{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. 
Avoid persistent browser storage for access, refresh, ID, or partner session tokens."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR017", "name": "Dockerfile installs dependencies after copying the full source tree", "shortDescription": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "fullDescription": {"text": "Copy dependency manifests first, install dependencies in a cached layer, then copy the rest of the source tree."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": 
{"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC127", "name": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedEr", "shortDescription": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. 
The route appears to exist (and may even pass shallow CI), but invoking it crashes or "}, "fullDescription": {"text": "Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `extract_custom_errors_from_file` has cognitive complexity 25 (SonarSource", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `extract_custom_errors_from_file` has cognitive complexity 25 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean cha"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. 
SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 25."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Use `pip install --no-cache-dir ...` in container builds."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 5 more): Same pattern found in 5 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED072", "name": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in.", "shortDescription": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 12 more): Same pattern found in 12 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `redis:7-alpine` unpinned: `container/services image: redis:7-alpine` witho", "shortDescription": {"text": "[MINED126] Workflow container/services image `redis:7-alpine` unpinned: `container/services image: redis:7-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chai"}, "fullDescription": {"text": "Replace with `redis:7-alpine@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `python:3.11.13-trixie` not pinned by digest: `FROM python:3.11.13-trixie` resolves the tag a", "shortDescription": {"text": "[MINED118] Dockerfile FROM `python:3.11.13-trixie` not pinned by digest: `FROM python:3.11.13-trixie` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Prod"}, "fullDescription": {"text": "Replace with: `FROM python:3.11.13-trixie@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_validate_python_package_name_invalid: Test function `test_validate_python_package", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_validate_python_package_name_invalid: Test function `test_validate_python_package_name_invalid` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line co"}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self._git_checkout` used but never assigned in __init__: Method `_git_logs` of class `GitLogs` reads `self._", "shortDescription": {"text": "[MINED108] `self._git_checkout` used but never assigned in __init__: Method `_git_logs` of class `GitLogs` reads `self._git_checkout`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the "}, "fullDescription": {"text": "Initialize `self._git_checkout = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "Create .dockerignore before using broad context copies, or copy only the required files and directories."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download a pinned version over HTTPS to a file, verify it against a checksum or signature that is committed in the repository (or a publisher key pinned in the Dockerfile) rather than one fetched from the same origin as the script, and only then execute it. A `curl ... | sh` step hands the remote host arbitrary code execution inside the build, and a tag or branch URL can serve different content on every build."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with a separate args array; never pass shell strings, and do not set `shell: true` on execFile/spawn, which reintroduces the shell (and the injection) the rule is trying to remove."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding. The framework's raw-HTML escape hatches (dangerouslySetInnerHTML, v-html, {@html}) carry exactly the same risk and need the same sanitization.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED034", "name": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.", "shortDescription": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) to make the intent explicit and survive lint. In Python, keep a strong reference to the `asyncio.create_task` result (e.g. in a set of pending tasks) rather than discarding it as `_`: the event loop holds only a weak reference, so an unreferenced task can be garbage-collected before it finishes."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with a filter-specific encoder. Note that javax.naming.ldap.Rdn.escapeValue escapes DN/RDN syntax, not search-filter syntax (RFC 4515); for Java use Spring's LdapEncoder.filterEncode or an equivalent filter escaper. For python-ldap, use ldap.filter.escape_filter_chars. 
Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  parsed = urlparse(url)\n  if parsed.scheme not in ('http', 'https') or parsed.hostname not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nA hostname allowlist alone is not enough: disable redirects (or re-validate every hop), and enforce the address check at connect time rather than only on the name, because DNS rebinding can point an allowed name at an internal address after validation.\nBlock private and special-use ranges explicitly, including IPv6 and IPv4-mapped forms: 127/8, 0/8, 10/8, 172.16/12, 192.168/16, 169.254/16, ::1, fc00::/7, fe80::/10, ::ffff:0:0/96."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${ secrets.DOCKERHUB_TOKEN }` lets a PR from any fork exfiltrate the se"}, "fullDescription": {"text": "Remove the secret reference from the `pull_request` job. GitHub does not expose repository secrets to `pull_request` runs from forks, so the step is either broken for forks or only works for same-repo branches; either way the reference should not be there. Do NOT simply switch the trigger to `pull_request_target`: that event runs with secrets in the base-repository context, and any checkout or execution of the PR head (`actions/checkout` with the PR's head sha/ref, a package install, a `docker build` of the PR tree) before the secret is consumed becomes a secret-exfiltration path. If publishing genuinely needs the token, split the workflow: build and test the untrusted PR under `pull_request` without secrets, and push from a separate `workflow_run` or `pull_request_target` job that only consumes built artifacts, never executes fork-controlled code, and is gated on a maintainer-applied label or an environment approval."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`", "shortDescription": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import queue` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/822"}, "properties": {"repository": "apache/superset", "repoUrl": "https://github.com/apache/superset", "branch": "master"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 72462, "scanner": "repobility-ast-engine", "fingerprint": "5d43409082c3ab0a345f275c8b50c696c51a56d0430f57926227f6dce583ff83", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5d43409082c3ab0a345f275c8b50c696c51a56d0430f57926227f6dce583ff83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/src/superset_extensions_cli/cli.py"}, "region": {"startLine": 489}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 72461, "scanner": "repobility-ast-engine", "fingerprint": "7bb18b6d4a87165efcc8b52636e69125f77fb8be9df39c02036089a97ceae11a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7bb18b6d4a87165efcc8b52636e69125f77fb8be9df39c02036089a97ceae11a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/src/superset_extensions_cli/cli.py"}, "region": {"startLine": 605}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 72460, "scanner": "repobility-ast-engine", "fingerprint": "72137797268fb5d9e58f2f9527fcc62ae72b58581a2240213ba9d8c76335d201", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|72137797268fb5d9e58f2f9527fcc62ae72b58581a2240213ba9d8c76335d201"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/src/superset_extensions_cli/cli.py"}, "region": {"startLine": 454}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 72459, "scanner": "repobility-ast-engine", "fingerprint": "3644682cafc45fd04cfea501fef4834a90808121067887e628826123460fd897", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3644682cafc45fd04cfea501fef4834a90808121067887e628826123460fd897"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/src/superset_extensions_cli/cli.py"}, "region": {"startLine": 310}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 72418, "scanner": "repobility-ast-engine", "fingerprint": "87cc1d9c233d3eecce05adf52cf331004fd1ca647652069bbc242c3a1a1d4904", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|87cc1d9c233d3eecce05adf52cf331004fd1ca647652069bbc242c3a1a1d4904"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 72417, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 72416, "scanner": "repobility-journey-contract", "fingerprint": "8123812017bbc655cba62433caeb535bead97866af7e4fb277410e3ad9e46c28", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", 
"verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|427|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-frontend/cypress-base/cypress/support/e2e.ts"}, "region": {"startLine": 427}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 72415, "scanner": "repobility-journey-contract", "fingerprint": "5aec837a2c9bbee19844d2f93cfb294028e245b09acee6976ade855a9704e30d", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|372|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-frontend/cypress-base/cypress/support/e2e.ts"}, "region": {"startLine": 372}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 72414, "scanner": "repobility-journey-contract", "fingerprint": "f4224bb298177a58f5ad1a9e59160b1a714d227636202c23e8da30084a80b8ec", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|337|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-frontend/cypress-base/cypress/support/e2e.ts"}, "region": {"startLine": 337}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 72413, "scanner": "repobility-journey-contract", "fingerprint": "b8848575023be7a46a9bf25c34da911349b8eabe5318251d37bae16041f63864", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|314|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-frontend/cypress-base/cypress/support/e2e.ts"}, "region": {"startLine": 314}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 72412, "scanner": "repobility-journey-contract", "fingerprint": "f39c19c6ec8014d191d1e57af025be6ea4269269334a1935701a2e213795555f", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|230|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-frontend/cypress-base/cypress/support/e2e.ts"}, "region": 
{"startLine": 230}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 72411, "scanner": "repobility-journey-contract", "fingerprint": "b186cd1e77c6f4a0279300d106fd0621dc068688bcab5b4e9b07c9964dd98b3b", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|151|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-frontend/cypress-base/cypress/support/e2e.ts"}, "region": {"startLine": 151}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 72410, "scanner": "repobility-journey-contract", "fingerprint": "74baeed1fe1bba4e9d8dd825daa1f71dfc26c1aa509ef96a32260cc2d77a620b", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|121|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-frontend/cypress-base/cypress/support/e2e.ts"}, "region": {"startLine": 121}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, 
"properties": {"repobilityId": 72409, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Django", "Flask"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 72408, "scanner": "repobility-docker", "fingerprint": "448527a071101083fcd9981fd7ec34243d3c4dfaf67438d819bdb6c824323e27", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 19 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 19, "correlation_key": "fp|448527a071101083fcd9981fd7ec34243d3c4dfaf67438d819bdb6c824323e27", "dependency_install_line": 21}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-websocket/Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 72399, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 72398, "scanner": "repobility-docker", "fingerprint": "4da6bec71d31c7c85504298a31927f47fb8a01850be5732c44c0ca0e80e3a8fc", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.11.13-trixie", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4da6bec71d31c7c85504298a31927f47fb8a01850be5732c44c0ca0e80e3a8fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. 
Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 72391, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 72389, "scanner": "repobility-threat-engine", "fingerprint": "70c9a41cac9662476e937f9aa45923127560b952cf21f45ee76ced1c19430273", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|39|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-frontend/packages/superset-ui-chart-controls/src/operators/boxplotOperator.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. 
AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 72388, "scanner": "repobility-threat-engine", "fingerprint": "c0669b4e49e45c53d23e50317b84fd5c262a551f7c046da89059dae9e64ab9dc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Lorem ipsum dolor sit amet", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c0669b4e49e45c53d23e50317b84fd5c262a551f7c046da89059dae9e64ab9dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-frontend/packages/superset-core/src/components/Alert/Alert.stories.tsx"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. 
Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 72375, "scanner": "repobility-threat-engine", "fingerprint": "19d3aad3baf1fc3066ebd08a410878791d28f64962d6d410cd52a226387789f9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def name(self) -> str:\n        raise NotImplementedError", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|19d3aad3baf1fc3066ebd08a410878791d28f64962d6d410cd52a226387789f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-core/src/superset_core/common/models.py"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 72363, "scanner": "repobility-threat-engine", "fingerprint": "5253619b0bda476efb1c96f1333f683cdf0d9ada5268159c79593ff13e363300", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "subprocess.Popen(  # noqa: S602\n            cmd,\n            shell=True", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|scripts/cypress_run.py|81|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cypress_run.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell 
execution or eval of user input."}, "properties": {"repobilityId": 72362, "scanner": "repobility-threat-engine", "fingerprint": "f252dad420f43437d4b9d79fec9b7cadf6265403803c797ab1fe942fe507b200", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "subprocess.check_output(self.command, shell=True", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|scripts/check-env.py|50|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check-env.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `extract_custom_errors_from_file` has cognitive complexity 25 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: elif=1, except=1, for=2, if=4, nested_bonus=17."}, "properties": {"repobilityId": 72353, "scanner": "repobility-threat-engine", "fingerprint": "eb95be351798a161944f126a1c431f2e9accd0b9569dadc74545aa12cfd1192a", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 25 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "extract_custom_errors_from_file", "breakdown": {"if": 4, "for": 2, "elif": 1, "except": 1, "nested_bonus": 17}, "complexity": 25, "correlation_key": "fp|eb95be351798a161944f126a1c431f2e9accd0b9569dadc74545aa12cfd1192a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/scripts/extract_custom_errors.py"}, "region": {"startLine": 139}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 72406, "scanner": "repobility-docker", "fingerprint": "179f8ef466c7ccd279820d872bd11a66199cfdb01eabd9bd20f4c6f9fd1eded0", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|179f8ef466c7ccd279820d872bd11a66199cfdb01eabd9bd20f4c6f9fd1eded0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 285}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 72405, "scanner": "repobility-docker", "fingerprint": "c5a25246aa3ca252d63cf0e8f2222952d20bee4b7ab0e3260cc0028e2394090c", "category": "docker", "severity": "low", "confidence": 0.72, 
"triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c5a25246aa3ca252d63cf0e8f2222952d20bee4b7ab0e3260cc0028e2394090c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 276}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 72404, "scanner": "repobility-docker", "fingerprint": "9cba0f45d6f37dc1dda6e2dbf872961033ceb088a7041c667cdbeedcfe05b355", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9cba0f45d6f37dc1dda6e2dbf872961033ceb088a7041c667cdbeedcfe05b355"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 266}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 72403, "scanner": "repobility-docker", "fingerprint": "750ca978d30533b084de70147fcb3af38fe43ccc8393715cf2d276c7ad1ab22d", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|750ca978d30533b084de70147fcb3af38fe43ccc8393715cf2d276c7ad1ab22d"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 263}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 72402, "scanner": "repobility-docker", "fingerprint": "beb7e52cda47a6c68aa09548ee1783f7822dbdc15d2d60eef25bf7262f977672", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|beb7e52cda47a6c68aa09548ee1783f7822dbdc15d2d60eef25bf7262f977672"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 235}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 72401, "scanner": "repobility-docker", "fingerprint": "2d6eee9346cfe2a643f5494ac6ecb37844fb3c600acdc2ce1d4d00ffdb1aa23c", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|2d6eee9346cfe2a643f5494ac6ecb37844fb3c600acdc2ce1d4d00ffdb1aa23c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 172}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 72396, "scanner": "repobility-docker", "fingerprint": "bf218078d65db057cf9f1beca37770e6753557c2af994ab294e3f0710fb65e02", "category": "docker", "severity": "low", 
"confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bf218078d65db057cf9f1beca37770e6753557c2af994ab294e3f0710fb65e02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72395, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8fcf47a4e8b151fc9aa8a72066b83eab726d9720809ac7c0663bbe813c27251e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "superset-frontend/packages/superset-ui-chart-controls/src/sections/advancedAnalytics.tsx", "duplicate_line": 110, "correlation_key": "fp|8fcf47a4e8b151fc9aa8a72066b83eab726d9720809ac7c0663bbe813c27251e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-frontend/packages/superset-ui-chart-controls/src/sections/timeComparison.tsx"}, "region": {"startLine": 101}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72394, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e7da04dde8417367e287569d8eba34625fd31b79f09ae232e5d0c6117d77537e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "superset-frontend/cypress-base/cypress/e2e/dashboard/shared_dashboard_functions.ts", "duplicate_line": 5, "correlation_key": "fp|e7da04dde8417367e287569d8eba34625fd31b79f09ae232e5d0c6117d77537e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-frontend/cypress-base/cypress/e2e/explore/visualizations/shared.helper.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72393, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1ba7f3bcd2e23595583a651db358c0c4f0f5ff2f9ff2a3456594650b4995ebf5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "superset-frontend/.eslintrc.js", "duplicate_line": 68, "correlation_key": "fp|1ba7f3bcd2e23595583a651db358c0c4f0f5ff2f9ff2a3456594650b4995ebf5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-frontend/.eslintrc.minimal.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72392, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8c2bd3182e63ed287ae178f9eb0b408387d73222d15c139c53be0fe7ee9965a8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears 
in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/generate_frontend_class_component_tasklist.js", "duplicate_line": 2, "correlation_key": "fp|8c2bd3182e63ed287ae178f9eb0b408387d73222d15c139c53be0fe7ee9965a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/generate_frontend_ts_tasklist.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `verify_key` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=1, else=2, if=3, nested_bonus=3."}, "properties": {"repobilityId": 72352, "scanner": "repobility-threat-engine", "fingerprint": "cabafc9961842a5a772a28ad70477cffe6a320841bc753f3f0212f21e7f787db", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "verify_key", "breakdown": {"if": 3, "elif": 1, "else": 2, "nested_bonus": 3}, "complexity": 9, "correlation_key": "fp|cabafc9961842a5a772a28ad70477cffe6a320841bc753f3f0212f21e7f787db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "RELEASING/verify_release.py"}, "region": {"startLine": 141}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `get_gpg_info` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: break=1, else=2, for=1, if=5, nested_bonus=2, or=1, ternary=2."}, "properties": {"repobilityId": 72351, "scanner": "repobility-threat-engine", "fingerprint": "fe2384316cd4a67ce088853fe02d3d1c04c42708284d6df7f7d2ce45f71ff9a5", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 14 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "get_gpg_info", "breakdown": {"if": 5, "or": 1, "for": 1, "else": 2, "break": 1, "ternary": 2, "nested_bonus": 2}, "complexity": 14, "correlation_key": "fp|fe2384316cd4a67ce088853fe02d3d1c04c42708284d6df7f7d2ce45f71ff9a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "RELEASING/verify_release.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 72400, "scanner": "repobility-docker", "fingerprint": "835c2bbb4450cbe6f2a9efb6da96272cffd58e8cd58c3b499c04323902066721", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "python:${PY_VER}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|835c2bbb4450cbe6f2a9efb6da96272cffd58e8cd58c3b499c04323902066721"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 5 more): Same pattern found in 5 additional files. 
Review if needed."}, "properties": {"repobilityId": 72387, "scanner": "repobility-threat-engine", "fingerprint": "77c15976f0768a666e6053652fdae4975605bc47b9aed04f29b3262667fd5d8b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|77c15976f0768a666e6053652fdae4975605bc47b9aed04f29b3262667fd5d8b", "aggregated_count": 5}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 72386, "scanner": "repobility-threat-engine", "fingerprint": "01dd4234f852834ee39dcd062cff1fb1cb474cbd3331a6ad7bc6be84847c2395", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|01dd4234f852834ee39dcd062cff1fb1cb474cbd3331a6ad7bc6be84847c2395"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-frontend/packages/superset-core/src/common/index.ts"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 72385, "scanner": "repobility-threat-engine", "fingerprint": "7902dab36ab1fed84dc9c127b33649094d4e964e5d0fbc5efa9cab6bf5162569", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7902dab36ab1fed84dc9c127b33649094d4e964e5d0fbc5efa9cab6bf5162569"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-frontend/packages/superset-core/src/commands/index.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 72384, "scanner": "repobility-threat-engine", "fingerprint": "20bb394121f99e1c63ebb5fa835f9c3b9347835a91975496422703533e028cd7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|20bb394121f99e1c63ebb5fa835f9c3b9347835a91975496422703533e028cd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-embedded-sdk/src/index.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 72383, "scanner": "repobility-threat-engine", "fingerprint": "a9290e9308832db1b29e6bdd660fce33b2dfaab9a936cf53d01913e8456ee998", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a9290e9308832db1b29e6bdd660fce33b2dfaab9a936cf53d01913e8456ee998", "aggregated_count": 4}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 72382, "scanner": "repobility-threat-engine", "fingerprint": "bfd0e33eaf0e3adee69acf33191dcd7e5daa32a0984c5d161c10fa6cd693aa42", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bfd0e33eaf0e3adee69acf33191dcd7e5daa32a0984c5d161c10fa6cd693aa42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-frontend/packages/superset-ui-chart-controls/src/operators/histogramOperator.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 72381, "scanner": "repobility-threat-engine", "fingerprint": "76e4d0910f93fa8a6df554df16f02a5204f291772f0afe590831546baf217599", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|76e4d0910f93fa8a6df554df16f02a5204f291772f0afe590831546baf217599"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-frontend/packages/superset-ui-chart-controls/src/components/labelUtils.tsx"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 72380, "scanner": "repobility-threat-engine", "fingerprint": "679b5e17ea07bff6b6585cc3a958c05447d0b7b02873a9edf8837ff9a71ff613", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|679b5e17ea07bff6b6585cc3a958c05447d0b7b02873a9edf8837ff9a71ff613"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-embedded-sdk/src/index.ts"}, "region": {"startLine": 217}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 72379, "scanner": "repobility-threat-engine", "fingerprint": "06c910dbc36a7769f660aaa143db1318122d531b2b223a1b405c40fe30c65c82", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|06c910dbc36a7769f660aaa143db1318122d531b2b223a1b405c40fe30c65c82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"superset-core/src/superset_core/rest_api/decorators.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 72378, "scanner": "repobility-threat-engine", "fingerprint": "74008b2208ec75dcd1036968c908769c8b8a92d14733b87a62ab70bf6f11607b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|74008b2208ec75dcd1036968c908769c8b8a92d14733b87a62ab70bf6f11607b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-core/src/superset_core/tasks/types.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 72377, "scanner": "repobility-threat-engine", "fingerprint": "0b8c15b35026799c99e0d24843ed1f43f5706fe870e4b0f73be2a074d04b0a4f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", 
"correlation_key": "fp|0b8c15b35026799c99e0d24843ed1f43f5706fe870e4b0f73be2a074d04b0a4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-core/src/superset_core/semantic_layers/types.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 72376, "scanner": "repobility-threat-engine", "fingerprint": "b77847d70cbf6a0aee78d5c680f22b18d14f9da086e1f6de5592aea21f060160", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b77847d70cbf6a0aee78d5c680f22b18d14f9da086e1f6de5592aea21f060160"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-core/src/superset_core/queries/types.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 72374, "scanner": "repobility-threat-engine", "fingerprint": "cd4ff08cbb509778875d04bc81c4d5dddf6eb913fbf65972cae2187283af5035", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|cd4ff08cbb509778875d04bc81c4d5dddf6eb913fbf65972cae2187283af5035", "aggregated_count": 12}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 72373, "scanner": "repobility-threat-engine", "fingerprint": "7a23e4f888a582d90599a3d895300a41470621b5848a34dd711bb22f52e482da", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7a23e4f888a582d90599a3d895300a41470621b5848a34dd711bb22f52e482da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-core/src/superset_core/common/models.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 72372, "scanner": "repobility-threat-engine", "fingerprint": "8c2632ef1282c8da261af92b6dcc5373b12c1c2bd6c96cbdf5a7f6de27e38dac", "category": 
"quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8c2632ef1282c8da261af92b6dcc5373b12c1c2bd6c96cbdf5a7f6de27e38dac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-core/src/superset_core/common/daos.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 72371, "scanner": "repobility-threat-engine", "fingerprint": "b9eca444f248108f76e29d06c024903c83f799fd6eba859b35d75a8e58395494", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b9eca444f248108f76e29d06c024903c83f799fd6eba859b35d75a8e58395494"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/translations/build_translation_index.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 9 more): Same pattern found in 9 additional 
files. Review if needed."}, "properties": {"repobilityId": 72361, "scanner": "repobility-threat-engine", "fingerprint": "c17c3c334a0c891d86f3db6af749774e09bf68bbf397b5eac82d842bd1fc7f0c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c17c3c334a0c891d86f3db6af749774e09bf68bbf397b5eac82d842bd1fc7f0c", "aggregated_count": 9}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 72360, "scanner": "repobility-threat-engine", "fingerprint": "9bf4efbe10ab58b703ffe901121ca6567b04d0817ed7d158178b3f8606525c33", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9bf4efbe10ab58b703ffe901121ca6567b04d0817ed7d158178b3f8606525c33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/theme/ReactLiveScope/index.tsx"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 72359, "scanner": "repobility-threat-engine", "fingerprint": "65041f44b0f1eca6e2b447cca971e9e1c4858a2eccf785d53abfa79661063f96", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|65041f44b0f1eca6e2b447cca971e9e1c4858a2eccf785d53abfa79661063f96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/theme/Playground/Preview/index.tsx"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 72358, "scanner": "repobility-threat-engine", "fingerprint": "299086ea370a33002ab5fe52059bf22322ced426b212a4c42c9454b4bf0a2856", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|299086ea370a33002ab5fe52059bf22322ced426b212a4c42c9454b4bf0a2856"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/plugins/robots-txt-plugin.js"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 72357, "scanner": "repobility-threat-engine", "fingerprint": "1f39cbad446b2628343dd40ffb5cba110d8c5d67e860e89af6c2b79f69db0ff9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1f39cbad446b2628343dd40ffb5cba110d8c5d67e860e89af6c2b79f69db0ff9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"superset-frontend/changelog.config.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 72356, "scanner": "repobility-threat-engine", "fingerprint": "73d52ca2ffbc36ea9faf3bb56dd6aaf9e43dfe87da43d1766486dad181e847f6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|73d52ca2ffbc36ea9faf3bb56dd6aaf9e43dfe87da43d1766486dad181e847f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/pages/community.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 72355, "scanner": "repobility-threat-engine", "fingerprint": "799e85b30d4738e15ae94de41b9aa8b46c0c9b868b1569d946fc3b4785d33d85", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|799e85b30d4738e15ae94de41b9aa8b46c0c9b868b1569d946fc3b4785d33d85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/pythonpath_dev/superset_config.py"}, "region": {"startLine": 116}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 72354, "scanner": "repobility-threat-engine", "fingerprint": "49c7adc690aaef0cba0539e188460f8671984ef7c4ebdb1c821d1535a2aa7f56", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "get_gpg_info", "breakdown": {"if": 5, "or": 1, "for": 1, "else": 2, "break": 1, "ternary": 2, "nested_bonus": 2}, "aggregated": true, "complexity": 14, "correlation_key": "fp|49c7adc690aaef0cba0539e188460f8671984ef7c4ebdb1c821d1535a2aa7f56", "aggregated_count": 15}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 72350, "scanner": "repobility-threat-engine", "fingerprint": "688e66c4db29793db8e542e676e1d9a743e91d1654fe55fd43817d1fabbbd600", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|688e66c4db29793db8e542e676e1d9a743e91d1654fe55fd43817d1fabbbd600"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "RELEASING/verify_release.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service (DoS). Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 72347, "scanner": "repobility-threat-engine", "fingerprint": "2370019f2a20390336bbfb0be59e8a091d5f44425d207342ea254486f86e354d", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'timeout\\s*=' detected on same line", "evidence": {"match": "requests.get(", "reason": "Safe pattern 'timeout\\s*=' detected on same line", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|2370019f2a20390336bbfb0be59e8a091d5f44425d207342ea254486f86e354d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "RELEASING/verify_release.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `redis:7-alpine` unpinned: `container/services image: redis:7-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 72492, "scanner": "repobility-supply-chain", "fingerprint": "74f5e54457ae2c41fee4661bb01f67f0f71ef8075f88a0a64fd4045583f0fd75", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|74f5e54457ae2c41fee4661bb01f67f0f71ef8075f88a0a64fd4045583f0fd75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/superset-app-cli.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `postgres:17-alpine` unpinned: `container/services image: postgres:17-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 72491, "scanner": "repobility-supply-chain", "fingerprint": "018974b4bccece2eba56454f8d0eca0920296657048374f180662c4555f219d9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|018974b4bccece2eba56454f8d0eca0920296657048374f180662c4555f219d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/superset-app-cli.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `redis:7-alpine` unpinned: `container/services image: redis:7-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 72488, "scanner": "repobility-supply-chain", "fingerprint": "cc3ecbfdd2e64f95bc81b1b760b88645ec7d846812dcceef694f3377ca132687", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cc3ecbfdd2e64f95bc81b1b760b88645ec7d846812dcceef694f3377ca132687"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/superset-python-integrationtest.yml"}, "region": {"startLine": 200}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `redis:7-alpine` unpinned: `container/services image: redis:7-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 72487, "scanner": "repobility-supply-chain", "fingerprint": "712e48f4a67339ced1b9fe77e025205de67ced05c3a54fa0ff30b9bdea2cf870", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|712e48f4a67339ced1b9fe77e025205de67ced05c3a54fa0ff30b9bdea2cf870"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/superset-python-integrationtest.yml"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `postgres:17-alpine` unpinned: `container/services image: postgres:17-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 72486, "scanner": "repobility-supply-chain", "fingerprint": "c1f60a35c91de69042d44951426af5afb79290c208a337be952513b65f854610", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c1f60a35c91de69042d44951426af5afb79290c208a337be952513b65f854610"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/superset-python-integrationtest.yml"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `redis:7-alpine` unpinned: `container/services image: redis:7-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 72485, "scanner": "repobility-supply-chain", "fingerprint": "5ab318bdf5a6451e115529b474efe80340768dcfdfcae27cd5de5da24b23e572", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5ab318bdf5a6451e115529b474efe80340768dcfdfcae27cd5de5da24b23e572"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/superset-python-integrationtest.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `mysql:8.0` unpinned: `container/services image: mysql:8.0` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 72484, "scanner": "repobility-supply-chain", "fingerprint": "c521907d70eb56577b81c55cb5dd275fda9f069cd4bae1b82c4a01df70ccb3fc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c521907d70eb56577b81c55cb5dd275fda9f069cd4bae1b82c4a01df70ccb3fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/superset-python-integrationtest.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `redis:7-alpine` unpinned: `container/services image: redis:7-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 72483, "scanner": "repobility-supply-chain", "fingerprint": "a730e7b23c49183728c71143ae37bc4875457323a4fda25b4d6d4f26eb0801d4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a730e7b23c49183728c71143ae37bc4875457323a4fda25b4d6d4f26eb0801d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/superset-e2e.yml"}, "region": {"startLine": 202}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `postgres:17-alpine` unpinned: `container/services image: postgres:17-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 72482, "scanner": "repobility-supply-chain", "fingerprint": "9615d89e5d63bf33dd42b6179b0351ca3190d5cdca0a38794f125bab77aa2d81", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9615d89e5d63bf33dd42b6179b0351ca3190d5cdca0a38794f125bab77aa2d81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/superset-e2e.yml"}, "region": {"startLine": 195}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `redis:7-alpine` unpinned: `container/services image: redis:7-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 72481, "scanner": "repobility-supply-chain", "fingerprint": "1d36da4bd6d018d2b563e71360caa4c6132cd60ce2d77ec2dab250a6b703d232", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1d36da4bd6d018d2b563e71360caa4c6132cd60ce2d77ec2dab250a6b703d232"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/superset-e2e.yml"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `postgres:17-alpine` unpinned: `container/services image: postgres:17-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 72480, "scanner": "repobility-supply-chain", "fingerprint": "079ab0a5a6fd26b6a65f3dc4872ab50ab0e815f1f709e292a27a8c6a29af5183", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|079ab0a5a6fd26b6a65f3dc4872ab50ab0e815f1f709e292a27a8c6a29af5183"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/superset-e2e.yml"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `redis:7-alpine` unpinned: `container/services image: redis:7-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 72478, "scanner": "repobility-supply-chain", "fingerprint": "b71c7dc54d61dee49eaee2ebaaf8aa5e1acbc54bdb0e1cfe04b874fe8f31dcb7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b71c7dc54d61dee49eaee2ebaaf8aa5e1acbc54bdb0e1cfe04b874fe8f31dcb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/superset-python-presto-hive.yml"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `postgres:17-alpine` unpinned: `container/services image: postgres:17-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 72477, "scanner": "repobility-supply-chain", "fingerprint": "08029d754844c01e47e1267eb92065317245bcb031605b976c6888bda2a94e19", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|08029d754844c01e47e1267eb92065317245bcb031605b976c6888bda2a94e19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/superset-python-presto-hive.yml"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `redis:7-alpine` unpinned: `container/services image: redis:7-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 72476, "scanner": "repobility-supply-chain", "fingerprint": "c3485e5534124b0ea0d255edf492e69e7d42637012c93c22653c023b76f67105", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c3485e5534124b0ea0d255edf492e69e7d42637012c93c22653c023b76f67105"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/superset-python-presto-hive.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `starburstdata/presto:350-e.6` unpinned: `container/services image: starburstdata/presto:350-e.6` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 72475, "scanner": "repobility-supply-chain", "fingerprint": "1af636e7993d2a73c5bddefa8d83c95d61cf2d6cdad311f62e8b2dd1a44ecefc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1af636e7993d2a73c5bddefa8d83c95d61cf2d6cdad311f62e8b2dd1a44ecefc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/superset-python-presto-hive.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `postgres:17-alpine` unpinned: `container/services image: postgres:17-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 72474, "scanner": "repobility-supply-chain", "fingerprint": "581edc597a190c2a5ae11f084ea5cd2af5e75f567d2db94cc57ad21f77cec194", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|581edc597a190c2a5ae11f084ea5cd2af5e75f567d2db94cc57ad21f77cec194"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/superset-python-presto-hive.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `redis:7-alpine` unpinned: `container/services image: redis:7-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 72467, "scanner": "repobility-supply-chain", "fingerprint": "855582461a419ea18984d99233954a45dc532e285baadf06e56f51c493396552", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|855582461a419ea18984d99233954a45dc532e285baadf06e56f51c493396552"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/superset-playwright.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `postgres:17-alpine` unpinned: `container/services image: postgres:17-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 72466, "scanner": "repobility-supply-chain", "fingerprint": "3f3bfe0019c0414b24ebe376272088e48205d6372981e8d3a0caef960fa91aba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3f3bfe0019c0414b24ebe376272088e48205d6372981e8d3a0caef960fa91aba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/superset-playwright.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.11.13-trixie` not pinned by digest: `FROM python:3.11.13-trixie` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility and supply-chain integrity."}, "properties": {"repobilityId": 72465, "scanner": "repobility-supply-chain", "fingerprint": "a49257c3bd50c9c63c90f003e806c85cf3b2daf0ef04721f4e47f16dad9061bc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a49257c3bd50c9c63c90f003e806c85cf3b2daf0ef04721f4e47f16dad9061bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility and supply-chain integrity."}, "properties": {"repobilityId": 72464, "scanner": "repobility-supply-chain", "fingerprint": "900d52e4906381e5c427505bf666b45f8a9f063b01a6782bf90cc426130f4855", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|900d52e4906381e5c427505bf666b45f8a9f063b01a6782bf90cc426130f4855"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-websocket/Dockerfile"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility and supply-chain integrity."}, "properties": {"repobilityId": 72463, "scanner": "repobility-supply-chain", "fingerprint": "c47281baebd1317dc76f41c7d2a73db48d5ce4ea97f9dfe0b76b3c40c3cd89e4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c47281baebd1317dc76f41c7d2a73db48d5ce4ea97f9dfe0b76b3c40c3cd89e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-websocket/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_validate_python_package_name_invalid: Test function `test_validate_python_package_name_invalid` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72458, "scanner": "repobility-ast-engine", "fingerprint": "6178f3d578fa0b6ea13d5be2ca56b02d3d34318d0493d502c7769d780fca2f55", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6178f3d578fa0b6ea13d5be2ca56b02d3d34318d0493d502c7769d780fca2f55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_name_transformations.py"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_validate_python_package_name_keywords: Test function `test_validate_python_package_name_keywords` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72457, "scanner": "repobility-ast-engine", "fingerprint": "a5f5ff5168cd9379ae03072fc22630d4f54c46d9a117cac02cb8f52f12f7f4fd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a5f5ff5168cd9379ae03072fc22630d4f54c46d9a117cac02cb8f52f12f7f4fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_name_transformations.py"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_validate_python_package_name_valid: Test function `test_validate_python_package_name_valid` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72456, "scanner": "repobility-ast-engine", "fingerprint": "b31bae864fb501684e748207ec8a9e79ccb0aaf6e613f5652b804b209c84eaaf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b31bae864fb501684e748207ec8a9e79ccb0aaf6e613f5652b804b209c84eaaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_name_transformations.py"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_validate_display_name_invalid: Test function `test_validate_display_name_invalid` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72455, "scanner": "repobility-ast-engine", "fingerprint": "d51eea8d8e949d803f8b51a9ffe565ebcb9b13ad4bc1c53987eba2c052613a9c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d51eea8d8e949d803f8b51a9ffe565ebcb9b13ad4bc1c53987eba2c052613a9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_name_transformations.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_read_toml_with_various_invalid_content: Test function `test_read_toml_with_various_invalid_content` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72454, "scanner": "repobility-ast-engine", "fingerprint": "5b55c580f4d1b3aef947e4dd629cdac3d2a6509a0c19ec986822fb2e8ee1c5e1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5b55c580f4d1b3aef947e4dd629cdac3d2a6509a0c19ec986822fb2e8ee1c5e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_utils.py"}, "region": {"startLine": 216}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_read_toml_with_invalid_toml: Test function `test_read_toml_with_invalid_toml` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72453, "scanner": "repobility-ast-engine", "fingerprint": "dd63a634275ac3b0e0305048fb03f36de8919d468198df067d4c6599a3cf49a8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dd63a634275ac3b0e0305048fb03f36de8919d468198df067d4c6599a3cf49a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_utils.py"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_read_json_with_invalid_json: Test function `test_read_json_with_invalid_json` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72452, "scanner": "repobility-ast-engine", "fingerprint": "a0d65b86829e569f75b62f98f2fe1eeb0e8b3c93cca037d4412f4471dc27a0a2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a0d65b86829e569f75b62f98f2fe1eeb0e8b3c93cca037d4412f4471dc27a0a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_utils.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_copy_backend_files_handles_various_glob_patterns: Test function `test_copy_backend_files_handles_various_glob_patterns` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72451, "scanner": "repobility-ast-engine", "fingerprint": "1bfb57e58fc4392ffa13a447a7f639af7f94147ae3a9002c3953c30bfca298b4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1bfb57e58fc4392ffa13a447a7f639af7f94147ae3a9002c3953c30bfca298b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_cli_build.py"}, "region": {"startLine": 560}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_copy_backend_files_copies_matched_files: Test function `test_copy_backend_files_copies_matched_files` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72450, "scanner": "repobility-ast-engine", "fingerprint": "0ab505e4736ba77856bf510d34c496269f1c904b3737f4988d52fed299825a1b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0ab505e4736ba77856bf510d34c496269f1c904b3737f4988d52fed299825a1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_cli_build.py"}, "region": {"startLine": 511}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_rebuild_backend_calls_copy_and_shows_message: Test function `test_rebuild_backend_calls_copy_and_shows_message` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72449, "scanner": "repobility-ast-engine", "fingerprint": "9cf37ec0c4e6f45d1005f97f9cdd048c20255cfd0ca4925cf5a6dcb3888ace6f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9cf37ec0c4e6f45d1005f97f9cdd048c20255cfd0ca4925cf5a6dcb3888ace6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_cli_build.py"}, "region": {"startLine": 435}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_clean_dist_frontend_handles_nonexistent_directory: Test function `test_clean_dist_frontend_handles_nonexistent_directory` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72448, "scanner": "repobility-ast-engine", "fingerprint": "6a95e5c5b0bd3bd098b444554f48679bff8e753ade63192dea7d06de7730b4b0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6a95e5c5b0bd3bd098b444554f48679bff8e753ade63192dea7d06de7730b4b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_cli_build.py"}, "region": {"startLine": 367}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_init_frontend_deps_runs_npm_i_when_missing: Test function `test_init_frontend_deps_runs_npm_i_when_missing` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72447, "scanner": "repobility-ast-engine", "fingerprint": "7a9781902aa8d906af6fd2debdf66a9900257683c28cc399fd2bd245830c487d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7a9781902aa8d906af6fd2debdf66a9900257683c28cc399fd2bd245830c487d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_cli_build.py"}, "region": {"startLine": 231}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_init_frontend_deps_skips_when_node_modules_exists: Test function `test_init_frontend_deps_skips_when_node_modules_exists` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72446, "scanner": "repobility-ast-engine", "fingerprint": "2ed4a2877549d7578a33573c42dd50955966d7b7426fa57f8a6097bfec7d233d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2ed4a2877549d7578a33573c42dd50955966d7b7426fa57f8a6097bfec7d233d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_cli_build.py"}, "region": {"startLine": 214}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_validate_npm_with_empty_version_output_raises_error: Test function `test_validate_npm_with_empty_version_output_raises_error` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72445, "scanner": "repobility-ast-engine", "fingerprint": "068f8d629d934ef742f265a4ba8a7c05f4c9eefe57a8e2bf8af8c802040cbf2e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|068f8d629d934ef742f265a4ba8a7c05f4c9eefe57a8e2bf8af8c802040cbf2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_cli_validate.py"}, "region": {"startLine": 202}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_validate_npm_with_malformed_version_output_raises_error: Test function `test_validate_npm_with_malformed_version_output_raises_error` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72444, "scanner": "repobility-ast-engine", "fingerprint": "63ce2e64b36738524b9d2f46fe05da41d6d637bc6547e618a2676fc47bce5cfc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|63ce2e64b36738524b9d2f46fe05da41d6d637bc6547e618a2676fc47bce5cfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_cli_validate.py"}, "region": {"startLine": 189}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_validate_npm_does_not_catch_other_subprocess_exceptions: Test function `test_validate_npm_does_not_catch_other_subprocess_exceptions` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72443, "scanner": "repobility-ast-engine", "fingerprint": "2677f5a760911627007fd107db96a637a081d7a4bc46ea8f0b811471ea6c0c5b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2677f5a760911627007fd107db96a637a081d7a4bc46ea8f0b811471ea6c0c5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_cli_validate.py"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_validate_npm_version_comparison_edge_cases: Test function `test_validate_npm_version_comparison_edge_cases` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72442, "scanner": "repobility-ast-engine", "fingerprint": "30bd7622062c2639ff00f8ba00d0336df498a747458a95118a0292ff1001b9ee", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|30bd7622062c2639ff00f8ba00d0336df498a747458a95118a0292ff1001b9ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_cli_validate.py"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_validate_npm_succeeds_with_valid_versions: Test function `test_validate_npm_succeeds_with_valid_versions` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72441, "scanner": "repobility-ast-engine", "fingerprint": "ebd3492dc303124d8dd417c20c80ecb4e6ff6107a49c33b0770cab53cc9dbad6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ebd3492dc303124d8dd417c20c80ecb4e6ff6107a49c33b0770cab53cc9dbad6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_cli_validate.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_validate_command_calls_npm_validation: Test function `test_validate_command_calls_npm_validation` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72440, "scanner": "repobility-ast-engine", "fingerprint": "125f9f87e05656380b2849b8781a9b4f5018a8c252361d913f62ff8392387ee6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|125f9f87e05656380b2849b8781a9b4f5018a8c252361d913f62ff8392387ee6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_cli_validate.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_backend_watcher_function_coverage: Test function `test_backend_watcher_function_coverage` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72439, "scanner": "repobility-ast-engine", "fingerprint": "fab4450039982631bffd5f03a2e3d50acd217e105a11ad585a72f80b5ceef4e8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fab4450039982631bffd5f03a2e3d50acd217e105a11ad585a72f80b5ceef4e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_cli_dev.py"}, "region": {"startLine": 237}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_frontend_watcher_function_coverage: Test function `test_frontend_watcher_function_coverage` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72438, "scanner": "repobility-ast-engine", "fingerprint": "1f597a9af7ae5e2c12d2cbc82ebb1a452bd5c5a03e1252fc6d94789f6f001ceb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1f597a9af7ae5e2c12d2cbc82ebb1a452bd5c5a03e1252fc6d94789f6f001ceb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_cli_dev.py"}, "region": {"startLine": 189}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_frontend_change_handler_triggers_on_source_changes: Test function `test_frontend_change_handler_triggers_on_source_changes` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72437, "scanner": "repobility-ast-engine", "fingerprint": "ac5bacfdcd3ade2b64256779d6480ed79f65f93a50461db91d841960566b5b13", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ac5bacfdcd3ade2b64256779d6480ed79f65f93a50461db91d841960566b5b13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_cli_dev.py"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_frontend_change_handler_ignores_dist_changes: Test function `test_frontend_change_handler_ignores_dist_changes` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72436, "scanner": "repobility-ast-engine", "fingerprint": "7ec500b1ac2e3624174817bc034011ac760ceb23da8c0a1fb60b419dfbd91a4c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7ec500b1ac2e3624174817bc034011ac760ceb23da8c0a1fb60b419dfbd91a4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_cli_dev.py"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_dev_command_initial_build: Test function `test_dev_command_initial_build` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72435, "scanner": "repobility-ast-engine", "fingerprint": "065b54c2daf264ef27555a84417cb9ef9e3fe26af4273d030ff11c7af8ab63df", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|065b54c2daf264ef27555a84417cb9ef9e3fe26af4273d030ff11c7af8ab63df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_cli_dev.py"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_dev_command_starts_watchers: Test function `test_dev_command_starts_watchers` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 72434, "scanner": "repobility-ast-engine", "fingerprint": "5a6b9cf5c8a8ea3c422afd86c4f9bc253a356a84ebc6db5b1474e4404802c681", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5a6b9cf5c8a8ea3c422afd86c4f9bc253a356a84ebc6db5b1474e4404802c681"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-extensions-cli/tests/test_cli_dev.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._git_checkout` used but never assigned in __init__: Method `_git_logs` of class `GitLogs` reads `self._git_checkout`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 72432, "scanner": "repobility-ast-engine", "fingerprint": "b51206fb1b746f981d7db5cc2d7bad352b65d43755595eea1d69604f8bc84df8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b51206fb1b746f981d7db5cc2d7bad352b65d43755595eea1d69604f8bc84df8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "RELEASING/changelog.py"}, "region": {"startLine": 297}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._git_checkout` used but never assigned in __init__: Method `_git_logs` of class `GitLogs` reads `self._git_checkout`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 72431, "scanner": "repobility-ast-engine", "fingerprint": "49be66f0c64f907875dd2c9b9195ebd023b006714b3e1ab978fb39b7d988c291", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|49be66f0c64f907875dd2c9b9195ebd023b006714b3e1ab978fb39b7d988c291"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "RELEASING/changelog.py"}, "region": {"startLine": 290}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._git_get_current_head` used but never assigned in __init__: Method `_git_logs` of class `GitLogs` reads `self._git_get_current_head`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 72430, "scanner": "repobility-ast-engine", "fingerprint": "7b114c513bf7afdef5935d2254cad6cb26a1865155b9a6ea324f23322179fcf7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7b114c513bf7afdef5935d2254cad6cb26a1865155b9a6ea324f23322179fcf7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "RELEASING/changelog.py"}, "region": {"startLine": 289}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._git_get_current_head` used but never assigned in __init__: Method `_git_checkout` of class `GitLogs` reads `self._git_get_current_head`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 72429, "scanner": "repobility-ast-engine", "fingerprint": "7660eb6ad557b465d0da77bbca844304aefa2ea12c4a46c094285e69e3fc0444", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7660eb6ad557b465d0da77bbca844304aefa2ea12c4a46c094285e69e3fc0444"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "RELEASING/changelog.py"}, "region": {"startLine": 282}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._git_logs` used but never assigned in __init__: Method `fetch` of class `GitLogs` reads `self._git_logs`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 72428, "scanner": "repobility-ast-engine", "fingerprint": "f6a5ef34b4cf1751cfb88f981f08f069580048c519791a4a3b58185b94cd1866", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f6a5ef34b4cf1751cfb88f981f08f069580048c519791a4a3b58185b94cd1866"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "RELEASING/changelog.py"}, "region": {"startLine": 264}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._parse_log` used but never assigned in __init__: Method `fetch` of class `GitLogs` reads `self._parse_log`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 72427, "scanner": "repobility-ast-engine", "fingerprint": "532b8a65a8b4d9b9ecfb237d1159af0261d021fa991954f18d04598402860187", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|532b8a65a8b4d9b9ecfb237d1159af0261d021fa991954f18d04598402860187"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "RELEASING/changelog.py"}, "region": {"startLine": 264}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._parse_change_log` used but never assigned in __init__: Method `__repr__` of class `GitChangeLog` reads `self._parse_change_log`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 72426, "scanner": "repobility-ast-engine", "fingerprint": "d7e003c521d4c5aa2fbdc0b96faa87ad857ec0335250dca29fec5b3f90c7d1ca", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d7e003c521d4c5aa2fbdc0b96faa87ad857ec0335250dca29fec5b3f90c7d1ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "RELEASING/changelog.py"}, "region": {"startLine": 220}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_changelog_version_head` used but never assigned in __init__: Method `__repr__` of class `GitChangeLog` reads `self._get_changelog_version_head`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 72425, "scanner": "repobility-ast-engine", "fingerprint": "bf6b4969a985ed176eab426f0a3bdbae1dd0aede5f271d031e54df3e06105736", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bf6b4969a985ed176eab426f0a3bdbae1dd0aede5f271d031e54df3e06105736"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "RELEASING/changelog.py"}, "region": {"startLine": 197}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_pull_request_details` used but never assigned in __init__: Method `__repr__` of class `GitChangeLog` reads `self._get_pull_request_details`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 72424, "scanner": "repobility-ast-engine", "fingerprint": "f0e6ffdfb679ace5cbc233b3cac70d17482ebcda010c48e4365a41feb26b490a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f0e6ffdfb679ace5cbc233b3cac70d17482ebcda010c48e4365a41feb26b490a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "RELEASING/changelog.py"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_github_login` used but never assigned in __init__: Method `__repr__` of class `GitChangeLog` reads `self._get_github_login`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 72423, "scanner": "repobility-ast-engine", "fingerprint": "4454eab2f62316417f13f3487069a8d51dcd548377af7df081b1132e2749fcad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4454eab2f62316417f13f3487069a8d51dcd548377af7df081b1132e2749fcad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "RELEASING/changelog.py"}, "region": {"startLine": 205}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._fetch_github_pr` used but never assigned in __init__: Method `_get_pull_request_details` of class `GitChangeLog` reads `self._fetch_github_pr`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 72422, "scanner": "repobility-ast-engine", "fingerprint": "bccb131d4cde8aebedad0d645895b33f629d61c0c4c5612b4ad2ab71b68861c2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bccb131d4cde8aebedad0d645895b33f629d61c0c4c5612b4ad2ab71b68861c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "RELEASING/changelog.py"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._is_risk_pull_request` used but never assigned in __init__: Method `_get_pull_request_details` of class `GitChangeLog` reads `self._is_risk_pull_request`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 72421, "scanner": "repobility-ast-engine", "fingerprint": "e7b689b60378a2a25ed70011ed69795c1814ed889b6d54d6a89490fc647a3b01", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e7b689b60378a2a25ed70011ed69795c1814ed889b6d54d6a89490fc647a3b01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "RELEASING/changelog.py"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._has_commit_migrations` used but never assigned in __init__: Method `_get_pull_request_details` of class `GitChangeLog` reads `self._has_commit_migrations`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 72420, "scanner": "repobility-ast-engine", "fingerprint": "76883709a11b0376c21d73d0dbb46ac2575f6eff0ba294b6c3ebd1d471a7453e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|76883709a11b0376c21d73d0dbb46ac2575f6eff0ba294b6c3ebd1d471a7453e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "RELEASING/changelog.py"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._fetch_github_pr` used but never assigned in __init__: Method `_get_github_login` of class `GitChangeLog` reads `self._fetch_github_pr`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 72419, "scanner": "repobility-ast-engine", "fingerprint": "20bd24485a81da81fbd89f11e4da7d9eaf4d38ccf32d52a2d988fc5fb90c1d9b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|20bd24485a81da81fbd89f11e4da7d9eaf4d38ccf32d52a2d988fc5fb90c1d9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "RELEASING/changelog.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 72407, "scanner": "repobility-docker", "fingerprint": "c40266e49e232ac3c6e784acabe46dee73b3dcf848135d664d716fe976117ffb", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c40266e49e232ac3c6e784acabe46dee73b3dcf848135d664d716fe976117ffb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-websocket/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 72397, "scanner": "repobility-docker", "fingerprint": "2e545dd11f89f8cf1b10ef418cd220ece921a9ed1a262126e7e726b667126c2f", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2e545dd11f89f8cf1b10ef418cd220ece921a9ed1a262126e7e726b667126c2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 72390, "scanner": "repobility-threat-engine", "fingerprint": "e207804d09ab0e11393abc9402085e9942a2c698d3ee3f3942cb035e7ba4a510", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(whiskerOptions", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e207804d09ab0e11393abc9402085e9942a2c698d3ee3f3942cb035e7ba4a510"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-frontend/packages/superset-ui-chart-controls/src/operators/boxplotOperator.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. 
The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 72370, "scanner": "repobility-threat-engine", "fingerprint": "f158f960db806049836feca70f457cc6678d5a2d1eb265248ce0b07d2424f80e", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((directory) => `${curDirectory}/${directory}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f158f960db806049836feca70f457cc6678d5a2d1eb265248ce0b07d2424f80e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/generate_frontend_ts_tasklist.js"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 72369, "scanner": "repobility-threat-engine", "fingerprint": "2d02d904526a322ed8747edd7a92771e3690ed41fccc95eaa31bf30883f0e81c", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((directory) => `${curDirectory}/${directory}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2d02d904526a322ed8747edd7a92771e3690ed41fccc95eaa31bf30883f0e81c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/generate_frontend_class_component_tasklist.js"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED034", "level": "error", "message": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "properties": {"repobilityId": 72368, "scanner": "repobility-threat-engine", "fingerprint": "7a90c52b26035d0e82189262029e6265677788fdeadfdd2bb112b1421092aab6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-subprocess-shell-true", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347977+00:00", "triaged_in_corpus": 15, "observations_count": 3478, "ai_coder_pattern_id": 118}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7a90c52b26035d0e82189262029e6265677788fdeadfdd2bb112b1421092aab6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cypress_run.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED034", 
"level": "error", "message": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "properties": {"repobilityId": 72367, "scanner": "repobility-threat-engine", "fingerprint": "7a5d2575c64686863880bf931c03602024fd1d430be7c7dd4d6d598c92135ca9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-subprocess-shell-true", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347977+00:00", "triaged_in_corpus": 15, "observations_count": 3478, "ai_coder_pattern_id": 118}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7a5d2575c64686863880bf931c03602024fd1d430be7c7dd4d6d598c92135ca9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check-env.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 72366, "scanner": "repobility-threat-engine", "fingerprint": "7ac30dca8842385326841ea848becf7d60de43af6567060a55479a78da8067a0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DatasetDAO.create(attributes={\"name\": \"New Dataset\"})", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7ac30dca8842385326841ea848becf7d60de43af6567060a55479a78da8067a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "superset-core/src/superset_core/common/daos.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 72365, "scanner": "repobility-threat-engine", "fingerprint": "55ddef7b0c3626c9853b4ec20956fc2cb3027f42f3d202859d3b4664d120f754", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "security_manager.get_session.delete(pvm)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|55ddef7b0c3626c9853b4ec20956fc2cb3027f42f3d202859d3b4664d120f754"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/permissions_cleanup.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 72364, "scanner": "repobility-threat-engine", "fingerprint": "ccb6a821384959eb0fb9e00f537850fda8d4321ba8a3f0b3f76c5e9ae08e70d9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "check_req_types.update([\"docker\", \"frontend\", \"backend\"])", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ccb6a821384959eb0fb9e00f537850fda8d4321ba8a3f0b3f76c5e9ae08e70d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check-env.py"}, "region": {"startLine": 195}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. 
Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 72349, "scanner": "repobility-threat-engine", "fingerprint": "b730af07ecfcb00ed0a49380b16eb3a4f15b649e0bf493a80b384e3ee6b53492", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(\n        r\"DEFAULT_FEATURE_FLAGS(?:\\s*:\\s*[^=]+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|63|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/extract_feature_flags.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. 
Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 72348, "scanner": "repobility-threat-engine", "fingerprint": "525b4cf4c6ad24b412571294c903bc0b9754751d255d9174b07369a0ed27cbe8", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"RSA key ([0-9A-F]+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|releasing/verify_release.py|103|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "RELEASING/verify_release.py"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 72346, "scanner": "repobility-threat-engine", "fingerprint": "37934453289ead08739307001b7a54d793c0a0556c75418b4191f02dfa2e72a4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL (o", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|37934453289ead08739307001b7a54d793c0a0556c75418b4191f02dfa2e72a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/extract_feature_flags.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 72345, "scanner": "repobility-threat-engine", "fingerprint": "bf36154c74fb553e7e11da1e2410bcb1bc6097f72fbcf8d02f9a72f806bf0099", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(h", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bf36154c74fb553e7e11da1e2410bcb1bc6097f72fbcf8d02f9a72f806bf0099"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/theme/Root.js"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 72344, "scanner": "repobility-threat-engine", "fingerprint": "836acd5bd5f512cbd03d757d723e4c135e81fa0f0d74f9c495580dd1d27b3be5", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(KEYS_URL", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|836acd5bd5f512cbd03d757d723e4c135e81fa0f0d74f9c495580dd1d27b3be5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "RELEASING/verify_release.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72490, "scanner": "repobility-supply-chain", "fingerprint": "86c4c7422533260d82a8c75a2d9bd99e3acba9e4b6d0b8171cb9bfec4c41e4eb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|86c4c7422533260d82a8c75a2d9bd99e3acba9e4b6d0b8171cb9bfec4c41e4eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-python-deps.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USER` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_USER }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72489, "scanner": "repobility-supply-chain", "fingerprint": "4d30842ab68e56700a16933aea1890f67625574ee57465154a685c7cfcdfef46", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4d30842ab68e56700a16933aea1890f67625574ee57465154a685c7cfcdfef46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-python-deps.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CYPRESS_RECORD_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CYPRESS_RECORD_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72479, "scanner": "repobility-supply-chain", "fingerprint": "dafecf4abc7bded159bf9b6214adb7107a0c483a5c573a93cc026546ba0f7353", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dafecf4abc7bded159bf9b6214adb7107a0c483a5c573a93cc026546ba0f7353"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/superset-e2e.yml"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72473, "scanner": "repobility-supply-chain", "fingerprint": "0b992dafbfe6f3f13441dfcfb813718517f83e0722a65b07a29783fb2f20a9cc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0b992dafbfe6f3f13441dfcfb813718517f83e0722a65b07a29783fb2f20a9cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 157}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USER` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_USER }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72472, "scanner": "repobility-supply-chain", "fingerprint": "4564f0f71c28525f01920137f4cb50554930d6bfb211981b191f500e6222bd1f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4564f0f71c28525f01920137f4cb50554930d6bfb211981b191f500e6222bd1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72471, "scanner": "repobility-supply-chain", "fingerprint": "4e35c40d19f16b03f6cf38e72d4043db4ed3a991117540aac81578553a52a447", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e35c40d19f16b03f6cf38e72d4043db4ed3a991117540aac81578553a52a447"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USER` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_USER }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72470, "scanner": "repobility-supply-chain", "fingerprint": "ce8ec4ab4bdf545303f230dd5ca73fcac0277687f8fd06bb133147c0acc0e80d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ce8ec4ab4bdf545303f230dd5ca73fcac0277687f8fd06bb133147c0acc0e80d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72469, "scanner": "repobility-supply-chain", "fingerprint": "d6ef268fbaeee11b28ab90ce63574f3d3ae7a69e03f12b0b0ffdc4f4395be125", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d6ef268fbaeee11b28ab90ce63574f3d3ae7a69e03f12b0b0ffdc4f4395be125"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USER` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_USER }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 72468, "scanner": "repobility-supply-chain", "fingerprint": "7d44d046267aeb465d0e9776c43ede6f4e42fb8ffdb87df13082ff10f363b0a6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7d44d046267aeb465d0e9776c43ede6f4e42fb8ffdb87df13082ff10f363b0a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 72433, "scanner": "repobility-ast-engine", "fingerprint": "2776b2acb8eebba1178361e7f48698349d81bca08048ed70f2c52885f708e5d4", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2776b2acb8eebba1178361e7f48698349d81bca08048ed70f2c52885f708e5d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark_migration.py"}, "region": {"startLine": 83}}}]}]}]}