{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `ignore` is 2 major version(s) behind (5.3.2 -> 7.0.5)", "shortDescription": {"text": "npm package `ignore` is 2 major version(s) behind (5.3.2 -> 7.0.5)"}, "fullDescription": {"text": "`ignore` is pinned/resolved at 5.3.2 but the latest stable release on the npm registry is 7.0.5 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "AI-assisted edits often create a new sibling file instead of integrating the change into the existing module. That leaves two paths for future maintainers to understand and can hide the code that is actually wired into the app."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/attest` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/attest` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/attest@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1371"}, "properties": {"repository": "mnaoumov/obsidian-advanced-exclude", "repoUrl": "https://github.com/mnaoumov/obsidian-advanced-exclude", "branch": "master"}, "results": [{"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 140689, "scanner": "repobility-threat-engine", "fingerprint": "16e068c1b98caff8d87b48cb3b5c74c206a0f113ad831f1c729d1b77def9b68b", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|scripts/commit.ts|3|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/commit.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `ignore` is 2 major version(s) behind (5.3.2 -> 7.0.5)"}, "properties": {"repobilityId": 140686, "scanner": "repobility-dependency-currency", "fingerprint": "1b7ef2df20fa955e950b6d228a7513962845ee424cd9d78f1b01137977f5392b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "ignore", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.0.5", "correlation_key": "fp|1b7ef2df20fa955e950b6d228a7513962845ee424cd9d78f1b01137977f5392b", "current_version": "5.3.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 140684, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1bf0c4f9d2aae910d233e9bf84b7d2e81de211b44fed3caa311d5a90fd97ffa2", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "fix", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "scripts/lint-md.ts", "correlation_key": "fp|1bf0c4f9d2aae910d233e9bf84b7d2e81de211b44fed3caa311d5a90fd97ffa2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/lint-md-fix.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 140683, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f8d6f22802165ce4319c605bf52ebe99cb65ed8947353b2aa71d39b6c876222e", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "fix", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "scripts/lint.ts", "correlation_key": "fp|f8d6f22802165ce4319c605bf52ebe99cb65ed8947353b2aa71d39b6c876222e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/lint-fix.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 140682, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6930c6626bc6cb2449eac3db8d2b2ed2e8368eb3c230369f50043dfecd11c0d4", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "clean", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "scripts/build.ts", "correlation_key": "fp|6930c6626bc6cb2449eac3db8d2b2ed2e8368eb3c230369f50043dfecd11c0d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/build-clean.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `obsidian` is minor version(s) behind (1.12.3 -> 1.13.0)"}, "properties": {"repobilityId": 140688, "scanner": "repobility-dependency-currency", "fingerprint": "45e2af461fe8b74d9fa49af46cc07fad06b1f0e7bf6d410e29a73052f052776d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "obsidian", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.13.0", "correlation_key": "fp|45e2af461fe8b74d9fa49af46cc07fad06b1f0e7bf6d410e29a73052f052776d", "current_version": "1.12.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `jiti` is minor version(s) behind (2.6.1 -> 2.7.0)"}, "properties": {"repobilityId": 140687, "scanner": "repobility-dependency-currency", "fingerprint": "d17a689de677667a2620b930997fec1836e853d808b69cb8b110b8a31d52ab9d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jiti", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.7.0", "correlation_key": "fp|d17a689de677667a2620b930997fec1836e853d808b69cb8b110b8a31d52ab9d", "current_version": "2.6.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 140691, "scanner": "repobility-threat-engine", "fingerprint": "f7c13f2c85e17365b5e2ec0791b0a53aa28218c3d49efba70fc8182f1c02e47a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f7c13f2c85e17365b5e2ec0791b0a53aa28218c3d49efba70fc8182f1c02e47a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/file-tree-component.ts"}, "region": {"startLine": 209}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 140690, "scanner": "repobility-threat-engine", "fingerprint": "57607bef31f27b4df3977ca2dacbfa562a72c84a54d612702cad2699903809b6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "orphanPaths.delete(childPath);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|57607bef31f27b4df3977ca2dacbfa562a72c84a54d612702cad2699903809b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/file-tree-component.ts"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/attest` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 140685, "scanner": "repobility-supply-chain", "fingerprint": "7f25ffc2a7732d9c01b0997c62bb2022597f92cd12a9d1394aa6f6ccb91d039f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7f25ffc2a7732d9c01b0997c62bb2022597f92cd12a9d1394aa6f6ccb91d039f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/attest-release-assets.yml"}, "region": {"startLine": 22}}}]}]}]}