correlation_key": "fp|e6011db24a562b83cf00287eafe26a3e8c37d9a645f1211f102759a3ce47b869"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/skillspector/nodes/build_context.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 225268, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bcee7c452c9652d0f0cce5f823099bfdaf28c77ce5107a618c61e2e0f48d4fd9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/skillspector/nodes/analyzers/behavioral_ast.py", "duplicate_line": 163, "correlation_key": "fp|bcee7c452c9652d0f0cce5f823099bfdaf28c77ce5107a618c61e2e0f48d4fd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/skillspector/nodes/analyzers/behavioral_taint_tracking.py"}, "region": {"startLine": 316}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 225288, "scanner": "repobility-threat-engine", "fingerprint": "b951b091b2b295496eb4d4d051eb75796a0f5c8e29746aa39f3807fb0ff1dba6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b951b091b2b295496eb4d4d051eb75796a0f5c8e29746aa39f3807fb0ff1dba6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/skillspector/nodes/analyzers/osv_client.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 225287, "scanner": "repobility-threat-engine", "fingerprint": "a32c79a442f93ded4dd80e6ea9a60ed9d6d15bdc54eb8c016dd8ad5939a05742", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a32c79a442f93ded4dd80e6ea9a60ed9d6d15bdc54eb8c016dd8ad5939a05742"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/skillspector/models.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 225286, "scanner": "repobility-threat-engine", "fingerprint": "256cd2a6850900de1da60d2dd6f06659b8f0ec80afbadc0801fb6999adb92db9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|256cd2a6850900de1da60d2dd6f06659b8f0ec80afbadc0801fb6999adb92db9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/skillspector/input_handler.py"}, "region": {"startLine": 107}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "properties": {"repobilityId": 225284, "scanner": "repobility-threat-engine", "fingerprint": "26623a4384c15353821760bd652659c8310cb263e68e02d0d97e21365c6a16f3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 27 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "scan", "breakdown": {"if": 4, "else": 1, "except": 3, "ternary": 1, "nested_bonus": 1}, "aggregated": true, "complexity": 10, "correlation_key": "fp|26623a4384c15353821760bd652659c8310cb263e68e02d0d97e21365c6a16f3", "aggregated_count": 27}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 225280, "scanner": "repobility-threat-engine", "fingerprint": "fa0fa0b8eb5e7f61e1ccdf9ec2a9cfe81f8ad2b5ea4ae2e88c35aba8c2c21917", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fa0fa0b8eb5e7f61e1ccdf9ec2a9cfe81f8ad2b5ea4ae2e88c35aba8c2c21917"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/skillspector/nodes/analyzers/static_yara.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 225279, "scanner": "repobility-threat-engine", "fingerprint": "67dfd62d57e561d005c6c09377c91e36c3adc836aa5e0822a7dd3d804c71e9ab", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|67dfd62d57e561d005c6c09377c91e36c3adc836aa5e0822a7dd3d804c71e9ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/skillspector/cli.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "PYSEC-2026-142", "level": "error", "message": {"text": "urllib3: PYSEC-2026-142"}, "properties": {"repobilityId": 225327, "scanner": "osv-scanner", "fingerprint": "66e1b1aa9022c519776ddad0df70ff61566d315478a0e1d4db634530c7bec89d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44432", "GHSA-mf9v-mfxr-j63j"], "package": "urllib3", "rule_id": "PYSEC-2026-142", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-44432|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-mf9v-mfxr-j63j", "PYSEC-2026-142"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["66e1b1aa9022c519776ddad0df70ff61566d315478a0e1d4db634530c7bec89d", "a381e5d6707c9f75030a22ee814aac9c80fbfaca862e6fa548c90d2b0d78e00f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-141", "level": "error", "message": {"text": "urllib3: PYSEC-2026-141"}, "properties": {"repobilityId": 225326, "scanner": "osv-scanner", "fingerprint": "202e502152aa0eef57a4c3f3a01e648d30977c8aa06b2acc05a839706b0597b4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-44431", "GHSA-qccp-gfcp-xxvc"], "package": "urllib3", "rule_id": "PYSEC-2026-141", "scanner": "osv-scanner", "correlation_key": "vuln|urllib3|CVE-2026-44431|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-qccp-gfcp-xxvc", "PYSEC-2026-141"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["202e502152aa0eef57a4c3f3a01e648d30977c8aa06b2acc05a839706b0597b4", "b78af741547635e5ed59316b870c20991733a249d6cd722bd682d0d24fc35efa"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wqp7-x3pw-xc5r", "level": "error", "message": {"text": "starlette: GHSA-wqp7-x3pw-xc5r"}, "properties": {"repobilityId": 225324, "scanner": "osv-scanner", "fingerprint": "6be511c8e01afa4c0cc2324867cb32ac0bcc528602e7c8508f3d15fdcfc01e95", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48818"], "package": "starlette", "rule_id": "GHSA-wqp7-x3pw-xc5r", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2026-48818|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-82w8-qh3p-5jfq", "level": "error", "message": {"text": "starlette: GHSA-82w8-qh3p-5jfq"}, "properties": {"repobilityId": 225322, "scanner": "osv-scanner", "fingerprint": "71f5fbda3743e66d919253a7b7b08b112a9a99ec0f6bbb13b2ce68cc93ea09f0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-54283"], "package": "starlette", "rule_id": "GHSA-82w8-qh3p-5jfq", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2026-54283|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-161", "level": "error", "message": {"text": "starlette: PYSEC-2026-161"}, "properties": {"repobilityId": 225321, "scanner": "osv-scanner", "fingerprint": "993c965e051ac08384f28c004ed2828303fa08d6e623c80da1211dbce5cea7ce", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-48710", "GHSA-86qp-5c8j-p5mr", "X41-2026-002"], "package": "starlette", "rule_id": "PYSEC-2026-161", "scanner": "osv-scanner", "correlation_key": "vuln|starlette|CVE-2026-48710|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-86qp-5c8j-p5mr", "PYSEC-2026-161"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["20d0e73bab623b5772bb5ee81b54e26f25bfd7b3f632ca3aec483536eb176c89", "993c965e051ac08384f28c004ed2828303fa08d6e623c80da1211dbce5cea7ce"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-179", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-179"}, "properties": {"repobilityId": 225316, "scanner": "osv-scanner", "fingerprint": "3a8c92a4bc42452ab63c8b780593c12b550761e77665f811c437dd35791069ae", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-48526", "GHSA-xgmm-8j9v-c9wx"], "package": "pyjwt", "rule_id": "PYSEC-2026-179", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48526|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-xgmm-8j9v-c9wx", "PYSEC-2026-179"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["3a8c92a4bc42452ab63c8b780593c12b550761e77665f811c437dd35791069ae", "da86ce6a38ff47e3e8bec1678d81dfa2db14f43446b528d8ea50a2d7a662c412"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-178", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-178"}, "properties": {"repobilityId": 225315, "scanner": "osv-scanner", "fingerprint": "529afc49608a001ef35ca72e2e5bf2ab615fb9fdf39e2d3fc621ae3c7274698b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-48525", "GHSA-w7vc-732c-9m39"], "package": "pyjwt", "rule_id": "PYSEC-2026-178", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48525|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-w7vc-732c-9m39", "PYSEC-2026-178"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["529afc49608a001ef35ca72e2e5bf2ab615fb9fdf39e2d3fc621ae3c7274698b", "ae58e877d7147892fc1cdc33ade0f9016eaf354cb32906917c75e770d828a48e"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-177", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-177"}, "properties": {"repobilityId": 225314, "scanner": "osv-scanner", "fingerprint": "e4a57bf8d7416024fd079256b08e268bcee4f11f05b7eaee044fc1d8b95a1189", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-48524", "GHSA-fhv5-28vv-h8m8"], "package": "pyjwt", "rule_id": "PYSEC-2026-177", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48524|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-fhv5-28vv-h8m8", "PYSEC-2026-177"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["3affda48f7eba44140d4227d3cd700b9b3d4400c3666331fce79b27f7b8baf8b", "e4a57bf8d7416024fd079256b08e268bcee4f11f05b7eaee044fc1d8b95a1189"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-176", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-176"}, "properties": {"repobilityId": 225313, "scanner": "osv-scanner", "fingerprint": "5eb9f4f10fe839d0ad0a3fb8daefa7a7e3a6bbba63914240c43c676f67443b58", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-48523", "GHSA-jq35-7prp-9v3f"], "package": "pyjwt", "rule_id": "PYSEC-2026-176", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48523|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-jq35-7prp-9v3f", "PYSEC-2026-176"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["5eb9f4f10fe839d0ad0a3fb8daefa7a7e3a6bbba63914240c43c676f67443b58", "ace751b2018152d2488e4ca021afd52594284e143740f90d3dcdd247c0ddeff4"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-175", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-175"}, "properties": {"repobilityId": 225312, "scanner": "osv-scanner", "fingerprint": "5008712fe3bda523fafb9d2d087e037a86c42cd2bee1401e12b9c2d636db62f1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-48522", "GHSA-993g-76c3-p5m4"], "package": "pyjwt", "rule_id": "PYSEC-2026-175", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-48522|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-120", "level": "error", "message": {"text": "pyjwt: PYSEC-2026-120"}, "properties": {"repobilityId": 225311, "scanner": "osv-scanner", "fingerprint": "b81b67e8ab2cf04164f57838dc7c92ed537f13d09c8d538c92b1e563ff5e9dbf", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-32597", "GHSA-752w-5fwx-jx9f"], "package": "pyjwt", "rule_id": "PYSEC-2026-120", "scanner": "osv-scanner", "correlation_key": "vuln|pyjwt|CVE-2026-32597|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-752w-5fwx-jx9f", "PYSEC-2026-120"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["097ffc8c319dbda74296c2d822fb7e784a728bbe5818ffd4fdf2ff87b23dc8a6", "b81b67e8ab2cf04164f57838dc7c92ed537f13d09c8d538c92b1e563ff5e9dbf"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2599-h6xx-hpxp", "level": "error", "message": {"text": "poetry: GHSA-2599-h6xx-hpxp"}, "properties": {"repobilityId": 225308, "scanner": "osv-scanner", "fingerprint": "21260ee4fa7737b6fba8350ba8ef5c1ba2c04eae6249ff2907844441c0b30d76", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34591"], "package": "poetry", "rule_id": "GHSA-2599-h6xx-hpxp", "scanner": "osv-scanner", "correlation_key": "vuln|poetry|CVE-2026-34591|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3644-q5cj-c5c7", "level": "error", "message": {"text": "langsmith: GHSA-3644-q5cj-c5c7"}, "properties": {"repobilityId": 225306, "scanner": "osv-scanner", "fingerprint": "44f40e87c7d000c8fe81dc7d244ac6d97f20823a201b37061a5f52a33aa0883b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45134"], "package": "langsmith", "rule_id": "GHSA-3644-q5cj-c5c7", "scanner": "osv-scanner", "correlation_key": "vuln|langsmith|CVE-2026-45134|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-76", "level": "error", "message": {"text": "langchain-openai: PYSEC-2026-76"}, "properties": {"repobilityId": 225305, "scanner": "osv-scanner", "fingerprint": "23a48840e0723c568c96340dbf266074841b672e2b31e55905c4aabed83d6b95", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-41488", "GHSA-r7w7-9xr2-qq2r"], "package": "langchain-openai", "rule_id": "PYSEC-2026-76", "scanner": "osv-scanner", "correlation_key": "vuln|langchain-openai|CVE-2026-41488|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-r7w7-9xr2-qq2r", "PYSEC-2026-76"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["0c8374d8758001b183cc2a328ee932ba95b1a46b6d84b1d4ca0d47ee8d18f93b", "23a48840e0723c568c96340dbf266074841b672e2b31e55905c4aabed83d6b95"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-215", "level": "error", "message": {"text": "idna: PYSEC-2026-215"}, "properties": {"repobilityId": 225303, "scanner": "osv-scanner", "fingerprint": "1ea079cb1f6d31c6a9957d030eeea3ee85932f00d4e09b856c4f8edd1cf46668", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-45409", "GHSA-65pc-fj4g-8rjx"], "package": "idna", "rule_id": "PYSEC-2026-215", "scanner": "osv-scanner", "correlation_key": "vuln|idna|CVE-2024-3651|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-65pc-fj4g-8rjx", "PYSEC-2026-215"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1ea079cb1f6d31c6a9957d030eeea3ee85932f00d4e09b856c4f8edd1cf46668", "3cb0e6e51097792f0802522bd5a1c534f3c96b9d90576d70a538075f8c4d5bb0"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9277-mp7x-85jf", "level": "error", "message": {"text": "dulwich: GHSA-9277-mp7x-85jf"}, "properties": {"repobilityId": 225301, "scanner": "osv-scanner", "fingerprint": "3303ada7795d18b6e7a9521b0c2d27dd3d1aa3218ef070bbe8abf69a747f6006", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42563"], "package": "dulwich", "rule_id": "GHSA-9277-mp7x-85jf", "scanner": "osv-scanner", "correlation_key": "vuln|dulwich|CVE-2026-42563|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-897w-fcg9-f6xj", "level": "error", "message": {"text": "dulwich: GHSA-897w-fcg9-f6xj"}, "properties": {"repobilityId": 225300, "scanner": "osv-scanner", "fingerprint": "945e519646278f426283a249ce15f6c9c01df3ea0dc08af463f0bb58aff19d07", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42305"], "package": "dulwich", "rule_id": "GHSA-897w-fcg9-f6xj", "scanner": "osv-scanner", "correlation_key": "vuln|dulwich|CVE-2026-42305|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r6ph-v2qm-q3c2", "level": "error", "message": {"text": "cryptography: GHSA-r6ph-v2qm-q3c2"}, "properties": {"repobilityId": 225298, "scanner": "osv-scanner", "fingerprint": "722e27eed0144115cd0298bc726f8236cafe94d3d15748aaaaaf81108f8fd367", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26007"], "package": "cryptography", "rule_id": "GHSA-r6ph-v2qm-q3c2", "scanner": "osv-scanner", "correlation_key": "vuln|cryptography|CVE-2026-26007|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-537c-gmf6-5ccf", "level": "error", "message": {"text": "cryptography: GHSA-537c-gmf6-5ccf"}, "properties": {"repobilityId": 225297, "scanner": "osv-scanner", "fingerprint": "af943e2fe3ba1a79e5ec053949ece37897bdfafdca8c5f7b95b5f2d633d34331", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "cryptography", "rule_id": "GHSA-537c-gmf6-5ccf", "scanner": "osv-scanner", "correlation_key": "vuln|cryptography|GHSA-537C-GMF6-5CCF|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "PYSEC-2026-35", "level": "error", "message": {"text": "cryptography: PYSEC-2026-35"}, "properties": {"repobilityId": 225296, "scanner": "osv-scanner", "fingerprint": "3fd8d9848bacdad5903a884d7310d0805d4bce36b57f995ee47ab10e8dfdd579", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-34073", "GHSA-m959-cc7f-wv43"], "package": "cryptography", "rule_id": "PYSEC-2026-35", "scanner": "osv-scanner", "correlation_key": "vuln|cryptography|CVE-2026-34073|uv.lock", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-m959-cc7f-wv43", "PYSEC-2026-35"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["3fd8d9848bacdad5903a884d7310d0805d4bce36b57f995ee47ab10e8dfdd579", "ade6b32d35c983f0ffbc31a6ab03f799856be16faa591ee1be7218c20fc627bf"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 225292, "scanner": "repobility-threat-engine", "fingerprint": "2afe028eb3e89f5f8a30c94ebf68531abc733ae8b44c92d88a5d88c1d374eb4e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2afe028eb3e89f5f8a30c94ebf68531abc733ae8b44c92d88a5d88c1d374eb4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/skillspector/nodes/analyzers/static_yara.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED036", "level": "error", "message": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "properties": {"repobilityId": 225291, "scanner": "repobility-threat-engine", "fingerprint": "b7f689c203d4a7a5bc53ace146b392fffaac7a09a6f68fc8bfca3b254dc3e0eb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-os-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347982+00:00", "triaged_in_corpus": 15, "observations_count": 2221, "ai_coder_pattern_id": 117}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b7f689c203d4a7a5bc53ace146b392fffaac7a09a6f68fc8bfca3b254dc3e0eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/skillspector/nodes/analyzers/semantic_developer_intent.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED036", "level": "error", "message": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "properties": {"repobilityId": 225290, "scanner": "repobility-threat-engine", "fingerprint": "6d5c7a87b385d816ee78a7eabafc9674c5ab8f9189ddfac34c943dcba9aae068", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-os-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347982+00:00", "triaged_in_corpus": 15, "observations_count": 2221, "ai_coder_pattern_id": 117}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d5c7a87b385d816ee78a7eabafc9674c5ab8f9189ddfac34c943dcba9aae068"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/skillspector/nodes/analyzers/behavioral_ast.py"}, "region": {"startLine": 76}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `_analyze_python` has cognitive complexity 45 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=2, elif=6, except=1, for=1, if=10, nested_bonus=25."}, "properties": {"repobilityId": 225283, "scanner": "repobility-threat-engine", "fingerprint": "d03fb7cabb138e624df325308acc7c4fee6827e356682f94a245978cdcdcef9c", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 45 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_analyze_python", "breakdown": {"if": 10, "for": 1, "elif": 6, "except": 1, "continue": 2, "nested_bonus": 25}, "complexity": 45, "correlation_key": "fp|d03fb7cabb138e624df325308acc7c4fee6827e356682f94a245978cdcdcef9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/skillspector/nodes/analyzers/behavioral_ast.py"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.15.2`"}, "properties": {"repobilityId": 225276, "scanner": "repobility-supply-chain", "fingerprint": "343be8408b93cdc3ad912f521cc5d4af81ce4dddcc4254096e41fef5753df889", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|343be8408b93cdc3ad912f521cc5d4af81ce4dddcc4254096e41fef5753df889"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest"}, "properties": {"repobilityId": 225275, "scanner": "repobility-supply-chain", "fingerprint": "2c4065b48c73e455fcf279a305e06f5eb7c17b75f515d90ea388bdd2953becd3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2c4065b48c73e455fcf279a305e06f5eb7c17b75f515d90ea388bdd2953becd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `python:3.12-slim-bookworm` not pinned by digest"}, "properties": {"repobilityId": 225274, "scanner": "repobility-supply-chain", "fingerprint": "e90f1564090220fef703b4c0d7960120961d984992da342bda8241f9c3b5d71e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e90f1564090220fef703b4c0d7960120961d984992da342bda8241f9c3b5d71e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.base_prompt` used but never assigned in __init__"}, "properties": {"repobilityId": 225272, "scanner": "repobility-ast-engine", "fingerprint": "f74d4b340898e24b718c4259680adadb66873d35cb12328fa72fd3f5abdf54de", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f74d4b340898e24b718c4259680adadb66873d35cb12328fa72fd3f5abdf54de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/skillspector/nodes/meta_analyzer.py"}, "region": {"startLine": 247}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_cleanup_idempotent"}, "properties": {"repobilityId": 225271, "scanner": "repobility-ast-engine", "fingerprint": "a2fcf48935b3b911ba4c620982a76d829fb46d97f779bd2fc710cf85d18a1a76", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a2fcf48935b3b911ba4c620982a76d829fb46d97f779bd2fc710cf85d18a1a76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/test_input_handler.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_validate_sarif_report_accepts_valid"}, "properties": {"repobilityId": 225270, "scanner": "repobility-ast-engine", "fingerprint": "e784b5e434f168ebc1c5e50362b15fcd7a883cbdea5c2f4e21ec36c4ba479901", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e784b5e434f168ebc1c5e50362b15fcd7a883cbdea5c2f4e21ec36c4ba479901"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/test_sarif.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 225295, "scanner": "gitleaks", "fingerprint": "4b72f3ea55ed4ad2d86b708cba982515da05bff59d9abc9fde00deeac6ffa904", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "NEWSAPI_KEY=<redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|41|newsapi_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/plans/2026-04-03-skilltrap-integration.md"}, "region": {"startLine": 418}}}]}]}]}