{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n  1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is      functionally equivalent to `a+` for matching purposes.\n  2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in      replacement for `re` for most use cases.\n  3. Set a hard timeout: `signal.alarm(1)` before regex eval.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolve", "shortDescription": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED080", "name": "[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace.", "shortDescription": {"text": "[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED051", "name": "[MINED051] Csharp Null Forgive (and 22 more): Same pattern found in 22 additional files. Review if needed.", "shortDescription": {"text": "[MINED051] Csharp Null Forgive (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 33 more): Same pattern found in 33 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 33 more): Same pattern found in 33 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete (and 18 more): Same pattern found in 18 additional files. Review if needed.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `installer/PowerToysSetupVNext/WebView2/MicrosoftEdgeWebview2Setup.exe` committed in source repo:", "shortDescription": {"text": "[MINED134] Binary file `installer/PowerToysSetupVNext/WebView2/MicrosoftEdgeWebview2Setup.exe` committed in source repo: `installer/PowerToysSetupVNext/WebView2/MicrosoftEdgeWebview2Setup.exe` is a .exe binary (1,815,368 bytes) committed to"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self._calculate_projected_position` used but never assigned in __init__: Method `find_nearest_opposite_edge`", "shortDescription": {"text": "[MINED108] `self._calculate_projected_position` used but never assigned in __init__: Method `find_nearest_opposite_edge` of class `MonitorTopology` reads `self._calculate_projected_position`, but no assignment to it exists in __init__ (and "}, "fullDescription": {"text": "Initialize `self._calculate_projected_position = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_layout: Test function `test_layout` runs code but contains no assert / expect / s", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_layout: Test function `test_layout` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC061", "name": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from", "shortDescription": {"text": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT)."}, "fullDescription": {"text": "If the JWT is live, invalidate by rotating the signing key. Move tokens out of source."}, "properties": {"scanner": "repobility-threat-engine", "category": "secret", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED017", "name": "[MINED017] C System Call: system() invokes shell. command injection if any arg is dynamic.", "shortDescription": {"text": "[MINED017] C System Call: system() invokes shell. command injection if any arg is dynamic."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC025", "name": "[SEC025] XML External Entity (XXE) \u2014 .NET XmlDocument / XmlTextReader: .NET XmlDocument and XmlTextReader expand externa", "shortDescription": {"text": "[SEC025] XML External Entity (XXE) \u2014 .NET XmlDocument / XmlTextReader: .NET XmlDocument and XmlTextReader expand external entities by default in pre-4.5.2 runtimes (and even later if XmlResolver is left at default). Allows file disclosure a"}, "fullDescription": {"text": "Set XmlResolver = null on XmlDocument before Load. On XmlReader, pass XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null }. Prefer XDocument / XElement which don't expand external entities by default."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/735"}, "properties": {"repository": "microsoft/PowerToys", "repoUrl": "https://github.com/microsoft/PowerToys", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 60080, "scanner": "repobility-ast-engine", "fingerprint": "95b543808e39e90f7cae8c9bf5b9950bae58f9983d7564a4ccd8ac961434dec2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|95b543808e39e90f7cae8c9bf5b9950bae58f9983d7564a4ccd8ac961434dec2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/WrapSimulator/wrap_simulator.py"}, "region": {"startLine": 1086}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 60079, "scanner": "repobility-ast-engine", "fingerprint": "6f527962c6be537eea95718aea826083c1f035a8616265f6edc5c9494927bf72", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6f527962c6be537eea95718aea826083c1f035a8616265f6edc5c9494927bf72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/WrapSimulator/wrap_simulator.py"}, "region": {"startLine": 1808}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 60073, "scanner": "repobility-ast-engine", "fingerprint": "7c0627dd08dcf57fd0ce97c3c18fdcebb9966d38be38c16107c3c7f6eeb9ae9e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7c0627dd08dcf57fd0ce97c3c18fdcebb9966d38be38c16107c3c7f6eeb9ae9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/WrapSimulator/test_new_algorithm.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 60071, "scanner": "repobility-ast-engine", "fingerprint": "fb87ef11c9c4b14242a21e00cc02b8f96d13f58ba66e6f0c2904d2fe343e1cbe", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fb87ef11c9c4b14242a21e00cc02b8f96d13f58ba66e6f0c2904d2fe343e1cbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/analyze_test_results.py"}, "region": {"startLine": 424}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 60050, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 60040, "scanner": "repobility-threat-engine", "fingerprint": "466edee60b00f04cc7b4dc1c1c8af8edc1f8e9cff42b1a26d94ba27bbbdf80f9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "}\n        catch (UnauthorizedAccessException)\n        {\n            return null;\n        }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|466edee60b00f04cc7b4dc1c1c8af8edc1f8e9cff42b1a26d94ba27bbbdf80f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/cmdpal/ext/Microsoft.CmdPal.Ext.Indexer/Helpers/DataPackageHelper.cs"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 60014, "scanner": "repobility-threat-engine", "fingerprint": "f4bf41cf0bb8c67b2a8395b36d032ce2f820c30ea3b578c7b300c880b14e319e", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\"^\\\\s*//\\\\s*#?region\\\\b\"),end:new RegExp(\"^\\\\s*//\\\\s*#?endregion\\\\b\")}}},o={defaultToken:", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f4bf41cf0bb8c67b2a8395b36d032ce2f820c30ea3b578c7b300c880b14e319e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Monaco/monacoSRC/min/vs/basic-languages/javascript/javascript.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 60013, "scanner": "repobility-threat-engine", "fingerprint": "91a7b75d791d075093b6b47364342f7b35337b42e9acf51aa004627181642d4e", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\"^\\\\s*//\\\\s*(?:(?:#?region\\\\b)|(?:<editor-fold\\\\b))\"),end:new RegExp(\"^\\\\s*//\\\\s*(?:(?:#?", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|91a7b75d791d075093b6b47364342f7b35337b42e9acf51aa004627181642d4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Monaco/monacoSRC/min/vs/basic-languages/java/java.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 60012, "scanner": "repobility-threat-engine", "fingerprint": "d413425117012687418ef75c2b6a69e22edffec9d93fca885264c16bc4821984", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\"^\\\\s*//\\\\s*(?:(?:#?region\\\\b)|(?:<editor-fold\\\\b))\"),end:new RegExp(\"^\\\\s*//\\\\s*(?:(?:#?", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d413425117012687418ef75c2b6a69e22edffec9d93fca885264c16bc4821984"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Monaco/monacoSRC/min/vs/basic-languages/apex/apex.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60049, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a0a31f72fc16c6cd3e2e0af956ecb3283bc3bcf1d43697b6814c7485eb953fa0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/modules/CropAndLock/CropAndLock/ScreenshotCropAndLockWindow.cpp", "duplicate_line": 5, "correlation_key": "fp|a0a31f72fc16c6cd3e2e0af956ecb3283bc3bcf1d43697b6814c7485eb953fa0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/CropAndLock/CropAndLock/ThumbnailCropAndLockWindow.cpp"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60048, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5ab9fce296fc287d5d5b105e0134b83ef78851dff6dde48ae96bed9185865070", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/modules/CropAndLock/CropAndLock/ChildWindow.cpp", "duplicate_line": 9, "correlation_key": "fp|5ab9fce296fc287d5d5b105e0134b83ef78851dff6dde48ae96bed9185865070"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/CropAndLock/CropAndLock/ReparentCropAndLockWindow.cpp"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60047, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d255ff2606965f628fe40167336a8c00985b0692c831f33b02eb84c49bf1488a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/common/ManagedCommon/NativeMethods.cs", "duplicate_line": 72, "correlation_key": "fp|d255ff2606965f628fe40167336a8c00985b0692c831f33b02eb84c49bf1488a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/AdvancedPaste/AdvancedPaste/Helpers/NativeMethods.cs"}, "region": {"startLine": 54}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60046, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a504d1dc6234af026f1337db5e60b8bb2ea5946ae92a683007711934d0cd2d2a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/common/logger/logger_settings.cpp", "duplicate_line": 8, "correlation_key": "fp|a504d1dc6234af026f1337db5e60b8bb2ea5946ae92a683007711934d0cd2d2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/common/utils/json.h"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60045, "scanner": "repobility-ai-code-hygiene", "fingerprint": "672c9855127d23afbcb0a557001cf8be486878fa54c2cca04c8bb824d8cc2f56", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/common/UITestAutomation/Element/Pane.cs", "duplicate_line": 35, "correlation_key": "fp|672c9855127d23afbcb0a557001cf8be486878fa54c2cca04c8bb824d8cc2f56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/common/UITestAutomation/Element/Tab.cs"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60044, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4686e39084a5903bb7ac79f72c34403cd08e43454c2347b2521f32f025666a41", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/common/UITestAutomation/Element/Element.cs", "duplicate_line": 85, "correlation_key": "fp|4686e39084a5903bb7ac79f72c34403cd08e43454c2347b2521f32f025666a41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/common/UITestAutomation/Element/NavigationViewItem.cs"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60043, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f0318f0b6d0edb703b5ccea1d284ee7d2b664c7fdc7348c293ae87a18814edfc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/common/Telemetry/EtwTrace/EtwTrace.cpp", "duplicate_line": 22, "correlation_key": "fp|f0318f0b6d0edb703b5ccea1d284ee7d2b664c7fdc7348c293ae87a18814edfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/common/Telemetry/TraceBase.h"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60042, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d2872eee21381fdf08daeb1a5ab97c3c86acd2e55c9698c554ccb7be2d5aebd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/common/SettingsAPI/settings_helpers.cpp", "duplicate_line": 11, "correlation_key": "fp|9d2872eee21381fdf08daeb1a5ab97c3c86acd2e55c9698c554ccb7be2d5aebd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/common/Telemetry/EtwTrace/EtwTrace.cpp"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 60041, "scanner": "repobility-ai-code-hygiene", "fingerprint": "08405a0a683d6527d6f830c750e7f87e7c63a6e22a490cb0e028fb39febb953f", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|08405a0a683d6527d6f830c750e7f87e7c63a6e22a490cb0e028fb39febb953f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Update/PowerToys.Update.cpp"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 60031, "scanner": "repobility-threat-engine", "fingerprint": "f0e545741af717dbfdc8457e67ff7983fcb4079448de65687315eabd80207a60", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Score = \" + Score + \", Item = \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f0e545741af717dbfdc8457e67ff7983fcb4079448de65687315eabd80207a60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/cmdpal/Microsoft.CmdPal.Common/Helpers/InternalListHelpers.cs"}, "region": {"startLine": 140}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 60030, "scanner": "repobility-threat-engine", "fingerprint": "2f8488f074e8aa2790c2176804cffa6d338b2b18ccebbb3ef954ee768f0ff4d6", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Logger.LogDebug(\"CreateProcessInInputDesktopSession called, launching \" + commandLineWithArg + \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2f8488f074e8aa2790c2176804cffa6d338b2b18ccebbb3ef954ee768f0ff4d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseWithoutBorders/App/Core/Launch.cs"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 60027, "scanner": "repobility-threat-engine", "fingerprint": "f0dabdc6acb5549a4173e20a666054f2ed6a2a1ac068e87cbef9c7003212d572", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".InnerHtml = R", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|98|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/AdvancedPaste/AdvancedPaste/Helpers/MarkdownHelper.cs"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 60039, "scanner": "repobility-threat-engine", "fingerprint": "c5b55684d1b5a0cbbcc8d48e49e05cb2a49cb5e49dcaf62fc9474e0432bcd24b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c5b55684d1b5a0cbbcc8d48e49e05cb2a49cb5e49dcaf62fc9474e0432bcd24b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/cmdpal/Microsoft.CmdPal.UI/Settings/InternalPage.SampleData.cs"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 60037, "scanner": "repobility-threat-engine", "fingerprint": "fbbcecfca7306982ba567875e83c6c948017a7240bcb5f1661624baaa943e47d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fbbcecfca7306982ba567875e83c6c948017a7240bcb5f1661624baaa943e47d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/cmdpal/ExtensionTemplate/TemplateCmdPalExtension/TemplateCmdPalExtension/Pages/TemplateCmdPalExtensionPage.cs"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 60035, "scanner": "repobility-threat-engine", "fingerprint": "133d0321df668823d68fda7a262cc53d13053f2174d79a753e1fabffb7f20eec", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|133d0321df668823d68fda7a262cc53d13053f2174d79a753e1fabffb7f20eec", "aggregated_count": 4}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 60034, "scanner": "repobility-threat-engine", "fingerprint": "35954b43798c9b57a19bbded4dbd4e2321a8635408dfc1902b40974226c5bbd8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|35954b43798c9b57a19bbded4dbd4e2321a8635408dfc1902b40974226c5bbd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/cmdpal/Microsoft.CmdPal.UI.ViewModels/Commands/CreatedExtensionForm.cs"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 60033, "scanner": "repobility-threat-engine", "fingerprint": "538aa5bf5f4ed01959f1030e34a80b8d9b4491fcb913ffe4fa62338f75cb9a3f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|538aa5bf5f4ed01959f1030e34a80b8d9b4491fcb913ffe4fa62338f75cb9a3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/Workspaces/WorkspacesLib.UnitTests/AppUtilsTests.cpp"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 60032, "scanner": "repobility-threat-engine", "fingerprint": "3c367a4aaa174b62cce32cf66aeef7a4e378cfbe71021b61d816568853e963b6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3c367a4aaa174b62cce32cf66aeef7a4e378cfbe71021b61d816568853e963b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseWithoutBorders/App/Helper/Program.cs"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED080", "level": "none", "message": {"text": "[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace."}, "properties": {"repobilityId": 60029, "scanner": "repobility-threat-engine", "fingerprint": "480f99234efbc80155a9e33b80bb7f380b1a3b9d9fa5db1dc6c97d754d69bed9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-using-namespace-std", "owasp": null, "cwe_ids": [], "languages": ["cpp", "h", "hpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348123+00:00", "triaged_in_corpus": 12, "observations_count": 3566, "ai_coder_pattern_id": 133}, "scanner": "repobility-threat-engine", "correlation_key": "fp|480f99234efbc80155a9e33b80bb7f380b1a3b9d9fa5db1dc6c97d754d69bed9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/Workspaces/WorkspacesLib/SteamGameHelper.cpp"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED080", "level": "none", "message": {"text": "[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace."}, "properties": {"repobilityId": 60028, "scanner": "repobility-threat-engine", "fingerprint": "07cdad79d2508f35bf7bf010d910e56e8f1a7f74b6426ad7218b0130150f7b2a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-using-namespace-std", "owasp": null, "cwe_ids": [], "languages": ["cpp", "h", "hpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348123+00:00", "triaged_in_corpus": 12, "observations_count": 3566, "ai_coder_pattern_id": 133}, "scanner": "repobility-threat-engine", "correlation_key": "fp|07cdad79d2508f35bf7bf010d910e56e8f1a7f74b6426ad7218b0130150f7b2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/LightSwitch/LightSwitchService/LightSwitchSettings.cpp"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "properties": {"repobilityId": 60026, "scanner": "repobility-threat-engine", "fingerprint": "f78485f10c2cb9d54d8499710981cd785d225a3af0081e9e28b2ede9cee3aeb4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 22 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f78485f10c2cb9d54d8499710981cd785d225a3af0081e9e28b2ede9cee3aeb4", "aggregated_count": 22}}}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 60025, "scanner": "repobility-threat-engine", "fingerprint": "02e0b9b36d15ad87470a706826fbd8db9ec991858b48f98fca24960fafc4174a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|02e0b9b36d15ad87470a706826fbd8db9ec991858b48f98fca24960fafc4174a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/common/UITestAutomation/VisualAssert.cs"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 60024, "scanner": "repobility-threat-engine", "fingerprint": "905a281836d86e5af2f26ed15d953f114b319f4e9205e4daf31577501b2d5ac5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|905a281836d86e5af2f26ed15d953f114b319f4e9205e4daf31577501b2d5ac5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/common/UITestAutomation/Element/By.cs"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 60023, "scanner": "repobility-threat-engine", "fingerprint": "8866af0ff663a4af84c05444d24fb0e43372206bda0e697f0aa67e5b9a0a768f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8866af0ff663a4af84c05444d24fb0e43372206bda0e697f0aa67e5b9a0a768f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/common/LanguageModelProvider/FoundryLocalModelProvider.cs"}, "region": {"startLine": 193}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 33 more): Same pattern found in 33 additional files. Review if needed."}, "properties": {"repobilityId": 60022, "scanner": "repobility-threat-engine", "fingerprint": "b91ad3a3de252eaa547f9ced06f21aa908a1a2db3f0b72e8aee0b1c2de09ea29", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 33 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 33 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b91ad3a3de252eaa547f9ced06f21aa908a1a2db3f0b72e8aee0b1c2de09ea29"}}}, {"ruleId": "SEC031", "level": "none", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 60015, "scanner": "repobility-threat-engine", "fingerprint": "737c644650fb48be98c46b291a69035a7903b8a76e27a41c891e01bbff4d399f", "category": "redos", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|737c644650fb48be98c46b291a69035a7903b8a76e27a41c891e01bbff4d399f"}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 60011, "scanner": "repobility-threat-engine", "fingerprint": "e03e6a2b6b6ee41f1a74d67c56597122977a93f191919b444ee7dc3ea80d68bd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e03e6a2b6b6ee41f1a74d67c56597122977a93f191919b444ee7dc3ea80d68bd", "aggregated_count": 18}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 60010, "scanner": "repobility-threat-engine", "fingerprint": "d5bcdf75eaadca09cf074304ee30b40ac0307ce0964fb40200a65cbe865d7c2d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d5bcdf75eaadca09cf074304ee30b40ac0307ce0964fb40200a65cbe865d7c2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/EnvironmentVariables/EnvironmentVariablesModuleInterface/dllmain.cpp"}, "region": {"startLine": 285}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 60009, "scanner": "repobility-threat-engine", "fingerprint": "5e6818fe2446fd8804413ed2b36515717f4666cb95c780ccc7200ecdfa7d9bef", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5e6818fe2446fd8804413ed2b36515717f4666cb95c780ccc7200ecdfa7d9bef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/common/interop/TwoWayPipeMessageIPCManaged.cpp"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 60008, "scanner": "repobility-threat-engine", "fingerprint": "88713dbd41e0e8240a75c42ad674cebe20f91a6f41c2bff9be83932a66d977a8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|88713dbd41e0e8240a75c42ad674cebe20f91a6f41c2bff9be83932a66d977a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "installer/PowerToysSetupVNext/SilentFilesInUseBA/SilentFilesInUseBAFunctions.cpp"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 60007, "scanner": "repobility-threat-engine", "fingerprint": "86caffc9095f814202dc69e94d7891ec368c28331c28f6486f60291c1da75cc7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|86caffc9095f814202dc69e94d7891ec368c28331c28f6486f60291c1da75cc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/telemetry-pr-check.js"}, "region": {"startLine": 259}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 60006, "scanner": "repobility-threat-engine", "fingerprint": "462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 60001, "scanner": "repobility-threat-engine", "fingerprint": "e30f4d511ed8589f85857803ed567206d151f2e5d6d3951dfdadd20712eec03b", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "console.log(`Event name: ${process.env.GITHUB_EVENT_NAME || 'unknown'}`)", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|. token|28|console.log event name: token unknown"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/telemetry-pr-check.js"}, "region": {"startLine": 284}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `installer/PowerToysSetupVNext/WebView2/MicrosoftEdgeWebview2Setup.exe` committed in source repo: `installer/PowerToysSetupVNext/WebView2/MicrosoftEdgeWebview2Setup.exe` is a .exe binary (1,815,368 bytes) committed to a repo that otherwise has 4965 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 60092, "scanner": "repobility-supply-chain", "fingerprint": "5d4909690bee33644515db810baf74f16383353ab8d70c0d9183b9a87d1241f1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5d4909690bee33644515db810baf74f16383353ab8d70c0d9183b9a87d1241f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "installer/PowerToysSetupVNext/WebView2/MicrosoftEdgeWebview2Setup.exe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60091, "scanner": "repobility-supply-chain", "fingerprint": "9b3c9e7a35d9bfda23fe3d0613adad96d819053be0872d1205d03c2a9ac3b4b9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9b3c9e7a35d9bfda23fe3d0613adad96d819053be0872d1205d03c2a9ac3b4b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/telemetry-pr-check.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pelikhan/action-genai-issue-dedup` pinned to mutable ref `@v0`: `uses: pelikhan/action-genai-issue-dedup@v0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60090, "scanner": "repobility-supply-chain", "fingerprint": "fa7b5a727dcd712e54192aab05d7b74aa3080c9e225f4d3de08b1642b18335ad", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fa7b5a727dcd712e54192aab05d7b74aa3080c9e225f4d3de08b1642b18335ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/manual-batch-issue-deduplication.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60089, "scanner": "repobility-supply-chain", "fingerprint": "113c9e55347efd86fb72f61811ebe2b69da48bffe2f70f2f35e7b27430af4fb1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|113c9e55347efd86fb72f61811ebe2b69da48bffe2f70f2f35e7b27430af4fb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/manual-batch-issue-deduplication.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60088, "scanner": "repobility-supply-chain", "fingerprint": "0792da04528dd03acd074d0ff398b1719de8a711fac48ef258411c7d307685c6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0792da04528dd03acd074d0ff398b1719de8a711fac48ef258411c7d307685c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto-label-issues.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pelikhan/action-genai-issue-dedup` pinned to mutable ref `@v0`: `uses: pelikhan/action-genai-issue-dedup@v0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60087, "scanner": "repobility-supply-chain", "fingerprint": "a8797e0b633b9d1f50524b945eceeccf570304cec296e7d3bb6a8da8491d642c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a8797e0b633b9d1f50524b945eceeccf570304cec296e7d3bb6a8da8491d642c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/automatic-issue-deduplication.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/dependency-review-action` pinned to mutable ref `@v4`: `uses: actions/dependency-review-action@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60086, "scanner": "repobility-supply-chain", "fingerprint": "fa2823b8d8111ca6fcba92d0bb3c6cc4c8775c45f79968d03d7a02964b134351", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fa2823b8d8111ca6fcba92d0bb3c6cc4c8775c45f79968d03d7a02964b134351"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dependency-review.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60085, "scanner": "repobility-supply-chain", "fingerprint": "ba06bc32c727028156516fae65ce79ac27ec261e3514995b0103895ac9aa99f9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ba06bc32c727028156516fae65ce79ac27ec261e3514995b0103895ac9aa99f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dependency-review.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `azure/cli` pinned to mutable ref `@v3`: `uses: azure/cli@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60084, "scanner": "repobility-supply-chain", "fingerprint": "f61d3e6cefd10fe21ba435ecc018d7e3da1adfa845125652a90eac3957c542c0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f61d3e6cefd10fe21ba435ecc018d7e3da1adfa845125652a90eac3957c542c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/msstore-submissions.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `microsoft/setup-msstore-cli` pinned to mutable ref `@v1`: `uses: microsoft/setup-msstore-cli@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60083, "scanner": "repobility-supply-chain", "fingerprint": "a1d2dea212a32a562c65477d6dfbec0cb8d0c77c0eb51fbd6086e40ca68f83c6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a1d2dea212a32a562c65477d6dfbec0cb8d0c77c0eb51fbd6086e40ca68f83c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/msstore-submissions.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-dotnet` pinned to mutable ref `@v5`: `uses: actions/setup-dotnet@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60082, "scanner": "repobility-supply-chain", "fingerprint": "54698617c57d21b26d7d2d969481baad4bb9feb8e36a4b169a11e42038db9aef", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|54698617c57d21b26d7d2d969481baad4bb9feb8e36a4b169a11e42038db9aef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/msstore-submissions.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `azure/login` pinned to mutable ref `@v3`: `uses: azure/login@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 60081, "scanner": "repobility-supply-chain", "fingerprint": "99ea32c71f255c3f8157f26f8da46c7ecbff45842a4ceb4fab464f7ef165d96c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|99ea32c71f255c3f8157f26f8da46c7ecbff45842a4ceb4fab464f7ef165d96c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/msstore-submissions.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._calculate_projected_position` used but never assigned in __init__: Method `find_nearest_opposite_edge` of class `MonitorTopology` reads `self._calculate_projected_position`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60078, "scanner": "repobility-ast-engine", "fingerprint": "cd1ed7513e76c95ed4078d4cf6f5d970896ff2e8a6146cdb6296bb490c548a10", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cd1ed7513e76c95ed4078d4cf6f5d970896ff2e8a6146cdb6296bb490c548a10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/WrapSimulator/wrap_simulator.py"}, "region": {"startLine": 378}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.find_opposite_outer_edge` used but never assigned in __init__: Method `find_nearest_opposite_edge` of class `MonitorTopology` reads `self.find_opposite_outer_edge`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60077, "scanner": "repobility-ast-engine", "fingerprint": "a3441e87db7072fe59a62c472debc60c39685b199707b2e1b6f85b75d003e371", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a3441e87db7072fe59a62c472debc60c39685b199707b2e1b6f85b75d003e371"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/WrapSimulator/wrap_simulator.py"}, "region": {"startLine": 323}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._edges_are_adjacent` used but never assigned in __init__: Method `_identify_outer_edges` of class `MonitorTopology` reads `self._edges_are_adjacent`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60076, "scanner": "repobility-ast-engine", "fingerprint": "b388a9215da1220ce2ce3365b31c1b98b32ceaf62d8c9f4c7e9bb3819b814c5b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b388a9215da1220ce2ce3365b31c1b98b32ceaf62d8c9f4c7e9bb3819b814c5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/WrapSimulator/wrap_simulator.py"}, "region": {"startLine": 237}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._identify_outer_edges` used but never assigned in __init__: Method `initialize` of class `MonitorTopology` reads `self._identify_outer_edges`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60075, "scanner": "repobility-ast-engine", "fingerprint": "52e5e85c87871341a1b17b52e5850c2ffbfc49e9ad86c4a8548401cf1013280b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|52e5e85c87871341a1b17b52e5850c2ffbfc49e9ad86c4a8548401cf1013280b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/WrapSimulator/wrap_simulator.py"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._build_edge_map` used but never assigned in __init__: Method `initialize` of class `MonitorTopology` reads `self._build_edge_map`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60074, "scanner": "repobility-ast-engine", "fingerprint": "cac00de29de4fa357f1dab02c4c42ce2fa0a3df94d0988820252a0dadbceb8c2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cac00de29de4fa357f1dab02c4c42ce2fa0a3df94d0988820252a0dadbceb8c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/WrapSimulator/wrap_simulator.py"}, "region": {"startLine": 177}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_layout: Test function `test_layout` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 60072, "scanner": "repobility-ast-engine", "fingerprint": "035846f3db7b9921564abe55a7b3c91c0d4ed48e1822ae8fbff97e4602afa824", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|035846f3db7b9921564abe55a7b3c91c0d4ed48e1822ae8fbff97e4602afa824"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/WrapSimulator/test_new_algorithm.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.detailed_failure_dump` used but never assigned in __init__: Method `run_analysis` of class `TestResultAnalyzer` reads `self.detailed_failure_dump`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60070, "scanner": "repobility-ast-engine", "fingerprint": "3a9e07d517fb8ac4169fd3aa86de8bfc45ea3abfdb08ecf76546b33418dbfa62", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3a9e07d517fb8ac4169fd3aa86de8bfc45ea3abfdb08ecf76546b33418dbfa62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/analyze_test_results.py"}, "region": {"startLine": 382}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.analyze_wrap_calculation_failures` used but never assigned in __init__: Method `run_analysis` of class `TestResultAnalyzer` reads `self.analyze_wrap_calculation_failures`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60069, "scanner": "repobility-ast-engine", "fingerprint": "c20f6da8d1aa35037c96234e9a33c614660a7221485ed399018e00c589817987", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c20f6da8d1aa35037c96234e9a33c614660a7221485ed399018e00c589817987"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/analyze_test_results.py"}, "region": {"startLine": 376}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generate_github_copilot_prompt` used but never assigned in __init__: Method `run_analysis` of class `TestResultAnalyzer` reads `self.generate_github_copilot_prompt`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60068, "scanner": "repobility-ast-engine", "fingerprint": "281eae6823b390fc31c34786b2b1b999ae48b40cc2bfb28b7ed7b0294c0d03ce", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|281eae6823b390fc31c34786b2b1b999ae48b40cc2bfb28b7ed7b0294c0d03ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/analyze_test_results.py"}, "region": {"startLine": 363}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.print_recommendations` used but never assigned in __init__: Method `run_analysis` of class `TestResultAnalyzer` reads `self.print_recommendations`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60067, "scanner": "repobility-ast-engine", "fingerprint": "57f2df89ad44015c9af1cc83c6cbe8bfadc9cf024dcfe70eff069a21fb08b1f5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|57f2df89ad44015c9af1cc83c6cbe8bfadc9cf024dcfe70eff069a21fb08b1f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/analyze_test_results.py"}, "region": {"startLine": 379}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.explain_common_issues` used but never assigned in __init__: Method `run_analysis` of class `TestResultAnalyzer` reads `self.explain_common_issues`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60066, "scanner": "repobility-ast-engine", "fingerprint": "df9967bf81f462d1f17c0c39ab30adb9b3fd9dc45ba45873be99a5318e1b91b2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|df9967bf81f462d1f17c0c39ab30adb9b3fd9dc45ba45873be99a5318e1b91b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/analyze_test_results.py"}, "region": {"startLine": 378}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.analyze_failure_patterns` used but never assigned in __init__: Method `run_analysis` of class `TestResultAnalyzer` reads `self.analyze_failure_patterns`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60065, "scanner": "repobility-ast-engine", "fingerprint": "f56766bd6f33b6756c8fc4e219e86b17e95c3acf258f88e8f034271d24debeb8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f56766bd6f33b6756c8fc4e219e86b17e95c3acf258f88e8f034271d24debeb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/analyze_test_results.py"}, "region": {"startLine": 372}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.print_overview` used but never assigned in __init__: Method `run_analysis` of class `TestResultAnalyzer` reads `self.print_overview`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60064, "scanner": "repobility-ast-engine", "fingerprint": "7e4a4be5101a1cbabbe4f9fdc6858b6a51ae38a238acf32eaf1b6d9c276884cc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7e4a4be5101a1cbabbe4f9fdc6858b6a51ae38a238acf32eaf1b6d9c276884cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/analyze_test_results.py"}, "region": {"startLine": 366}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._generate_recommendations` used but never assigned in __init__: Method `_save_report` of class `TestRunner` reads `self._generate_recommendations`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60063, "scanner": "repobility-ast-engine", "fingerprint": "18f6416db3ad686c2b401804cb7523643581f4cf19ebb6dc0b744cb234f8a1a6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|18f6416db3ad686c2b401804cb7523643581f4cf19ebb6dc0b744cb234f8a1a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/monitor_layout_tests.py"}, "region": {"startLine": 802}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._print_layout_diagram` used but never assigned in __init__: Method `run_all_tests` of class `TestRunner` reads `self._print_layout_diagram`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60062, "scanner": "repobility-ast-engine", "fingerprint": "d1e0897ccdb9e35cef2ad413a0bd5cbdb8561788ef28bc8117b0342e9d206001", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d1e0897ccdb9e35cef2ad413a0bd5cbdb8561788ef28bc8117b0342e9d206001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/monitor_layout_tests.py"}, "region": {"startLine": 691}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._run_test_config` used but never assigned in __init__: Method `run_all_tests` of class `TestRunner` reads `self._run_test_config`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60061, "scanner": "repobility-ast-engine", "fingerprint": "1278542ea737fcbc4a0d79131c61575bc2131dd0172c03f39363eef8a2e90d53", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1278542ea737fcbc4a0d79131c61575bc2131dd0172c03f39363eef8a2e90d53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/monitor_layout_tests.py"}, "region": {"startLine": 702}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._save_report` used but never assigned in __init__: Method `run_all_tests` of class `TestRunner` reads `self._save_report`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60060, "scanner": "repobility-ast-engine", "fingerprint": "caf6bb1385d44a013b4edbbf3d29a7f64e140e8ae3f0b57c4836143bdcbab897", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|caf6bb1385d44a013b4edbbf3d29a7f64e140e8ae3f0b57c4836143bdcbab897"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/monitor_layout_tests.py"}, "region": {"startLine": 706}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._print_summary` used but never assigned in __init__: Method `run_all_tests` of class `TestRunner` reads `self._print_summary`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60059, "scanner": "repobility-ast-engine", "fingerprint": "d147575c2237b27ac20cd9174ab5d32d79ff37de9124c1f7a54be64dc4c4ef62", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d147575c2237b27ac20cd9174ab5d32d79ff37de9124c1f7a54be64dc4c4ef62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/monitor_layout_tests.py"}, "region": {"startLine": 705}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._point_in_range` used but never assigned in __init__: Method `_wrap_from_edge` of class `MonitorTopology` reads `self._point_in_range`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60058, "scanner": "repobility-ast-engine", "fingerprint": "7dbe65bd25b378d1ae8b1f85235dbcc23362253ab126247a154b0ef09a2d56a8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7dbe65bd25b378d1ae8b1f85235dbcc23362253ab126247a154b0ef09a2d56a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/monitor_layout_tests.py"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_opposite_edge_type` used but never assigned in __init__: Method `_wrap_from_edge` of class `MonitorTopology` reads `self._get_opposite_edge_type`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60057, "scanner": "repobility-ast-engine", "fingerprint": "516458122339a23e7d8b212b2bd8f63ac901864e644427ea6628e5d59c4049cc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|516458122339a23e7d8b212b2bd8f63ac901864e644427ea6628e5d59c4049cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/monitor_layout_tests.py"}, "region": {"startLine": 219}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._wrap_from_edge` used but never assigned in __init__: Method `calculate_wrap_position` of class `MonitorTopology` reads `self._wrap_from_edge`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60056, "scanner": "repobility-ast-engine", "fingerprint": "7f0e1128cff6a4c165527d927ff0f46c37d88f883fcd3464db65982537c488d4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7f0e1128cff6a4c165527d927ff0f46c37d88f883fcd3464db65982537c488d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/monitor_layout_tests.py"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._is_on_edge` used but never assigned in __init__: Method `calculate_wrap_position` of class `MonitorTopology` reads `self._is_on_edge`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60055, "scanner": "repobility-ast-engine", "fingerprint": "c170353abc0d79cb8eac045cb23b642c2bcb65de7026cb80fb5f08ab1a90cc02", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c170353abc0d79cb8eac045cb23b642c2bcb65de7026cb80fb5f08ab1a90cc02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/monitor_layout_tests.py"}, "region": {"startLine": 198}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._ranges_overlap` used but never assigned in __init__: Method `_is_outer_edge` of class `MonitorTopology` reads `self._ranges_overlap`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60054, "scanner": "repobility-ast-engine", "fingerprint": "29e725b6d5b03537906cdc2ed6a8607f9906183c9ca941bfcec23a5c84900a1a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|29e725b6d5b03537906cdc2ed6a8607f9906183c9ca941bfcec23a5c84900a1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/monitor_layout_tests.py"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_opposite_edge_type` used but never assigned in __init__: Method `_is_outer_edge` of class `MonitorTopology` reads `self._get_opposite_edge_type`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60053, "scanner": "repobility-ast-engine", "fingerprint": "f8d44a2e742afa1205b5fe83c9d52365ed3c45dd62a3622da57c6c19aaed9dfe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f8d44a2e742afa1205b5fe83c9d52365ed3c45dd62a3622da57c6c19aaed9dfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/monitor_layout_tests.py"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._is_outer_edge` used but never assigned in __init__: Method `_detect_outer_edges` of class `MonitorTopology` reads `self._is_outer_edge`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60052, "scanner": "repobility-ast-engine", "fingerprint": "1a17f726e71a7b36469ad1adfaebf2a891b6cdaf501891e44aeb39d8fd4d2ea4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1a17f726e71a7b36469ad1adfaebf2a891b6cdaf501891e44aeb39d8fd4d2ea4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/monitor_layout_tests.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._collect_all_edges` used but never assigned in __init__: Method `_detect_outer_edges` of class `MonitorTopology` reads `self._collect_all_edges`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60051, "scanner": "repobility-ast-engine", "fingerprint": "b95b670ec8b6bfc2f66134ff29aed29a2ab07c944e6d6872903fd838ada5b5ee", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b95b670ec8b6bfc2f66134ff29aed29a2ab07c944e6d6872903fd838ada5b5ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseUtils/CursorWrap/CursorWrapTests/monitor_layout_tests.py"}, "region": {"startLine": 108}}}]}, {"ruleId": "SEC061", "level": "error", "message": {"text": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT)."}, "properties": {"repobilityId": 60038, "scanner": "repobility-threat-engine", "fingerprint": "999f27f31fd381dec7dece80cf3100ad4c3adbb9dcf0e092c427bfc6ffa540e7", "category": "secret", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnR", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC061", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|3|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/cmdpal/Microsoft.CmdPal.UI/Settings/InternalPage.SampleData.cs"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED017", "level": "error", "message": {"text": "[MINED017] C System Call: system() invokes shell. command injection if any arg is dynamic."}, "properties": {"repobilityId": 60036, "scanner": "repobility-threat-engine", "fingerprint": "3fa2ee6b910659a091ef1e23c6563e166f4af2b61e6817f87915a36081b6e4ec", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347937+00:00", "triaged_in_corpus": 15, "observations_count": 77748, "ai_coder_pattern_id": 132}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3fa2ee6b910659a091ef1e23c6563e166f4af2b61e6817f87915a36081b6e4ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/cmdNotFound/CmdNotFoundModuleInterface/dllmain.cpp"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 60021, "scanner": "repobility-threat-engine", "fingerprint": "8d62a0f57bc01deb86e27827311c8686740ca915e2556b8833ff2ba5e13b24b8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Directory.Delete(directory.FullName, true);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8d62a0f57bc01deb86e27827311c8686740ca915e2556b8833ff2ba5e13b24b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/common/ManagedCommon/Logger.cs"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 60020, "scanner": "repobility-threat-engine", "fingerprint": "c53a46087e162abb7aba103dc3a962294392f0bae85358d8f36788c70eb629d8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "file.Delete();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c53a46087e162abb7aba103dc3a962294392f0bae85358d8f36788c70eb629d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/common/FilePreviewCommon/Helper.cs"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 60019, "scanner": "repobility-threat-engine", "fingerprint": "4e51a8342b457842290a2d6d28a011799e5072deb6f9d50cefc764f24205e907", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "xmlDocument.Save(xmlWriter);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4e51a8342b457842290a2d6d28a011799e5072deb6f9d50cefc764f24205e907"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/common/FilePreviewCommon/Formatters/XmlFormatter.cs"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC025", "level": "error", "message": {"text": "[SEC025] XML External Entity (XXE) \u2014 .NET XmlDocument / XmlTextReader: .NET XmlDocument and XmlTextReader expand external entities by default in pre-4.5.2 runtimes (and even later if XmlResolver is left at default). Allows file disclosure and SSRF via XXE."}, "properties": {"repobilityId": 60018, "scanner": "repobility-threat-engine", "fingerprint": "e65b9e510b799740bedc3d0fe525a170cf1cd0e1b147f606bca500df8d84daf9", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new XmlDocument()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC025", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e65b9e510b799740bedc3d0fe525a170cf1cd0e1b147f606bca500df8d84daf9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/common/FilePreviewCommon/Formatters/XmlFormatter.cs"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 60017, "scanner": "repobility-threat-engine", "fingerprint": "911dca83f7baf8ff679ea8173673a073b523965d735e3b442aed32b75101ffa2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|911dca83f7baf8ff679ea8173673a073b523965d735e3b442aed32b75101ffa2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Monaco/monacoSRC/min/vs/basic-languages/sparql/sparql.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 60016, "scanner": "repobility-threat-engine", "fingerprint": "b7b0fde0da99bee7891d48d54a8faa933da1e83d9f0cb6ed1c6dd7e4b38d7434", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b7b0fde0da99bee7891d48d54a8faa933da1e83d9f0cb6ed1c6dd7e4b38d7434"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Monaco/monacoSRC/min/vs/basic-languages/hcl/hcl.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 60005, "scanner": "repobility-threat-engine", "fingerprint": "59e5c392a40688cfb45c5be1f55058246f8e7571b66fde73778bfaade6cf9af7", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(m", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|59e5c392a40688cfb45c5be1f55058246f8e7571b66fde73778bfaade6cf9af7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/cmdpal/Microsoft.CmdPal.Common/WinGet/Services/WinGetPackageMetadataHelper.cs"}, "region": {"startLine": 135}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 60004, "scanner": "repobility-threat-engine", "fingerprint": "21b8454c1e86543db6f88f3a28b7bcc36acc8dbb54559c6c2871d3531fe47603", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|21b8454c1e86543db6f88f3a28b7bcc36acc8dbb54559c6c2871d3531fe47603"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/common/updating/updating.cpp"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 60003, "scanner": "repobility-threat-engine", "fingerprint": "4cb9129f68d6f129456b3787ec29f72eba9aa8db19f65f054b1bcb7a425b102b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4cb9129f68d6f129456b3787ec29f72eba9aa8db19f65f054b1bcb7a425b102b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/telemetry-pr-check.js"}, "region": {"startLine": 276}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 60002, "scanner": "repobility-threat-engine", "fingerprint": "93b23267182915a1f1105ccbb280e23982bc82692f7a751e378614e46c9cb791", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "Logger.LogDebug($\"{nameof(NativeMethods.WTSQueryUserToken)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|5|logger.logdebug nameof token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/modules/MouseWithoutBorders/App/Core/Launch.cs"}, "region": {"startLine": 54}}}]}]}]}