{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}]}}, "automationDetails": {"id": "repobility/270"}, "properties": {"repository": "nodejs/nodejs.org", "repoUrl": "https://github.com/nodejs/nodejs.org", "branch": "main"}, "results": [{"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 8368, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 8367, "scanner": "repobility-agent-runtime", "fingerprint": "a987f1518835348cfe7c07567bacca14306162ea84dd02a23d1368374547eac1", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|a987f1518835348cfe7c07567bacca14306162ea84dd02a23d1368374547eac1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/site/pages/en/blog/npm/npm-1-0-released.md"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8366, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b1521a618b0546856850fd3a8753149785b6a5eaf86b865dcf6b64008a07f503", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ui-components/src/Icons/PartnerLogos/Vlt/Favicon.tsx", "duplicate_line": 1, "correlation_key": "fp|b1521a618b0546856850fd3a8753149785b6a5eaf86b865dcf6b64008a07f503"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ui-components/src/Icons/PartnerLogos/Vlt/Logo.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8365, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7f73ae8354556b7e15fe4051ca4bd09d8adf942168c813ffcdf8d8fd1bb0c3d6", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ui-components/src/Icons/PartnerLogos/Microsoft/Favicon.tsx", "duplicate_line": 10, "correlation_key": "fp|7f73ae8354556b7e15fe4051ca4bd09d8adf942168c813ffcdf8d8fd1bb0c3d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ui-components/src/Icons/PartnerLogos/Microsoft/Logo.tsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8364, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ceec48e22be039c8cdc0723e96285929bb070186104f625b5eb97c8f1427f79a", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ui-components/src/Icons/PartnerLogos/IBM/Favicon.tsx", "duplicate_line": 1, "correlation_key": "fp|ceec48e22be039c8cdc0723e96285929bb070186104f625b5eb97c8f1427f79a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ui-components/src/Icons/PartnerLogos/IBM/Logo.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8363, "scanner": "repobility-ai-code-hygiene", "fingerprint": "10c574e2e647b3eea572dbec8a929aa5583eac65200de8e70709b1487915907b", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ui-components/src/Icons/PartnerLogos/ARM/Favicon.tsx", "duplicate_line": 1, "correlation_key": "fp|10c574e2e647b3eea572dbec8a929aa5583eac65200de8e70709b1487915907b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ui-components/src/Icons/PartnerLogos/ARM/Logo.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8362, "scanner": "repobility-ai-code-hygiene", "fingerprint": "27bb7214949f550c4c476c0018bc0b41ff723a512a55fedfd88805afb52a9ce8", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ui-components/src/Common/TableOfContents/index.stories.tsx", "duplicate_line": 18, "correlation_key": "fp|27bb7214949f550c4c476c0018bc0b41ff723a512a55fedfd88805afb52a9ce8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ui-components/src/Containers/MetaBar/index.stories.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8361, "scanner": "repobility-ai-code-hygiene", "fingerprint": "de92cb0dc719599da320fd57414bfab939e9fbf65d4ff88272dfae6e77f2e530", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/rehype-shiki/eslint.config.js", "duplicate_line": 3, "correlation_key": "fp|de92cb0dc719599da320fd57414bfab939e9fbf65d4ff88272dfae6e77f2e530"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ui-components/eslint.config.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8360, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b38a073a13e2a9df89c94642527f5ad94587b69bcd804a6d2c9cc4f654911dc5", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/site/app/[locale]/[...path]/page.tsx", "duplicate_line": 24, "correlation_key": "fp|b38a073a13e2a9df89c94642527f5ad94587b69bcd804a6d2c9cc4f654911dc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/site/app/[locale]/page.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 8369, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}]}]}